ISO 27001 – The Fourth Standard?

ISO 9001, 14001 and 18001 are common standards across the maritime industry and the baseline of audits and integrated management review meetings. Another standard may be joining them. ISO 27001 is the information security management system standard; it offers a straightforward, auditable standard that is well known and widely accepted.

ISO 27001 – the right way to protect your business?

Cyber security has risen in public perception, particularly in the past year, with attacks becoming far more prevalent, including attacks on multiple NHS Trusts and two successive data breaches at Yahoo, each in turn the largest known data breach in the history of the internet. ISO stepped in with a standard designed to provide a framework with which to approach information security, assigning responsibility and risk ownership across organisations for a threat that, until recently, had not been found on companies' risk registers.

What is good about the standard is that it provides a holistic approach to information security management, considering not just the technical aspects of information security but also the human, systemic and business risks that can affect it. In this sense it reaches out from the technical side of cyber security to look at organisational security as a whole, and at how that leaves businesses open to exploitation through their employees, suppliers and contractors.

A business can therefore treat ISO 27001 as its go-to framework for implementing information security across the organisation, working through the following risk areas and implementing appropriate security controls in each:

  • Information Security Policies
  • Organisation of Information Security
  • Human Resource Security
  • Asset Management
  • Access Control
  • Cryptography
  • Physical & environmental security
  • Operations Security
  • Communications Security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information Security Incident Management
  • Information Security Aspects of Business continuity management
  • Compliance; with internal requirements such as policies, and with external requirements, such as laws

Supply Chain Security

Perhaps where ISO 27001 can provide the most value is in the security of the supply chain. Within the maritime and superyacht community the number of cyber security breaches has been rising. Within the yachting community, malware has emerged purporting to be emails innocently distributed from prominent industry organisations such as MYBA and the International Superyacht Society (ISS).

As the emails merely purported to be from MYBA and ISS rather than being sent from their actual email servers, the security of those organisations is not in question. What is in question is our own level of cyber security, now that criminal elements have begun to focus on the maritime and superyacht industry as a cash cow.

ISO 27001 provides a straightforward road map for implementing cyber security in a business. Certification and accreditation may not be necessary: it is ultimately the thorough implementation of the processes outlined in the standard, not the accreditation, that results in cyber security.

It should be noted that all of the controls listed in the bullet points above can be excluded from a company's information security management system and the company can still be certified to the standard. As such, a company's certification to the standard cannot be taken as an indication that it has a thorough information security management system in place. You need to check your supplier's approach to cyber security yourself, to see which controls they have implemented and how regularly these are reviewed and audited.

In summary, accreditation to ISO 27001 is not a guarantee of an organisation's cyber security. It provides business owners with a road map to achieve a level of cyber security. However, each of the individual elements of the standard needs to be executed and regularly reviewed to ensure a company has a level of security proportionate to the threat against it.

An alternative to ISO 27001 is the Cyber Essentials Scheme, a UK government-supported scheme to help organisations protect themselves against common cyber crime. It is a set of basic technical controls for organisations to use. Backed by the FSB, the CBI and a number of insurance organisations, it enables organisations to gain 1 of 2 new Cyber Essentials badges.

A point to note is that the government requires all suppliers bidding for certain contracts involving sensitive and personal information handling to be certified against the Cyber Essentials scheme. It does not require companies to be accredited to ISO 27001 when bidding on the same contracts.