The drive towards implementing an information security standard
Wednesday, November 9, 2011 at 9:50AM

ISO 27000 and the Need for a Standards Approach
It has been interesting to note that in recent weeks several customers have expressed the need to adopt an information security standard within their organisation. The driver has been a requirement from their own customers to have certain minimum qualifications in place in order to bid for business.
This is typical of supply chain management: it is often a customer's demand, the crucial missing ingredient, that gives a particular standard its push. Although there are a number of standards around, perhaps the most widely used is the ISO 27000 family. Derived from a British Standard (BS 7799), it was adopted, with a few adjustments, by ISO. In the retail sector, merchants that accept payment cards have been obliged to comply with PCI DSS (the Payment Card Industry Data Security Standard) in order to continue accepting cards as a form of payment.
As with most standards, the impact is often felt years after the initial adopters bought in, as the requirement propagates down the supply chain. Equally, a standard is rarely treated as a must-have until supplier, customer or regulatory pressure is applied. That is understandable: achieving certification costs money (strictly, an organisation is certified against ISO/IEC 27001, the requirements standard in the family; it is the certification bodies themselves that are accredited), and the benefit of doing so may not be immediately obvious. With information security, though, there are compelling reasons for incorporating best practice into the organisation and formalising the approach, starting at the board and working down through the layers of the business.
Computer Weekly reports that cyber attacks on the UK have reached "disturbing" levels, according to Iain Lobban, director of the communications intelligence agency GCHQ. The attacks target sensitive data on government computers and the designs of defence, technology and engineering firms, he wrote in The Times. According to Lobban, "Such intellectual property theft doesn't just cost the companies concerned; it represents an attack on the UK's continued economic wellbeing."
Speaking at the London Conference on Cyberspace earlier this month, William Hague stated that “it will become harder to protect users and prevent defences from being swamped as the scope for malignant activity widens alongside advantages.” Putting this in perspective, more than six million unique types of new malware were detected by industry in the first three months of 2011 alone, according to Hague.
Heavy stuff, and scary too, especially if your corporate defences are not in good shape, which is quite likely given current cost, time and understanding constraints. Worst of all, it is the good old IT department's neck on the block. But look at how information security standards such as ISO 27000 are shaped and it is plainly a business problem, one that is, or at least should be, owned by the CEO and the heads of departments. It is not the IT that is at risk: it is the business. Too many organisations are too slow in getting this message through to their senior management.
A high level look at what ISO 27000 and other information security standards set out to achieve should give senior management the picture. That takes a great deal of pressure off the IT department and frees budget to implement mitigation strategies and solutions.
Vioptim is positioned to help promote this high level view and to engage the necessary consultancies to move towards standards compliance and certification.


Reader Comments (2)
Some businesses now do their transactions online, and a lot of scammers are deployed online just to have an easy-money job. So this is a warning to people who usually transact online: you must first see if the site is trusted or not, so that if there's a problem during the transaction you can contact the company via its valid email, number, address, etc.
Great post. I really learned a lot through this post and got the best, most advanced and latest information. Ink cartridges