THE BENEFITS OF ISO 27001 Information Security Management Systems Certification
Element is one of the fastest growing testing, inspection, certification and calibration businesses in the world. Globally we have over 7,000 brilliant minds operating from 200 sites across more than 30 countries. Together we share an ambitious purpose to ‘Make tomorrow safer than today’.
bmtrada.com
ISO 27001 – ALL YOU NEED TO KNOW

WHY SHOULD I BE CONCERNED ABOUT INFORMATION RISK?
Information security has become an area of increased concern, with the introduction of General Data Protection Regulation (GDPR) rules – and fines – in 2018, and more recently with the increase in people working from home because of the COVID-19 pandemic. While organizations acted quickly in response to COVID-19 to enable business to continue without interruption, security measures were often neglected. This has introduced new levels of risk, and there has been a significant rise in cyber-attacks since 2020. Those who already had systems such as ISO 27001 in place were in a much better position to transition safely, while others have left themselves vulnerable and much more open to attack. At the same time, the threat of significant GDPR fines and potential reputational damage, at a time when businesses are facing economic turmoil, is something not to be ignored. With a maximum fine of €20m (or 4% of total annual income if higher than €20m) and people being more conscious of data security than ever before, a GDPR breach can be business ending.
Tele-working is now the biggest risk for information breaches. With employees working alone from home, they are also much more susceptible to cyber criminals who see this as a perfect opportunity to strike. The Department for Digital, Culture, Media and Sport (DCMS) revealed in its Cyber security breaches survey 2020 that, on average, almost half of businesses (46%) report having some kind of cyber security breach or attack in the past 12 months.
BM TRADA
CONTENTS
• Introduction to ISO 27001
• Why ISO 27001?
• The Certification Process
• The process
• Case Study: ISO 27001 offers a secure choice for NHS Organization
• About BM TRADA
INTRODUCTION TO ISO 27001
ISO 27001 specifies an information security management system (ISMS) applicable to organizations of all sizes, which outlines a framework of policies and procedures to mitigate the risk of a security breach.

As well as covering IT and cyber security, the certification provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS. It covers all aspects of an organization’s information risk management process. Any organization holding high levels of personal data is required to abide by data legislation, such as the GDPR. ISO 27001 certification is one step in the process to legal compliance.

THE BENEFITS
• Risk Management: If an unexpected crisis arises – such as a pandemic – having a defined and implemented information management system is a significant benefit to a business. Roles have already been assigned and employees are trained in building awareness and applying sound security measures through a systematic approach. With a business continuity management system and risk assessment framework in place, organizations are already one step ahead in a crisis and ready to act if or when required.
• Business Culture: Many businesses with ISO 27001 certification report that the most important benefit is the culture change that it creates. All employees are expected to understand and follow the policies and procedures, which leads to a much more risk-aware team.
• Business Development: ISO 27001 certification provides assurance to customers, employees, stakeholders and the wider industry that an organization takes data security seriously and that their data is safe. This can be a significant benefit in terms of business retention and development.
• Business Security: Certification helps organizations demonstrate their willingness to comply with legal obligations, as well as potentially preventing fines, legal repercussions and reputational damage resulting from security breaches.
WHAT OUR CUSTOMERS SAY:
“Processes and policies are great, but you need people to buy into them to really succeed. ISO becomes part of the ‘business as usual’ and changes the way that everyone works as a result. It has certainly changed the culture when assessing risk. Our team understands the value of what we’re doing, and once the framework was in place, everyone could see how useful it was; making things much easier and safer all round.”
ANNEX SL
As with all ISO management systems, ISO 27001 follows Annex SL, the high-level structure (HLS) shared by ISO management system standards. This champions leadership, worker participation and engagement, and crucially requires input from every level of the business. Annex SL consists of 10 core clauses.

HIGH LEVEL STRUCTURE OF CLAUSES
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
The Annex SL link also aligns ISO 27001 with other ISO management systems which some businesses may already have in place, such as quality (ISO 9001), occupational health and safety (ISO 45001) and environmental (ISO 14001). This streamlines processes and delivers efficiencies, saving organizations time and money.
WHY ISO 27001?
ISO 27001 works on a three-year certification cycle, with organizations required to revisit it every year and keep evidence and audit trails. Rather than simply implementing a system as a one-off exercise, ISO 27001 requires a culture change within the organization and annual audits to ensure that the system is working as it should be. While some other schemes require upgraded servers and software and provide a set of basic technical controls, ISO 27001 takes a longer-term view. The focus is not on the latest systems, but on procedures, business improvement and the continued demonstration of risk-based thinking. It requires third-party certification and regular audits to ensure that the business has completely taken the process on board.
ISO 27001 also looks at all data assets that a business holds, not just IT. It considers information regardless of where it is found (e.g. paper, information systems, digital media, etc.), and includes intellectual property as well as personal information. Some clients demand certification prior to engaging with businesses – something which is becoming much more prevalent, particularly for Government-related work.
In the UK, the majority of reported data breaches are non-cyber incidents, such as accidental disclosures of personal data or a failure to set the correct access controls, so it’s important to not purely focus on cyber security when considering information safety.
PLAN-DO-CHECK-ACT
ISO 27001 is based on the Plan-Do-Check-Act (PDCA) cycle, which can be applied to the management system as a whole, as well as to each individual element, to provide an ongoing focus on continuous improvement.

