D4InfoNet

ISO Standard 27001

The standard's descriptions and questions make it easier to decide how collected data should move through the organization. Overall, it helps ensure consistency in the company's procedures for handling data and information.

ISO/IEC standard 27001 – an important risk assessment

The ISO/IEC 27001 standard, most recently revised in 2017, contains a number of requirements for managing the information security of companies and organizations, in order to avoid loss of data confidentiality, integrity and availability. It is not just about protecting PCs, mobile phones and underlying databases against cyber-attacks and the like. Physical security is also covered, so that data is not lost or escapes control through burglary, theft, espionage, malicious insiders, fire, explosions, natural disasters or similar events.

The standard is based on the fact that recognized experts have joined forces to carry out a general risk assessment of organizations’ vulnerabilities in the field of information security.

Such a risk assessment identifies potential hazards and weaknesses, and these are largely the same for any organization regardless of its framework conditions, size, type and structure. The mapping is therefore broad and relevant to many companies. Digitization, information security, privacy and the protection of other interests matter to all organizations, whether large or small, public or private.

The mapping has formed the basis for the development of the so-called Annex A in the 27001 standard.

Here, the entire risk picture has been divided into 14 areas, and each area is in turn divided into a number of governing or protective measures, 114 in total. All measures must be addressed if an organization wants to avoid an irreparable loss of the confidentiality, integrity or availability of information or data that leads to financial losses or even threatens business continuity.

The 114 security measures should be read as a list of possible and appropriate measures that any company with an interest in information security should consider implementing in its own organization. Not all 114 measures are equally relevant to everyone, however.
If you do not do software development, for example, at least 10 measures can be deselected simply because the company has no development environment.
If your customers do not require data to be encrypted, further measures can likewise be dropped. If you do not run your own servers behind your own firewall, there are also measures that can be deselected.

To get an overview of which measures can be selected from, ISO/IEC 27001 requires you to draw up a list of assets (LoA), giving an up-to-date overview of the company's business processes, databases, hardware, software, networks, personnel assets, and buildings and premises. Once you have a complete overview of your assets, you know where vulnerabilities or deficiencies can occur.

With regard to personnel assets, be aware that a lot of a company's knowledge and data is not necessarily documented and written down. This makes the organization fragile if a key person leaves: in such a situation, important knowledge can be lost quickly.

ISO/IEC 27001 groups these measures into 14 main risk areas.

Requirements for GDPR

More and more legal requirements are constantly emerging that are tied to maintaining effective information security. A good example is the GDPR and the Data Protection Act from 2018.
These special requirements for the processing of personal data and the protection of privacy led ISO/IEC to introduce another standard in the field in 2019, namely DS/EN ISO/IEC 27701, which contains requirements for privacy information management systems. This standard covers the supplementary GDPR requirements that are not immediately apparent from ISO/IEC 27001, since the latter was developed before the GDPR.

If you comply with both of these requirements standards from the ISO/IEC 27000 series, you automatically comply with all requirements of the GDPR and the Data Protection Act. At the same time, you strengthen your prevention of information security deficiencies.

Good reasons to comply with ISO/IEC 27001

Certification of a management system means an internationally recognized third-party attestation, in other words an endorsement that an organization's management system actually complies with the requirements of the selected standards.

With an accredited certification, independent and competent auditors assess whether the organization's LoA and SoA (statement of applicability) are intact, adequate and genuinely lead to the security that stakeholders want and expect. They examine whether the rules and practical procedures contained in the introduced security and protection measures work and are followed in practice.

Once conformity has been established by the auditors collecting evidence through extensive sampling, and once any deviations from the requirements have been closed, the certification body issues certificates. These express that one can indisputably have full confidence in the organization's security system.

The certificates are thus diplomas that serve stakeholders and the public as visible proof that access control, backup, virus protection and so on are effective, sufficient and work in practice. Evidence is often provided through tests and trials.

The certifications substantiate that an organization is very unlikely to be incapacitated because it has not done enough to prevent security breaches, including cyber-attacks and violations of individuals' right to protection of sensitive information about themselves.

Worst case scenario

If you do not want to spend resources on introducing a management system for information security and privacy, there is a risk that there is no real resilience or resistance to cyber-attacks, severe technical crashes, fire, severe weather, terrorist attacks, vandalism, violent pandemics, acts of war or similar events.

For example, if you have never tried using your backups to restore an entire enterprise system from scratch, in full, on a brand new PC, you do not really know whether it can be done or how long it will take, and that can be absolutely crucial for preparedness and business continuity.
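A restore drill can be scripted so that the question "can we actually restore, and how long does it take?" is answered regularly rather than assumed. The script below is an added example and not code from the D4InfoNet page: it builds a constructed sample data set, records a checksum manifest, backs the data up with tar, restores the archive into a fresh empty directory, and verifies that every file came back with identical content. All file names and paths are invented for the example.

```shell
#!/bin/sh
# Added example (not from the page): a minimal, verifiable restore drill.
# Constructed data stands in for business records; paths are hypothetical.
set -eu

# make_sample DIR: populate DIR with constructed files standing in for business data
make_sample() {
    mkdir -p "$1/db" "$1/docs"
    printf 'order-1001,invoiced\norder-1002,pending\n' > "$1/db/orders.csv"
    printf 'procedure: nightly backup, restore drill quarterly\n' > "$1/docs/runbook.txt"
}

# take_manifest DIR: print a sha256 manifest of every file under DIR (paths relative to DIR)
take_manifest() {
    (cd "$1" && find . -type f | sort | xargs sha256sum)
}

# verify_restore RESTORED_DIR MANIFEST: return 0 only if every listed file matches its hash
verify_restore() {
    (cd "$1" && sha256sum -c --quiet "$2") >/dev/null 2>&1
}

# restore_drill SRC: back up SRC, restore it into a clean directory, verify, report the time.
# Returns 0 on a verified restore, 1 if any file is missing or differs.
restore_drill() {
    src="$1"
    work=$(mktemp -d)
    take_manifest "$src" > "$work/manifest.sha256"   # taken before the backup
    tar -C "$src" -cf "$work/backup.tar" .
    mkdir "$work/restore"                            # the "brand new PC"
    start=$(date +%s)
    tar -C "$work/restore" -xf "$work/backup.tar"
    end=$(date +%s)
    if verify_restore "$work/restore" "$work/manifest.sha256"; then
        status=0
    else
        status=1
    fi
    echo "restore took $((end - start)) seconds, verification status $status"
    rm -rf "$work"
    return $status
}
```

Run it against a copy of a real data set (`make_sample` only exists to make the example self-contained), and keep the printed duration: a restore that verifies but takes longer than the recovery time the business can tolerate is a finding in its own right.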

The biggest motivating factor for implementing a management system for information security and privacy is to prevent large financial losses, which can be triggered by general disorder and a lack of structure and procedures. There are many possible examples, such as:

    • Expected orders that are never invoiced because the records disappear
    • Important research results, which disappear because there are no written procedures for documentation
    • CPR numbers (Danish civil registration numbers) and patient records that fall into the wrong hands
    • Manufacturing secrets that inadvertently end up with competitors
    • Dismissed employees taking all the know-how with them when they leave the company for the last time
    • Exposure of information about journalists’ otherwise protected sources by mistake
    • Configuration data and traceability information not stored properly
    • Software code that is released without being properly tested or verified
    • Copyright provisions that are intentionally or unintentionally violated
    • Confidential board documents and business plans that are leaked by mistake
    • Secret contracts forgotten in the photocopier
    • Credit card information and banking information misused in relation to e-commerce
    • Risk of fraud cases, e.g. because function separation on key items is not sufficient
    • Ministers' and officials' text messages deleted by mistake
    • Secret notes disappearing at City Hall

– The list is long.

An information security management system is thus a tool that requires ongoing maintenance.

If rules and security procedures do not keep pace with technical progress, if they are not audited regularly, if information security deficiencies are not recorded and dealt with properly, or if responsibility for day-to-day operational tasks lapses, this will firstly lead to deviations in the certification body's ongoing follow-up. Secondly, it will give a false sense of security in the boardroom.

One can go so far as to say that an information security system that has no will, resources, know-how and defined responsibilities behind it is worse than nothing. Certification must help ensure that it does not go so far.

Can ISO/IEC 27001 eliminate cyber-attacks?

The short answer is no.

At the global level, cyber-criminal environments will typically be one step ahead of the information security and IT experts on the legitimate side, who seek to curb attacks with preventive measures, emergency preparedness, contingency and deterrence measures and the like.

Briefly described, cyber warfare is an act committed by relatively organized groups of cyber-criminals or terrorists who set out to illegally take control of unsuspecting users' PCs, or to penetrate an organization's PCs and networks, in order to cause maximum destruction or disruption of infrastructure, including logistics and supply systems: a kind of warfare carried out with digital weapons. Cyber-attacks are much the same, but are often carried out by less organized hackers for their own gain.

An information security management system that complies with the requirements of ISO/IEC 27001 cannot prevent attempts at illegitimate intrusion into systems for malicious or unethical reasons, but the better the information security, the fewer vulnerabilities there are, which overall reduces the risk that people with fraudulent intentions succeed in penetrating the system.
Systematic management of information security also means that an attacked organization has a better chance of overcoming the consequences and limiting the damage resulting from security breaches.
