Author: Luke Feeney
It was not that many years ago that the terms “information security” and “cybersecurity” were unheard of in the popular, public lexicon – other than to those working in the information and/or cybersecurity industry or related fields. Today, however, how things have changed with regular, hugely concerning reports in the media of information security breaches and cyber-attacks across the globe. A recent exemplar being the reports of the callous Health Services Executive and Dept. of Health cybersecurity ransomware attacks that have resulted in significant, and dangerous, impacts on the provision and delivery of high quality and safe healthcare services in Ireland – accompanied by huge public outrage and indignation at the temerity of an attack on such an emotionally charged, deep-rooted and critical societal service.
First off, a declaration – I do not write this short post as any kind information security or cybersecurity expert, far from it, rather as a “continuously learning” practitioner in the implementation and audit of an international, evidence-based standard for information security management called ISO/IEC 27001 (current version released in 2013, however reviewed to assure continuing suitability and adequacy in 2019). I passionately believe that conformance with this standard can significantly underpin effective and efficient information security and cybersecurity management (but unfortunately there are no guarantees of protection in an ever evolving threat/criminal environment 🙁 ). However, before I extol the virtues and value of implementing the requirements of ISO/IEC 27001:2013, it is good value to first define exactly what is an information security standard and thereafter highlight how conforming to the requirements of ISO/IEC 27001:2013 can help organisations in their continuing and ever evolving battle against cyber and information security attack…
A standard, in the case of this blog, an information security standard, is a published specification document which provides a common (consistent) language, a technical specification plus other precise criteria (requirements) designed to be used as a rule or definition to assure a level of performance (in a rigorous and consistent manner). Interestingly, the International Organization for Standardization (ISO – one of the largest and most respected global standards providers) suggests that their standards can contribute to making life less complicated by increasing the reliability and effectiveness of the goods and services we purchase, access and use. Put simply… an evidence-based information security standard is a set of established, evidence-based specifications, rules, definitions and requirements (regulations, criteria) that organisations, and their interested parties (customers, clients, employees, regulators, shareholders, owners, etc.), refer to (or better still defer to) as a common reference point for excellence in the secure management of data and information (BH Consulting, 2007; ISO/IEC, 2013).
Whilst there are a number of internationally recognised information security standards, including, but not limited to, the National Institute of Standards and Technology (NIST), Payment Card Industry (PCI) Data Security Standard (DSS), Trusted Information Security Assessment Exchange (TISAX) and the Sarbanes-Oxley Act (SOX), ISO/IEC 27001, 2nd edition, 2013 – Information technology – Security techniques – Information security management systems – Requirements” (to give it its full title, referred to as 27001 or the standard from here on!), is an evidence-based, best practice, truly international standard providing the specification, rules, definitions and requirements for the design, development, implementation, maintenance and continuous improvement of a “system” for information security management – referred to as an information security management system or simply ISMS (ISO/IEC, 2013).
Published by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC), 27001 can be implemented in anyorganisation, irrespective of location, size, industry or technological advancement. It is part of an every increasing set of ISO international standards and codes of practices (guidelines) for information security commonly referred to as the “the 27001 (or 27000) family”. Implementing a 27001-conformant ISMS provides organisations with a systematic approach to ensure the protection of their information and information processing facilities – and as a result comfort and assurance to the aforementioned interested parties that their data and information is secure when in their custody. Additionally, as technology evolves, ISO continues to develop new codes of practices and standards in the “27001 (or 27000) family” to address changing information security requirements (ISO/IEC, 2018; ISO/IEC, 2013).
Furthermore, organisations, via an accredited certification service provider/authority/body, can seek certification to 27001 and thereby outwardly evidence that an international, evidence-based information management security system (ISMS) is in place internally to protect all data, information and information processing facilities – good for the organisation, its customers, clients, employees, consumers, regulators, shareholders, etc. Everybody wins 😊!
To manage information security in conformance to 27001, it is important to understand their view of information security… 27001 regards information security to be the preservation of the confidentiality (information is not available/disclosed to unauthorized individuals, entities or processes), integrity (accuracy and completeness) and availability (accessible and usable on demand by an authorized entity) of information along with other “security” properties including authenticity (it is what it claims to be), accountability (all operations are identifiable and traceable), non-repudiation (proof of occurrence and its origins) and reliability (consistent, intended behaviour and results). As a result therefore 27001 views information security management as the processes and methodologies designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption (ISO/IEC, 2018; ISO/IEC, 2013).
[Note: While both information security and cybersecurity are synonymous, there is subtle difference; cybersecurity deals with protecting networks, computers and data from unauthorised electronic access, information security, in contrast, deals with protecting information assets regardless of whether the information is in physical or digital format.]
A 27001-conformant ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organisation’s information security to underpin the achievement of its business objectives (security or otherwise). Appropriately grounded on risk assessment and treatment (identification, estimation, evaluation, treatment, monitoring and review), an ISMS includes policies, procedures, protocols, guidelines and associated resources and activities, collectively managed to protect organisational information assets (information and processing facilities). Successful ISMS implementation includes analysing the requirements for the protection of information assets and addressing criteria (clause requirements and information security controls) to ensure their protection (Advisera, 2020; BH Consulting, 2007; ISO/IEC, 2018; ISO/IEC, 2013).
Thus a 27001 ISMS can be viewed as a set specific, systematic criteria requiring an organisation to:
- Determine the internal and external issues/matters relevant to its function and operation (including the services that it provides) and thereby understand and contextualise its information security requirements.
- Identify interested parties (customers, clients, employees, regulators, shareholders, owners, etc.) and their information security needs and expectations.
- Determine and document the scope of its information security management system (ISMS) through understanding its own information security requirements and those its interested parties.
- Carry our foundational, critical information security risk assessment within its defined ISMS scope resulting in the identification and selection of controls to treat (address, respond to) unacceptable risks (in addition to the information security controls already in place) – and plan/implement such controls.
- Establish information security objectives and how they will be achieved.
- Continuously evaluate the implementation of information security and achievement of information security objectives.
- Continuously improve information security.
All of these criteria are “driven” by organisational top management leadership and commitment to information security and will take the form of policies, procedures, forms, records and other documented information as well as processes and technologies (Advisera, 2020; BH Consulting, 2007; ISO/IEC, 2018; ISO/IEC, 2013).
In conclusion, ISO/IEC 27001:2013 is an international, evidence-based, best practice, top-down, management driven, risk-based continuous improvement standard for managing information security. And as a result, surely a key consideration for all organisations dealing with data and information in our world today… and the very minimum that the public expect…
Advisera (2020), ISO 27001 implementation, retrieved on 11.06.2021 from https://advisera.com/27001academy/knowledgebase-category/iso-27001-implementation/.
BH Consulting (2007), An Overview of Information Security Standards, retrieved on 11.06.2021 from https://bhconsulting.ie/an-overview-of-information-security-standards/.
ISO/IEC (2018), 27000 Information technology – Security techniques – Information security management systems – Overview and vocabulary, 5th ed., Geneva: ISO Copyright Office.
ISO/IEC (2013), 27001 International Standard: Information technology – Security techniques – Information security management systems – Requirements (2nd edition), Geneva: ISO Copyright Office.
ISO/IEC (2013), 27002 International Standard: Information technology – Security techniques – Code of practice for information security controls (2nd edition), Geneva: ISO Copyright Office.
Author: Dr. Luke Feeney,
ISO/IEC 27001:2013 Lead Auditor and Trainer, Certification Europe.
Director of Quality, Risk and Patient Safety, National Maternity Hospital.