The Courier & Advertiser (Fife Edition)

Why you need to be looking at ISO27001

INSURANCE AND RISK MANAGEMENT: Data security

Stuart Upton MBCS is Systems and Process Architect at Sigerson Associates Ltd.

First off, let’s start by clearing something up: ISO 27001 is the best-known standard in the family that provides the requirements for an Information Security Management System.

Still reading? Great. Now, as soon as we pair up the words ‘information’ and ‘security’ we automatically think IT, and so pass it over to Dave in the IT department with the remit of looking into it.

Stop! Information isn’t just electronic, think wider. Look at everywhere your data sits – on hard drives, in filing cabinets, even in people’s heads. ISO 27001 is a management standard, not an IT one; it requires the buy-in and continual support of senior management to succeed.

Secondly, businesses can think that the aim here is just to get certified.

Yes, being certified to ISO 27001 can help with demonstrating to prospects and customers that you take the security of their data seriously. It may even be a requirement for a tender, or what makes you stand out against the competition, especially with all the high-profile data attacks hitting the headlines. It can even be seen as a positive when it comes to renewing your insurance.

But ISO 27001 isn’t a target, it’s a continual process that needs to be embedded into your business operations – it’s really important to remember this and not just to see it as a ‘do it once and get it out of the way’ standard.

With that said, it’s time for some good news. If you know what you are doing, ISO 27001 isn’t as complicated as it looks when you first get your hands on it. It’s about managing risk, which is something we all do every day.

If you don’t have the resources or expertise in-house, then don’t be afraid of bringing in a third party. Getting someone in who has done this before can not only save you a lot of time, but they will bring with them the experience of past jobs. They will be able to help you with building one of the core parts of the standard: your statement of applicability.

Now this is a key part of ISO 27001. You are basically building the list of things that you will be measured against. You will also have to develop all of your control documentation. No need to panic though: you may already have some of this in place, and carrying out a gap analysis will help you to identify it. Again, if you don’t have the skills in-house then engaging a third party can remove a lot of the work here.

The other good news is that you don’t actually need to get all of your business accredited in one hit; you could potentially start with one division, then gradually roll it out as you develop your expertise internally.

ISO 27001 brings with it a lot of benefits, more than can be covered in 500 words, and if you haven’t considered it yet then you really should, especially with the EU GDPR less than a year away.

Data is the lifeblood of a business and it’s your responsibility to protect it.

