
How to ensure your ISO27001 programme isn't a Titanic Disaster!

Updated: Aug 2


Consultants review RMS Titanic Plans and discuss ISO27001
ISO27001 plans for Titanic

What do ISO27001, information security and the RMS Titanic have in common? It’s a good question, and there is a lot to consider when it comes to this fantastic ship and its disastrous tale.


Ironically, in information security presentations, many professionals will use images of icebergs to visualise clear web, deep web and dark web. We use the iceberg to demonstrate that what we see on the surface isn’t always the biggest risk we face.


But there’s more to this story than just an iceberg.


Allow me to explain.


First, let me explain that I’m a bit of a fan of the RMS Titanic and, like many people, I’ve been obsessed with the disaster since childhood. So every year I write a blog in memory of the 1,723 people who lost their lives on the Titanic on the 15th April 1912.


This year I’ve decided to look at the disaster through the lens of ISO27001:2022.


Let’s start at the beginning


The RMS Titanic was a modern marvel, built and equipped with state-of-the-art technology for its time, including a Marconi wireless communication system. It was built for luxury, and complied with the legislation of its day.


However, when the designer Thomas Andrews suggested there should be 83 lifeboats, the owners (White Star) pointed out that regulations only required 20 lifeboats. 


Lesson: ISO27001 Compliance


Don’t treat compliance with regulations and standards, like the General Data Protection Regulation (GDPR) and ISO27001, as a ‘tick box’ and ‘good enough’ exercise. The security and safety of the people you are responsible for should be the focus.


Before setting sail


ISO27001 is a risk-based management system. Everything you do should be based on an aspect of risk, and the first step in this process is identifying what risks there are.


The Captain, Edward James Smith, along with his crew, knew the journey they were taking would take them through waters that were littered with icebergs and icefields. They were seasoned professionals, but they either ignored the risks they were sailing into, or were wildly overconfident in the new ship they were operating.


Lesson: ISO27001 Risk assessments


Risk assessments are vitally important to ISO27001, and this means working as a team to evaluate known and unknown threats. The new ISO27001:2022 Annex A control, A5.7 Threat Intelligence, expects you to identify sources of threat intelligence and act upon it.


On the lookout for danger


Frederick Fleet and Reginald Lee were the lookouts that night, and they stated that they hadn’t been equipped with standard binoculars to spot bergs and growlers. Had they had them, perhaps we wouldn’t be discussing the RMS Titanic today. But we are.


Lesson: ISO27001 (A8.8) Technical Vulnerabilities


Threat intelligence is not only about risk assessments. You need to arm your teams with the tools they need to scan the horizon for dangers. ISO27001:2022 Annex A control A8.8, Management of technical vulnerabilities, states that information about technical vulnerabilities of information systems in use shall be obtained. But you shall also evaluate your exposure to such vulnerabilities and take measures to address them.


Penetration testing, vulnerability scans and cookie reviews all go some way to addressing this requirement, and also ensure that you’re not blind to the issues coming out of the darkness.


Training and Awareness


There wasn't a requirement for crews to be trained in using lifeboats, or for passengers to have lifeboat drills. Certainly, onboard the Titanic, they would have seen this as completely unnecessary.


This meant that on the night of the disaster, the crew made several mistakes in filling the lifeboats. Some crew members believed they should fill the boats with women and children first, while others thought the rule was women and children only.


The crew's lack of knowledge on how to use the davits hampered lowering the lifeboats. The lack of training led to delays in launching the boats, which no doubt contributed to further loss of life.


Lesson: Training


Training on how to use equipment, especially security tools and systems, is essential. ISO27001:2022 Annex A control A6.3 expects three things: awareness, education and training. This should be appropriate to the audience, including your ‘passengers’, aka clients, employees, and other interested parties.


Your training and education programme should include regular drills for the people who are going to use your plans, so that any delays or misunderstandings can be addressed. 


Why they thought she was unsinkable


Prior to the disaster, people reported the RMS Titanic as practically unsinkable. The word ‘practically’ was dropped following the disaster, to emphasise the hubris and overconfidence of White Star Line’s owners.


The various safety features and state-of-the-art design led people to believe that she was practically unsinkable.  She had layers of safety features in place, much like organisations have multiple security layers (or ISO27001 controls) in place.  But no ship is truly unsinkable and there is no such thing as 100% secure.


We must take steps to understand the risks we face, put measures in place to manage these risks, and have processes to react and respond to the risks, should they crystallise.


Perhaps if White Star Line had used ISO27001:2022, or even ISO9001, the standard focused on quality, they would have been better prepared and able to respond more effectively to the disaster. This is something we could never know. 


But the RMS Titanic speaks to us across the years and there are key lessons for us to learn. We must listen.


More questions?


If you’d like to know more about ISO27001, or RMS Titanic(!), please do get in touch. We have an FAQ section, and we’ve even published a book on how to implement ISO27001, “The Real Easy Guide to ISO27001”, which is available on Amazon.
