David Goodfellow, UK Business Assurance Manager at TÜV SÜD advises that adopting the leading security standard ISO/IEC 27001 can help ensure FMs avoid damaging cybersecurity breaches
The prevalence of cyberattacks and data breaches is making companies increasingly concerned about the protection of data when it comes to the provision of facilities management. For example, organisations with critical infrastructure like airports, public utilities and public authorities must keep data protection at the forefront when engaging building automation services. As the control of buildings’ facilities becomes smarter, with the increased use of technology such as energy-saving solutions and real-time monitoring, it also creates large amounts of sensitive data. Breaches of such data could compromise security, potentially resulting in significant financial damage and reputational harm.
An effective information security management system (ISMS) can help enterprises of all sizes defend themselves against cyberattacks and other malicious data breaches that could have serious legal or business continuity implications.
ISO/IEC 27001 is the leading international standard for information security management. It provides a practical framework for the development and implementation of an effective ISMS to protect against the root cause of information-security risks. This is achieved by offering a well-established methodology for prioritising assets and risks, evaluating controls and developing remediation plans. Its scope is intended to cover all types of information, regardless of its form, which can include digitised data, documents, drawings, photographs, electronic communications and transmissions, and recordings.
Organisations that achieve ISO/IEC 27001 certification can reduce overall information security risks by protecting themselves against cyberattacks and preventing unwanted access to sensitive or confidential information. ISO/IEC 27001 simplifies compliance with applicable security regulations and requirements, and helps organisations foster an organisation-wide security culture.
Certification to ISO/IEC 27001 can represent an important step in an organisation’s efforts to protect its IT infrastructure, as it strengthens its ability to protect itself against cyberattacks and helps prevent unwanted access to sensitive or confidential information.
Organisations that certify their ISMS to the requirements of ISO/IEC 27001 gain a number of important benefits. For example, an ISO/IEC 27001-certified ISMS can help an organisation meet the legal and regulatory requirements applicable in many countries, as well as customers’ contractual requirements.
ISO/IEC 27001 also provides a formal, systematic approach to information security, as it increases the level of protection of sensitive and confidential information. This can result in a reduction in overall business risk and help to mitigate consequences when breaches actually occur. By protecting the confidentiality of information and ensuring the integrity of business data and the availability of IT systems, disruptions to critical processes and the financial losses associated with a security breach are minimised.
Rather than being seen as a cost to the organisation, ISO/IEC 27001 certification can actually lower the total costs of IT security by reducing the risk of security breaches and the costly consequences associated with data breaches, such as financial damage and reputational harm. Likewise, ISO/IEC 27001 certification demonstrates a strong commitment to the security of confidential information and can deliver a significant marketplace advantage, as stakeholders and customers will be confident that you are maintaining the highest information security standards. Furthermore, an increasing number of companies only work with suppliers that have implemented an ISO/IEC 27001-certified ISMS.
STEPS TO CERTIFICATION
Implementing an ISMS according to the requirements of ISO/IEC 27001 and obtaining certification involves a number of specific steps. Of course, not all ISMS implementation efforts are identical, since individual organisations will have unique issues to address and vary in their degree of system readiness. However, the following steps apply to most organisations, regardless of their industry or level of preparedness:
- Obtain management commitment
The successful implementation of any management system, including an ISMS, requires a commitment from leadership at the highest level of the organisation. Without such a commitment, other business priorities will inevitably erode implementation efforts.
- Define the information security policy
At this stage, the organisation identifies and defines its information security policy based on the specific goals and objectives that it hopes to achieve. This policy will serve as a framework for future development efforts by establishing a direction and set of principles regarding information security.
- Define the scope of the ISMS
With its information security policy in place, the organisation must then identify the specific aspects of information systems security that can be effectively addressed within the scope of its ISMS.
- Complete a risk assessment of current information security practices
Applying the most appropriate methodology, the organisation should then conduct a thorough risk assessment to identify the risks that are currently being addressed, as well as system vulnerabilities and threats that require attention.
- Identify and implement risk measures and controls
Here, the organisation implements measures and practices to mitigate all of the risks identified in the risk assessment. The results of these measures and practices should then be monitored and modified as required to improve their effectiveness.
- ISMS audit
With a tested and proven ISMS in place, the organisation should conduct a certification assessment pre-audit to identify any potential issues that could negatively impact the outcome of the certification audit. Any nonconformities with the requirements of ISO/IEC 27001 can then be addressed and/or corrected.
Finally, an independent certification body should be employed to conduct a formal audit of the organisation’s ISMS for compliance with ISO/IEC 27001. A successful audit results in a recommendation for certification, which is then issued by the certification body.
Organisations that achieve ISO/IEC 27001 certification are subject to yearly surveillance audits to confirm continued compliance with the requirements of the standard. A full recertification audit is required every third year following certification.
EFFECTIVE INFORMATION SECURITY MANAGEMENT
An information security management system (ISMS) is a critical element in the effort to control or mitigate the risk associated with cyberattacks against digitised data. ISO/IEC 27001 provides a formal framework for the implementation and maintenance of an effective ISMS, demonstrating that an organisation has identified the risks, assessed the consequences and put in place effective controls that will minimise any damage from a cyberattack. Not only does ISO/IEC 27001 give organisations confidence that information is protected, it is also compatible with other management system standards, which simplifies the auditing process for organisations certified to multiple management system standards.