The standard is based on the fact that recognized experts have joined forces to carry out a general risk assessment of organizations’ vulnerabilities in the field of information security.
With such a risk assessment, potential hazards and weaknesses are identified, and these are largely the same for any organization regardless of its framework, terms, size and type. The mapping is therefore broad and relevant for many companies. Digitization, information security, privacy and other protection of interests matter to all organizations – whether large or small, public or private.
The mapping has formed the basis for the development of the so-called Annex A in the 27001 standard.
Here, the entire risk picture has been divided into 14 areas, each of which is again divided into a number of governing or protective measures – 114 in total. All measures must be addressed if an organization wants to avoid an irreparable loss of the confidentiality, integrity or availability of information or data that leads to financial losses or even limits the opportunities for business continuity.
The 114 security factors should be considered as a list of possible and appropriate measures that all companies with an interest in information security should consider implementing in their own organization. However, it is possible that not all 114 measures are equally relevant for everyone.
If you do not deal with e.g. software development, there are at least 10 measures that can be deselected solely for the reason that you do not have a development environment in the company.
If customers do not require you to encrypt data, further measures can be deselected. If you do not manage your own servers behind your own firewall, there are also measures that can be deselected.
In order to get an overview of which measures can be deselected, ISO/IEC 27001 requires that you draw up a list of assets (LoA), which gives you an up-to-date overview of the company’s business processes, databases, hardware, software, networks and personnel assets as well as buildings and premises. Once you have a complete overview of your assets, you will know where vulnerabilities or deficiencies can occur.
In relation to personnel assets, you should be aware that a lot of the knowledge and data in a company is not necessarily documented and written down. This makes the organization fragile if a key person leaves – in such a situation, important knowledge can be lost quickly.
New legal requirements linked to maintaining effective information security are constantly emerging. Good examples are the GDPR and the Data Protection Act from 2018.
These special requirements for the processing of personal data and the protection of privacy led ISO/IEC to introduce another standard in the field in 2019, namely DS/EN ISO/IEC 27701, which contains requirements for management systems for privacy protection. This standard includes the supplementary GDPR requirements, which are not immediately apparent from ISO/IEC 27001, as it was developed prior to the GDPR.
If you comply with the requirements of both requirement standards from the ISO/IEC 27000 series, you will automatically comply with all requirements in the GDPR and the Data Protection Act. At the same time, further prevention of information security deficiencies is achieved.
Certification of management systems means an internationally recognized third-party attestation, in other words an endorsement of an organization’s management system’s actual compliance with the requirements of the selected standards.
With an accredited certification, independent and competent auditors assess whether the organization’s LoA and SoA (Statement of Applicability) are intact, adequate and genuinely lead to the security that stakeholders want and expect. They look at whether the rules and practical procedures contained in the introduced security and protection measures work and are implemented in practice.
Once conformity has been established by collecting evidence through extensive sampling by the auditors, and when any deviations from the requirements have been closed, the certification body issues certificates. They express that one can indisputably have full confidence in the organization’s security system.
The certificates are thus diplomas that serve stakeholders and the public as visible proof that access control, backup, virus protection, etc. are effective, sufficient and work in practice. Evidence is often provided through tests and trials.
The certifications substantiate that an organization is very unlikely to be put out of action because it has not done well enough in preventing security breaches, including cyber-attacks and violations of individuals’ right to the protection of sensitive information about themselves.
Worst case scenario
If you do not want to spend resources on introducing a management system for information security and privacy, there is a risk that you have no real resilience or resistance to cyber-attacks, severe technical crashes, fire, severe weather, terrorist attacks, vandalism, severe pandemics, acts of war or similar.
For example, if you have never tried to use your backups to restore an entire enterprise system from scratch onto a brand-new PC, you really do not know whether it can be done and how long it will take, and that can be absolutely crucial for preparedness and business continuity.
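A small restore drill in the spirit of this advice, added here as an illustration and not taken from the original article: it builds a constructed sample "production" tree, takes a tar backup, restores it into an empty directory, checks every restored file against a SHA-256 manifest, and reports how long the restore took. It assumes a POSIX shell with tar and GNU coreutils (sha256sum) available; the directory names and file contents are constructed for the example.

```shell
#!/bin/sh
# Restore drill (added example, not from the original article).
# Assumptions: POSIX sh, tar, GNU sha256sum, and a writable scratch directory.
# The "production" tree and its contents are constructed sample data.
set -eu

# Build a constructed sample tree and write a SHA-256 manifest beside it.
make_sample() {
  root="$1"
  mkdir -p "$root/db" "$root/config"
  printf 'customer,balance\nA,100\nB,250\n' > "$root/db/accounts.csv"
  printf 'listen=443\nlog_level=info\n' > "$root/config/app.conf"
  (cd "$root" && find . -type f | sort | xargs sha256sum) > "$root.manifest"
}

# Take the backup: a plain tar archive of the whole tree.
take_backup() {
  tar -C "$1" -cf "$2" .
}

# Verify a restored tree against the manifest; exits non-zero on any changed
# or missing file. The manifest path must be absolute because we cd first.
verify_tree() {
  manifest="$1"; target="$2"
  (cd "$target" && sha256sum -c --quiet "$manifest")
}

# Restore into a fresh directory, verify, and report the elapsed time.
# Prints "restore verified in Ns" on success; aborts (set -e) otherwise.
restore_and_verify() {
  archive="$1"; manifest="$2"; target="$3"
  mkdir -p "$target"
  start=$(date +%s)
  tar -C "$target" -xf "$archive"
  verify_tree "$manifest" "$target"
  end=$(date +%s)
  echo "restore verified in $((end - start))s"
}

# Full drill in a scratch directory: sample -> backup -> restore -> verify.
run_drill() {
  work=$(mktemp -d)
  make_sample "$work/prod"
  take_backup "$work/prod" "$work/backup.tar"
  restore_and_verify "$work/backup.tar" "$work/prod.manifest" "$work/restore"
}

# Run the drill only when explicitly requested, e.g. RUN_DRILL=1 sh drill.sh
if [ "${RUN_DRILL:-0}" = 1 ]; then
  run_drill
fi
```

The point of the manifest is that a restore which merely "completes" is not enough evidence: the check fails on a file that was altered or never came back, which is exactly what the article says you cannot know without trying. The measured time is the number to compare against what the business can tolerate.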
The biggest motivating factor for implementing a management system for information security and privacy is to prevent large financial losses, which can be triggered by general disorder and a lack of structure and procedures. The examples can be many, such as:
– The list is long.
An information security management system is thus a tool that requires ongoing maintenance.
If rules and security procedures do not keep pace with technical progress, if they are not regularly audited, if information security deficiencies are not recorded and dealt with properly, or if responsibility for day-to-day operational tasks disappears, it will firstly lead to deviations in the certification body’s ongoing follow-up. Secondly, it will give a false sense of security in the boardroom.
One can go so far as to say that an information security system that has no will, resources, know-how and defined responsibilities behind it is worse than nothing. Certification must help ensure that it does not go so far.
The short answer is no.
The cyber-criminal environments at the global level will typically be one step ahead of the information security and IT experts from more legitimate environments, who seek to curb attacks with preventive measures, emergency preparedness, contingency and deterrence measures and the like.
Briefly described, cyber warfare is an act committed by relatively organized groups of cyber-criminals or terrorists who set out to illegally take control of unsuspecting users’ PCs or to penetrate an organization’s PCs and networks in order to cause maximum destruction or disruption of infrastructure, including logistics and supply systems: a kind of warfare carried out with digital weapons. Cyber-attacks are much the same, but are often carried out by less organized hackers for their own gain.
Information security management systems complying with the requirements of ISO/IEC 27001 cannot prevent attempts at illegitimate intrusion into systems for malicious and unethical reasons, but the better the information security, the fewer vulnerabilities there are, which overall reduces the risk of people with fraudulent intentions succeeding in penetrating the system.
Systematic management of information security also means that the attacked organization will have a better chance of overcoming the consequences and limiting the damage and accidents resulting from incidents of breach of security.