Trust in the ability of an organization to protect the data it uses is a key factor in an increasingly data-driven world.
Global best practice for Information Security Management, ISO/IEC 27001, is the foundation on which to build this trust. Users of the standard will be familiar with its Annex A which is the reference set of security controls to be considered when implementing your Information Security Management System (ISMS). The Annex lists 93 controls taken from ISO/IEC 27002 (Information Security Reference Controls and Guidelines). However, to get the best from your ISMS, IEC/ISO 27001 directs implementers to focus on their risk assessment and consider other relevant controls and guidance which may be applicable, dependent on their business risk. What does this look like in practice?
Let’s discuss some of the key themes relevant to current businesses and how you can incorporate further guidance and best practice into your ISMS in line with the requirements of ISO/IEC 27001 and your risk assessment.
Cloud Services
The rise of cloud services in recent times has brought great opportunities for businesses large and small, globally to find more efficient and effective ways of managing their businesses. However, this mass shift to cloud-based services has attracted the focused attention of cybercriminals. Cloud-based service providers have become a specific target for cybercrime, as attacks on this digital supply chain can reach many organizations in one hit, greatly increasing the “blast radius” of a single attack.
Most organizations now use some form of cloud-based service1, hence the introduction of a control, specifically addressing cloud services with the ISMS reference control set. Many organizations are heavily dependent on a range of cloud services which give them a cost-effective, scalable business operation; furthermore, increasingly, businesses are offering services which are cloud-based in some way. In these circumstances, it is worth considering a deeper dive into the information security risks and controls needed to provide the appropriate level of protection in line with your business risk.
Security Controls for Cloud Services, ISO/IEC 27017, provides additional guidance on top of that given in ISO/IEC 27002, focusing on cloud services. For 32 of the reference controls in ISO/IEC 27017, there is additional guidance for cloud users, whilst for cloud service providers there is additional guidance for 30 of the controls. There are seven new controls, all of which apply to cloud service providers with five of them applicable to cloud users. As this standard refers directly to the controls you have already considered for your ISMS, alongside a few more to add in, it becomes a straightforward addition to your existing ISMS implementation which can greatly improve the focus on cloud service information security. It also gives greater confidence to your customers, suppliers, partners and other key stakeholders that you can be trusted to manage the security of cloud services effectively.
Privacy
According to the UN Declaration of Human Rights, privacy is seen as a fundamental human right2 this designation has increased in focus as the amount of personal information being used by businesses and governments has increased. Personal information ranges from basic data about our identity to location information, shopping preferences, internet search history video images, audio recordings, financial information, medical records and more. This information is extremely valuable for businesses and for criminals. As the world experiences a digital evolution, laws and regulation around privacy of personal information have significantly increased, often with hefty fines or noncompliance.
The controls in ISO/IEC 27002/Annex A to ISO/IEC 27001 have been updated to reflect the increasing amount of personal information in use by organizations and the increased risk of a data breach and potential subsequent legal liabilities. Whilst some organizations have limited amounts of personal data, perhaps limited to their own employees, others hold customer personal data or use personal data as a key part of their business, potentially handling sensitive data such as health data or data relating to minors, or large volumes of personal data. In these circumstances, it is worth considering a more in-depth system for managing the specific risks around privacy of personal information
ISO/IEC 27701 sets out what is needed to build a Privacy Information Management System (PIMS) based on your current ISMS. It is based on the requirements of ISO/IEC 27001 and the reference controls and guidance in ISO/IEC 27002. The document refers directly to each requirement and control, listing only additional privacy requirements where appropriate, alongside some additional privacy-specific requirements and guidelines for controllers and processors of personal data. So, with ISO/IEC 27001 in place, a lot of the work has been done already to enable you to manage your privacy risk. Alongside the requirements and guidelines, ISO/IEC 27701 also has some useful Annexes mapping its content directly to the European General Data Protection Regulation and to other best privacy best practice standards. This is the most straightforward way to manage privacy risks within your organization and build trust with customers, employees and other key stakeholders, while minimizing the chances of a personal data breach with the associated legal liabilities.