The end of the year is looming and the Covid-19 pandemic is continuing to shape business practices, leaving some organisations scrambling to put out every cybersecurity fire as it crops up. With the increase in remote working and destructive ransomware attacks, this approach is no longer tenable. For a business not only to thrive but even simply to survive the rest of this year, it must go back to basics, upgrading and enhancing its cybersecurity measures for business assurance and continuity.
ISO 27001 is a great starting point in this mission. This international standard provides a broad framework that can be used by organisations across industries, helping businesses define the scope of the data they hold and why they need it, as well as recognise common security threats and vulnerabilities.
Organisations that meet these requirements can become ISO 27001 certified following a formal compliance audit. However, even if this is not the end goal, using the framework can illuminate the strengths and weaknesses of an organisation’s security and compliance posture:
Reassess your current information security measures: do they cover the full scope of your digital footprint? It is practically impossible to run an organisation that does not depend in some way on a third party or supplier. Does your organisation’s information security strategy include risk mitigation measures for third-party risk? What is the cyber and compliance status of these third parties? Are there repeatable actions in place that can be used to manage these risks regularly?
Can unnecessary changes be avoided, and necessary changes be implemented quickly? Change management is a key component of ISO 27001, and often a tricky process to get right. How has your organisation handled necessary changes, such as the move to mass remote working and the cybersecurity changes implemented alongside it? How could this process be streamlined while maintaining the due diligence and thought needed when making these decisions?
Does your organisation have a vulnerability management process for handling cyber threats and attacks? With every new supplier or third party, organisations must understand the specific, inherent vulnerabilities that each new connection presents. Ensuring that patches and updates are installed regularly and promptly is also key to this.
The ISO 27001 framework is a straightforward way to understand and update your organisation’s information security posture. By striving to comply with ISO 27001, your organisation can move one step closer to cyber resilience and business assurance.