Information security management based on the ISO / IEC 27001 standard significantly reduces the risk of information losing its basic attributes – confidentiality, integrity and availability. It also allows you to avoid a situation in which your business is exposed to the consequences of non-compliance with the law in the area of personal data protection.
The basic assumption of the ISO / IEC 27001 standard is the assessment of the risk of losing information security.
Carrying out this risk analysis enables the development and application of adequate safeguards aimed at the proper protection of information resources and the preparation of standards for responding in the event of unauthorized access to information. The standard covers all categories of information, both those processed inside the organization and those sent outside it. The standard also applies to all forms of information: written on paper, transmitted orally or graphically, and held in electronic form on the organization’s own infrastructure or in cloud solutions. The ISO / IEC 27001 standard may be used by any organization, regardless of the specifics of its activity, size, legal status or implemented processes.
Identification, classification and protection of assets
In order to effectively protect information, it is necessary to identify and classify the assets that will be protected and to determine the degree to which they should be protected. The organization must also diagnose threats that may cause the loss of the basic attributes and estimate the likelihood of their materialization – by carrying out a risk assessment. Assets are understood not only as information, regardless of the type of carrier, but also as fixed assets and personnel with the knowledge they hold. The standard defines individual control objectives and the information security controls that implement them. This allows the organization to choose the security measures most appropriate to the specifics of its activities and its market environment. In addition to the requirements contained in the main body, the standard also has Annex A, which defines a list of specific security measures recommended for implementation in the organization.
The implementation of Information Security Management Systems and support in their maintenance and improvement is one of the main activities of our company. Thanks to a group of experts consisting of specialists in the field of implementing the requirements of ISO standards, legal advisers, data protection inspectors, security architects and pentesters, we comprehensively solve problems encountered by our clients and propose practical solutions.
One of the elements required by the ISO / IEC 27001 standard is to ensure proper physical security of the organization’s facilities. Based on the results published periodically by the Infowatch Analytics Center, it can be stated that each year about 10% of the largest information leaks are caused by the theft of documents or information assets – including from the organization’s premises.
As part of the ISMS implementation, rules for the proper security of each location are developed, covering, among others:
- division and zoning of rooms and facilities,
- implementation of protection rules and minimum security for individual zones,
- establishing the necessary systems to support physical security management (access control, video monitoring, etc.),
- protection against environmental hazards in special rooms,
- rules for the presence of guests and representatives of suppliers in individual zones,
- rules for movement of people within locations,
- use of visible identification badges for people from outside the organization.
Often, during training, we talk about the principle of the weakest link. In the field of information security, the weakest point is a human being – an employee of the company (currently employed or former), a subcontractor, an administrator, or even a representative of top management. We write about it in more detail here, where we introduce the idea of a social engineering audit and employee awareness research.
Nevertheless, every organization implementing a systemic approach to information security management must plan several processes in the area of personnel security. These include, among others:
- recruitment, including verification of qualifications and authenticity of documentation confirming entitlements,
- onboarding and introductory training in the area of security,
- written confidentiality obligations,
- periodic training in the field of information security, internal ISMS regulations and awareness-building,
- offboarding processes and withdrawing rights to information and transferred resources,
- rules of disciplinary proceedings and fast-path revocation of authorizations in IT systems and information processing resources.
In the era of galloping digitization, a significant part of the security measures implemented under Information Security Management Systems concerns information processing in ICT systems. The implementation of the requirements contained in Annex A to the ISO / IEC 27001 standard mainly consists of establishing practical regulations, including:
- authorization management,
- user authentication,
- management of administrative passwords,
- change management,
- backup management,
- use of cryptographic security,
- keeping records of administrators’ activities,
- securing the internal network and its interconnection with public networks,
- mobile device security management,
- ensuring the security of workstations,
- use of external media,
- securing logs and monitoring events in systems,
- relationships with suppliers,
- license management.
Many organizations decide to implement mechanisms that raise the level of security of information and processed data because of obligations arising from applicable law. This applies primarily to the implementation of the well-known GDPR, the Regulation on the National Interoperability Framework, the Act on combating unfair competition, and the Act on the National Cybersecurity System. Of course, these are not the only regulations that require proper protection of personal data and protected information. Thanks to our knowledge of legal requirements, as part of the implementation of projects we are able both to develop practical and effective data security mechanisms and to ensure compliance with the relevant legal provisions.
It is a good idea to use tools that automate the identification of vulnerabilities, risk analysis, and the planning and monitoring of information security activities. A market-leading tool of this kind is BPM.
We recommend that each ISMS implementation project begins with a pre-audit. Why? The answer is simple - to get to know the client's organization and make the most of the solutions already operating in the company. There is no company that does not secure the data and information it processes in some way, so it is worth building on the solutions already in place. The added value is a report presenting a detailed description of the level of compliance with individual points of the standard. The client obtains full information on the requirements it has already met and those that require improvement. Wherever a requirement is not met, we always describe our recommendations for implementing it.
Correctly designed and conducted risk analysis is half the success of a functioning ISMS. When developing regulations on risk management in the ISMS, we try to use the customer's existing practices and enrich them with the guidelines contained in ISO 27005. The mechanism we recommend is linking the information classification process with risk assessment. At the beginning, together with representatives of the business units, we make an inventory of the groups of information they process, assess their confidentiality, integrity and availability, and indicate where they are processed (in which IT systems / rooms). In this way we obtain knowledge of the information processing resources and assess their criticality. For each resource, a list of potential threats is developed and, together with the owners of the resource, vulnerabilities are identified. This approach guarantees a comprehensive analysis of the problem - from information, through risk, to a risk treatment plan.
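The linkage described above, as an added illustration that is not the company's own tool or method: information groups carry C/I/A ratings and the systems or rooms where they are processed; each resource inherits the highest ratings of the information it handles, and threat/vulnerability pairs per resource are scored against that criticality to produce a sorted risk register. The 1..3 rating scales, the risk appetite threshold and all inventory entries are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (assumption, not from the page): information groups with
# C/I/A ratings on a 1..3 scale and the resources (systems / rooms) that process them.
INFORMATION_GROUPS = {
    "customer contracts": {"C": 3, "I": 3, "A": 2, "processed_in": ["CRM", "archive room"]},
    "marketing materials": {"C": 1, "I": 2, "A": 1, "processed_in": ["file server"]},
    "payroll data":        {"C": 3, "I": 3, "A": 3, "processed_in": ["HR system", "archive room"]},
}

# Constructed threat / vulnerability pairs per resource, each with an assumed
# likelihood on a 1..3 scale: (threat, vulnerability identified with the owner, likelihood).
THREATS = {
    "CRM":          [("ransomware", "no tested offline backups", 2),
                     ("unauthorized access", "shared administrative password", 3)],
    "HR system":    [("ransomware", "no tested offline backups", 2)],
    "archive room": [("theft of documents", "no access control at the door", 2),
                     ("fire", "no smoke detectors", 1)],
    "file server":  [("unauthorized access", "guest Wi-Fi reaches the LAN", 2)],
}

def asset_criticality(groups):
    """Criticality of each resource: the highest C, I and A rating of any
    information group processed on it (the resource inherits its information's needs)."""
    crit = defaultdict(lambda: {"C": 0, "I": 0, "A": 0})
    for info in groups.values():
        for resource in info["processed_in"]:
            for attr in ("C", "I", "A"):
                crit[resource][attr] = max(crit[resource][attr], info[attr])
    return dict(crit)

def risk_register(groups, threats, appetite=4):
    """Risk = likelihood x impact, where impact is the resource's highest C/I/A rating.
    Rows are sorted by risk; rows above the appetite are flagged for the treatment plan."""
    crit = asset_criticality(groups)
    rows = []
    for resource, entries in threats.items():
        impact = max(crit.get(resource, {"C": 0}).values())
        for threat, vulnerability, likelihood in entries:
            risk = likelihood * impact
            rows.append({"resource": resource, "threat": threat, "vulnerability": vulnerability,
                         "risk": risk, "treat": risk > appetite})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)

if __name__ == "__main__":
    for row in risk_register(INFORMATION_GROUPS, THREATS):
        print(row)
```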
Each implementation of the requirements of the ISO / IEC 27001 standard, as well as other ISO standards, requires the development of comprehensive documentation. Its scope, level of detail and the method of integration with internal regulations is always agreed with the client. The approach we recommend is to develop a hierarchical structure including:
- Information Security Management Policy,
- domain regulations: Physical Security Management Regulations, Personnel Security Management Regulations, IT Security Management Regulations,
- procedures and detailed instructions.
This approach ensures transparency of regulations, ease of navigation through the ISMS documentation and no problems with ownership.