Part 2: A Study of ISMS; a Unique Point of Differentiation for Businesses
In Part 1 (yes, I know it was a long time back now), I covered the GDPR's and the Privacy Act's impact on Australian businesses and explored how having an Information Security Management System (ISMS) would help address some of the compliance requirements. However, there are plenty of other benefits that not everyone might be aware of.
Why Should the Board be Interested in Setting up an ISMS?
If you are a business owner, an aspiring CISO, a CIO, a board member or part of the executive management, this will be interesting if you:
Desire the secrets to 'locking in' annual security funding year after year
Want to minimise financial losses attributed to cyber attacks
Absolutely abhor time wasters
Alright, let's dive right into this.
The secret to 'locking in' annual security funding?
You must show tangible value to the business. The big question is HOW.
It is easier to gain a significant competitive advantage with an ISMS in place. ISO 27001 certification enables your company to do business far more effectively with companies in certain regulated sectors where such certification might be a prerequisite.
Your chances of being invited to AND winning tenders immediately go up. It is important to note that for more and more tenders, having an ISO 27001 certification (the latest version was published in 2013) is actually a specific requirement. A case in point: both AWS and Microsoft Azure are ISO 27001 certified.
Another popular publication is ISO 27002, a guideline of best-practice security controls. ISO 27001 is the standard companies certify to, whereas ISO 27002 acts as a guideline for controls, not for management systems.
If you are an IT Security Manager and you struggle with getting the business to invest in security, this is it! Things change when you are able to demonstrate to the Board that you can bring in more business with an ISO 27001:2013 certificate.
Contrary to what most people think, it is not difficult to get one (see the section on Debunking More Myths below). After a year of seeing a tangible difference in new tenders being won, the board will have to support the continued investment in security, and eventually you will be able to build a team under yourself as your role evolves into a CISO.
If you are a business owner and you are thinking of going global, being compliant with ISO 27001 also gives you access to global markets. You can compete comfortably with international competitors. For some countries, this would be a major entry requirement!
What about minimising financial losses?
In the age of disruptive technology and changing human behaviours, having implemented best-practice information security standards ensures that the probability of data breaches occurring is minimised.
Compliance with the standard can help organisations avoid heavy fines and penalties that may otherwise result. Implementing information security may seem like an expense, but it is even more costly for the business if incidents keep occurring frequently.
Secondly, having a structured management process for security risk helps ensure your security costs are managed more effectively.
Finally, most people are unaware that, beyond the financial loss, the reputational damage to the company can be far more detrimental. With ISO 27001 certification, you are demonstrating commitment to information security management and sending a signal to clients, employees and other stakeholders that you are serious about information security. Your adherence to ISO 27001 or other security standards shows that you are not only proactive, but also gives your customers and business partners the assurance that your business is doing things the correct way.
According to an IT Governance Survey which reviewed organisations implementing ISO 27001 across 53 countries, 98% saw an improved information security posture as the most important benefit.
A common thing I hear when I speak to some executives is that they are either a fan of ISO 27001 or of NIST. It's either one or the other. Now, this is not entirely true. It depends.
ISO 27001 is a governance framework to manage risk. NIST 800-53 and the others are CONTROL-based standards: they are lists of best-practice controls. Nothing stops you from using these controls to mitigate your risk under your ISMS. In fact, we help organisations implement ISMSs that use and manage NIST and PCI controls every day.
I probably should write another article someday on the NIST CSF (Cybersecurity Framework), which is higher level in scope, focusing on methods of assessing and prioritising security functions, and which runs to just 40 pages compared with NIST 800-53's 460. The CSF builds on, and does not replace, security standards like NIST 800-53 or ISO 27002.
That being said, having an ISMS that adheres to one of the recognised standards is a great starting point for organisations looking to improve their cyber security.
At a recent C-suite panel session that I had the privilege of moderating, a number of questions came up focusing on the art of communicating with the board and the best approaches to it.
If only there was a simple way of putting a dollar value on risks…
That's when I learnt about the Factor Analysis of Information Risk (FAIR) framework published by the Open Group. It's an approach for assessing and quantifying risk by putting a dollar value on it, to facilitate risk ownership and decision making at the business level, and is particularly useful in the financial sector. Cyber risk quantification can be useful for calculating the ROI (Return on Investment) of cyber security investments, as depicted in the diagram below:
How do they fit together?
FAIR can be used as a complementary quantification tool alongside the ISO 27001 standard: to prioritise the top risks based on their business impact, evaluate the remediation options, and compare their results against the actual risk reduction.
FAIR can be seen as an empowerment framework which gives a voice to the SMEs who run your risk processes. The FAIR analysis flow is depicted below, where the "Experts" are your SMEs.
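To make the "dollar value on risk" and ROI idea above concrete, here is an added worked example (my own illustration, not part of the FAIR standard or any vendor tool). It takes FAIR's two top-level factors, Loss Event Frequency and Loss Magnitude, as calibrated (minimum, most likely, maximum) estimates from your SMEs, runs a small Monte Carlo simulation, and compares the expected annual loss before and after a control to derive the control's ROI. All figures are constructed for illustration.

```python
import random
from statistics import mean

# Constructed scenario: phishing-driven credential compromise. Each SME
# estimate is given as (minimum, most likely, maximum).
BASELINE_LEF = (2, 5, 12)                   # loss events per year today
CONTROLLED_LEF = (0.2, 1, 3)                # after MFA + awareness training (assumed)
LOSS_MAGNITUDE = (20_000, 80_000, 400_000)  # dollars lost per event
CONTROL_COST = 60_000                       # assumed annual cost of the control


def draw(rng, estimate):
    """Sample a calibrated (min, most likely, max) estimate from a triangular
    distribution. Note random.triangular takes (low, high, mode)."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def simulate_annual_loss(lef, lm, iterations=20_000, seed=1):
    """Monte Carlo over FAIR's two top-level factors: each iteration draws a
    loss event frequency, turns it into a whole number of events for the
    year, and sums one loss magnitude draw per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        freq = draw(rng, lef)
        # A fractional frequency such as 0.3/yr becomes one event with p = 0.3.
        events = int(freq) + (1 if rng.random() < freq - int(freq) else 0)
        losses.append(sum(draw(rng, lm) for _ in range(events)))
    return losses


def fair_summary(lef, lm, **kw):
    """Expected annual loss plus the 90th percentile (the 'bad year' figure)."""
    losses = sorted(simulate_annual_loss(lef, lm, **kw))
    return {"expected": mean(losses), "p90": losses[int(0.9 * len(losses))]}


def control_roi(baseline, controlled, annual_cost):
    """ROI of a control: annual loss avoided, net of its cost, over its cost."""
    avoided = baseline["expected"] - controlled["expected"]
    return (avoided - annual_cost) / annual_cost


if __name__ == "__main__":
    before = fair_summary(BASELINE_LEF, LOSS_MAGNITUDE)
    after = fair_summary(CONTROLLED_LEF, LOSS_MAGNITUDE)
    print(f"expected annual loss: ${before['expected']:,.0f} -> ${after['expected']:,.0f}")
    print(f"90th percentile:      ${before['p90']:,.0f} -> ${after['p90']:,.0f}")
    print(f"control ROI: {control_roi(before, after, CONTROL_COST):.1f}x")
```

The 90th percentile is usually the number that lands with a board, because it answers "what does a bad year look like?" rather than only the average.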
What about the SMEs?
For an organisation experiencing sudden growth, it is only a matter of time before problems start arising around the roles and responsibilities for information assets. In complying with ISO 27001, you will automatically define roles and responsibilities, which will strengthen your organisational structure. It ensures the entire organisation is covered by security, including staff, technology and procedures, and creates an organisational culture that is conscious of information security. Best practices and the right security culture are usually easiest to inculcate at the very beginning.
The board and executive management are ultimately responsible for the governance of information security. We can't outsource our security responsibilities to our cloud partners, third-party vendors, or even to our IT/security employees.
Security is a shared responsibility.
Is having an ISMS really worth my time though?
If you have seen the in-depth ISO-based security questionnaires that you have to complete in every single tender, you will know that already being compliant with ISO 27001 saves you a great deal of hassle. Instead of responding to auditors afresh for every new client you gain, you have a much faster turnaround once you have an ISMS in place. The framework actually helps ensure the fulfilment of commercial, contractual and legal responsibilities.
And are you aware that these days most clients require ISO 27001 as a prerequisite anyway, or at least security controls equivalent to ISO 27001? Why not save your time by meeting these prerequisites right at the beginning?
Debunking More Myths
Have you seen the Annex A controls? ISO27001 is nearly impossible!
It is such a painful and long process. The average time it takes an organisation to complete a project is at least 6-12 months.
Do you not know the struggles of getting budget for Security?
These are interesting objections to getting an ISMS, even after all the benefits listed above. So here's the thing. Security officers commonly mistake the 144 Annex A security controls (e.g. strong passwords, access cards, encryption, etc.) for the ISO 27001 standard clauses. That is not the case. In fact, the good thing about ISO 27001 certification is that it factors in the risk appetite of each company. It considers the organisation's ability to manage its security risks. It is not necessary to have all Annex A controls implemented before one can achieve certification. It is OK to have deficiencies as long as you are aware of them (i.e. your risk assessment process is working) and they are managed under your ISMS.
Hence, you can get yourself certified without needing to implement all the Annex A controls! Clauses 4-10 are a lot more important.
Now, for the many who are not skilled in building an ISMS, yes, it would seem incredibly complex. Sometimes companies have decided to hire internally, but the cost of a 6 to 12 month job far outweighs the cost of engaging an ISMS expert.
Take my team, for example: we know the ins and outs of what it takes to build an ISMS in the most cost-effective way, since a number of renowned names in Australia have achieved certification through our assistance.
It is crucial that your ISO implementer knows how to engage with your auditors and focus on meeting the intent of the standards.
Unfortunately, most implementers do not want to deal with the auditors either. Hence, it is best to get one who WILL deal with the auditors on your behalf and has extensive experience dealing with them. Very often you will need to push back on the auditors, and it is easier to do that when you know the clauses inside out.
Finally, it might not be common knowledge, but ISO 27001 requires security risks to be formally owned by the business and executives, which means that accountability for security is now shared with the business and is no longer just an IT problem! This means that the business has to give you a repeatable flow of risk-based security investment. At the end of the day, an ISMS is relatively low cost and delivers credentials to the business. To keep those credentials, the business will have to invest in security. Happy days!
Would love to hear my readers' thoughts and experience on the above. If you have any questions about meeting your compliance or security needs, you can always leave a comment here.