[Figure: the Plan-Do-Check-Act cycle (PLAN, DO, CHECK, ACT) applied to the management system, with the elements Commitment, Initial review, Context and requirements, Policies, Objectives, Competency, Management programme, Organization and personnel, Operational control, Monitoring and measurement, Auditing, Compliance, Management review and Improvement.]
THE CERTIFICATION PROCESS
The ISO 27001 certification requires a focused effort to identify all potential data security risks. The process is as follows:

4 EASY STEPS

1. IDENTIFY THE RISKS
To start the process, an organization must define the scope of the certification. This should consider:
• Why the certification is being undertaken
• What the focus is
• Whether it is concentrated on a particular product
• Which of the 114 Annex A controls from the Statement of Applicability (SOA) apply

2. EVALUATION
A vital part of the ISO 27001 implementation is evaluation. An annual management review is required, with mandatory topics for discussion. As the meetings must all be minuted, this enables auditors to look at outputs which demonstrate continual improvement and a focus on evaluation.
Key to the evaluation process is the breadth of corrective and preventive actions. This includes the handling of nonconformities and root cause analysis; determining why problems were able to happen and what the reason was for them; and implementing corrective action.

3. CERTIFICATION
The initial certification process is carried out in two distinct stages.
Stage One, the first planned visit, is a review of the documented system, which is formally evaluated against the requirements of the standard, checking whether the framework has been established and whether the mandatory policies, management review meetings and internal audit have taken place.
Stage Two is a sample-based audit. A site assessment is carried out to verify that the system has been successfully implemented; that it is being followed by the entire team; and that the requirements of ISO 27001 are being met in practice.

4. RE-CERTIFICATION
Certification is valid for three years and maintained through a program of annual surveillance audits to ensure continuing compliance. ISO 27001 is a three-year audit lifecycle, with two surveillance audits – one after 12 months and one after 24 months – followed by re-certification.
CASE STUDY: ISO 27001 OFFERS A SECURE CHOICE FOR NHS ORGANIZATION

THE PROJECT
In 2019, Phil Scott, IT Security Manager at NHS Greater Manchester Shared Services (GMSS), and his team began working towards ISO 27001 certification with BM TRADA. The certification was awarded in mid-June 2020, by which time the benefits of the process were clear to see.

THE CHALLENGE
When the global pandemic hit the UK in March 2020, millions of people were ordered to work from home, including all GMSS employees. The sharp rise in remote working increased the threat to cyber security, a serious issue for data safety. Working as a partner in the health and care system, GMSS customers include GPs, NHS Foundation Trusts and Clinical Commissioning Groups, so data protection is an area of significant concern for their clients. The team at GMSS needed to consider not just its employees but also the 13,000 service users reached through its clients.

THE SOLUTION
Fortunately, Phil’s team had spent months working with BM TRADA on ISO 27001 certification in order to offer the highest level of security. An information security management system (ISMS) outlines a framework of policies and procedures to mitigate the risk of a security breach. ISO 27001 certification provides a model for establishing, implementing and operating an ISMS, as well as monitoring, reviewing, maintaining and improving it. It covers not just IT security, but all aspects of an organization’s information risk management process.

By the start of 2020, GMSS had a business continuity management system and risk assessment framework in place, which meant they started planning for COVID-19 much earlier than most. At the end of February – when people were just starting to talk about a potential epidemic – the team at GMSS undertook a tabletop exercise to see what would happen if there was an outbreak in the UK and if there were infections in their offices. This highlighted the weaknesses they needed to address, resulting in 13 learnings to consider, such as increasing remote access capacity. As a result, they anticipated some of these potential problems and dealt with them in advance.

THE RESULTS
By the time the Prime Minister announced that everyone should stay home, GMSS had a process in place to act immediately.
• All 350 GMSS employees were able to work from home safely the following day.
• 2,300 laptops were deployed between March and June.
• Capacity was increased from 2,000 concurrent users to 10,000.
• Businesses that needed support most urgently could continue to work seamlessly.

“We knew ISO 27001 certification would make us leaders in our field, but we didn’t realize what a difference it would make as we faced a global pandemic. Our staff and customers could work from home quickly and easily, while other parts of the health care system were struggling months later. Feedback from customers was overwhelmingly positive, boosting team morale at an incredibly difficult time.”
Phil Scott, IT Security Manager, NHS Greater Manchester Shared Services
ABOUT BM TRADA
Part of the Element Group, we specialize in providing a comprehensive range of independent testing, inspection, certification, technical and training services. We help organizations to demonstrate their business and product credentials and to improve performance and compliance. Our team has many decades of experience and provides a certification process that is thorough and robust, striving to provide clarity and support along the way. Using a UKAS-accredited certification body like us ensures the ISO 27001 certification will be readily accepted by many regulators, suppliers and purchasers across the world. We exist to help our customers make certain that the management systems, supply chain and product certification schemes they operate are compliant and fit for purpose.
BUILDING ASSURANCE SOLUTIONS FOR A COMPLEX WORLD
Certification • Inspection • Advisory • Testing

Building assurance in the minds of our customers and offering solutions for a complex world underpins everything that we do at Warringtonfire. To consistently deliver on our promise, we work to three guiding principles: technical excellence, operational excellence and customer excellence.
To find out more contact: cert.admin@bmtrada.com +44 1494 569 750