Let's start from the top. What is ISO 27001?
ISO 27001 is an international standard that outlines best practices for information security management. It helps organisations demonstrate that they know how to protect their sensitive information, such as financial data, personal information, and intellectual property, from unauthorised access, disclosure, alteration, or destruction.
Notice I say 'demonstrate'. Having ISO 27001 is not a silver bullet that suddenly means you are fully protected from every threat, vulnerability or attacker. It is a way to implement information security in a structured manner. Cybersecurity is an 'ecosystem' made up of people, processes and technology working harmoniously to protect data.
Who is it applicable to?
In a word: everyone. If you use data, then that data needs to be protected.
Q: How can you protect that data?
A: Implement appropriate security controls.
Q: How do you go about implementing these controls?
A: Use a management system like ISO 27001.
There is a lot to ISO 27001, and its various aspects are going to be covered in a new series of videos we're going to record for you. But for now, just know that different aspects of security will be of key importance for different sectors.
Let's look at a few examples.
In the manufacturing sector, ISO 27001 is critical because it helps companies to protect their confidential information, such as product designs, production processes, and supplier information. This can help to prevent industrial espionage and protect a company's competitive advantage.
For example, would you be upset if one of your sales teams had access to all your product design information and took this to a competitor? Apply appropriate Access Controls and Segregation of Duties, and suddenly this risk is being managed more effectively.
In the education sector, ISO 27001 is important for protecting sensitive teacher and student information, such as home details, grades, personal information, images, and disciplinary and/or health records. It also helps to manage the risk of data breaches, which can have serious consequences for students and the institution.
Students are quite rightly inquisitive, so who do you imagine is a school's biggest 'threat'? Students have been known to try and hack their schools' systems, 'just for fun', and then bring down the entire network. Of course, there are far darker forces at play, as external groups have the desire to access all the personal contact details of teachers and students alike.
In the IT sector, ISO 27001 is important for protecting against cyber-attacks and data breaches, and this is particularly important for those providing cloud hosting or support. It helps organisations secure their networks, systems, and data, preventing the loss of sensitive information and financial losses. If the IT company can't protect itself, how will it survive and support its customers and clients?
An IT provider supporting over 2,300 websites had an outage in their data centre. Except, it wasn't a 'data centre'. It was merely a comms room in their premises, with a rack of servers. The air conditioning unit failed, causing the heat in the room to rise significantly, resulting in a catastrophic failure of the system. The outage lasted three days. This is why ISO 27001 has controls related to physical and environmental aspects of information security.
In the health sector, ISO 27001 is important for protecting sensitive patient information, such as medical records, personal information, and financial information. It can also help prevent data breaches, which can have serious consequences for patients and healthcare organisations.
In relation to the GDPR, health records are categorised as 'sensitive' and therefore require a higher degree of security. Imagine the impact on an individual who is seeking medical assistance for a drug or alcohol-related illness, where their data is leaked or exposed accidentally by being sent to the wrong address.
Cases of lost or misplaced medical records abound. It's worth mentioning that health records include mental health too. Therefore, where lone mental health workers are making notes in their notebooks or recording sessions, it's worth asking: how is that data being managed and shared?
Finance & retail
In the financial and retail sector, ISO 27001 is essential for protecting sensitive financial information, such as account numbers, credit card information, and personal information. It can also help to prevent data breaches, which can have severe consequences for customers and financial institutions.
Most of us will immediately consider the financial sector as applying to banks, but it also includes any organisation we shop with. This is why the Payment Card Industry Data Security Standard (PCI-DSS) exists for organisations taking banking details.
Cybercrime is on the rise because, ultimately, cybercriminals are trying to make money from us. Therefore, if they can gain access to our bank accounts or persuade us to buy goods and hand over our hard-earned money or our banking details, then that's what they will do.
The importance of privacy and ethics cannot be overstated when it comes to protecting sensitive information. Organisations must ensure that they handle personal information responsibly and ethically and follow all relevant laws and regulations. This includes implementing appropriate security measures, such as those outlined in ISO 27001, and regularly reviewing and updating those measures to stay current with the ever-evolving threat landscape.
It's worth remembering that in addition to ISO 27001, the UK Data Protection Act and the General Data Protection Regulation (GDPR) are important for protecting personal information. The UK Data Protection Act is the UK's implementation of the EU Data Protection Directive, and the GDPR replaces the Data Protection Directive. Both laws are designed to protect the privacy of individuals and ensure that organisations handle personal information responsibly.
In conclusion, ISO 27001 is an important standard for protecting sensitive information in a variety of sectors, including, but not limited to, manufacturing, education, IT, health, and finance.
It helps organisations secure their networks, systems, and data and prevent breaches. The UK Data Protection Act and the GDPR are also important for protecting personal information. Organisations must also be mindful of privacy and ethics when handling sensitive information, and although these aren't explicitly covered in ISO 27001, the use of the standard demonstrates that an organisation is indeed being mindful and doing its best.