Security starts at the door
Security is not just about computers. It encompasses all areas, operations and divisions of any company. It really starts at the entry point to the building.
- How are the premises accessed? Are keys, badges, passwords, codes, or biometrics used?
- Who has access to the premises? Are there restricted areas that can only be entered by authorized personnel?
- Under what conditions can external organizations have access into the building, e.g. cleaners, service organizations, essential services, etc.? How is the vetting of visitors done? Are there cameras fronting the building?
- Is there a policy to lock up files overnight to prevent security staff and cleaners from seeing sensitive information on desks?
- What is the procedure to report lost or stolen company files, computers, phones, credit cards? What happens to the information stored on the device? How is the information secured? Similarly, how is client information secured?
- How are old records – paper and electronic – disposed of?
- What happens with the hard drives of computers that are discarded and replaced?
And so forth. These are a few basic questions, by no means exhaustive, that any company should address.
An ISMS is the answer
The answer to all these questions is to set up an information security management system (ISMS) that will protect the company’s assets. Having an ISMS will help prevent sensitive information from being damaged or destroyed, and will make sure it doesn’t fall into the wrong hands.
An ISMS is a set of policies, procedures and controls that protect the confidentiality, integrity and availability of a company’s sensitive data. It encompasses processes, data and technology as well as employee behaviour. When enforced comprehensively, it is bound to become part of the company’s culture.
Only the effective implementation of an ISMS, meaning integrating information security management into the company culture and training employees to comply with it, will provide a high degree of protection from data breaches.
Enhancing information security
The joint technical committee on information technology established by IEC and ISO, ISO/IEC JTC 1, through one of its subcommittees, SC 27, published ISO/IEC 27001, Information technology - Security techniques - Information security management systems - Requirements.
The international standard specifies requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organization, as well as for the assessment and treatment of information security risks tailored to the organization’s needs. The requirements are generic and intended to be applicable to all organizations, regardless of type, size or nature. It makes recommendations regarding leadership, commitment and policies, as well as actions to address risks and opportunities. It also covers support matters such as resources, competence, awareness and communication; operational planning and control; information security risk assessment and treatment; and performance evaluation.
Multiple aspects of ISO/IEC 27001
ISO/IEC 27001 goes further than cyber security and covers how an organization manages the security of information it holds, both for its own operations and from external sources, such as suppliers, customers, etc.
ISO/IEC 27001 also addresses threats that come from deliberate cyber attacks.
There are many benefits in using the holistic approach of ISO/IEC 27001: compliance with national and/or regional regulations; resilience and better response to cyber threats; reduced costs through a centrally-managed system that gets rid of multiple and ineffective procedures; well-informed employees aware of their security responsibilities.
By achieving certification to ISO/IEC 27001, an organization demonstrates to its stakeholders and customers that it is committed to managing information securely. In short, the company can be trusted.
While certification to ISO/IEC 27001 has existed since the standard was published in 2013, it is only recently that IECQ, the IEC Quality Assessment System for Electronic Components, has set up a true single standardized way of assessing and certifying an ISMS to ISO/IEC 27001.
IECQ is part of the solution
The ever-growing need for organizations to provide independent proof of compliance with ISO/IEC 27001 for their ISMS has led industry to request that IECQ certification bodies (CBs) be able to cover the assessment and certification to ISO/IEC 27001 under the approved process scheme (AP scheme) while conducting other IECQ assessments, for example avionics or hazardous substance process management.
What drove industry to approach IECQ recently was the lack of harmonization among the many certification bodies that offer their own individual certificates and apply their own individual interpretations of ISO/IEC 27001. Over time, this has resulted in different approaches and in differences in what is accepted by the various certification bodies. Thus, industry felt that IECQ was able to offer a single approach to the application of ISO/IEC 27001. All certificates can be found on the IECQ website.