Huge multinationals and small or medium enterprises face security breaches on a daily basis and thus have to ensure they can thwart attacks on their operations and eliminate – or at least reduce – the impact of such breaches.
Evolving technology equals evolving risks
A corollary of the ever faster pace at which technology advances is the rapidly evolving nature of security risks. Keeping up with new technologies, trends and threat intelligence is a challenge that businesses must tackle if they want to prevent information security breaches that cost vast amounts every year in stolen intellectual property and confidential data.
For years, “the traditional approach,” as explained by the TechTarget website, “has been to focus resources on crucial system components and protect against the biggest known threats, which meant leaving some of the components undefended and not protecting systems against less dangerous risks.”
The positive outcome of the numerous security breaches affecting all kinds of companies throughout the world in recent years may be the way they have changed their approach to security and implemented information security management systems (ISMSs) to address their needs and vulnerabilities.
An information security management system (ISMS) is a set of policies, procedures and controls that protect the confidentiality, integrity and availability of a company’s sensitive data. It encompasses processes, data and technology as well as employee behaviour. When enforced comprehensively, it is bound to become part of the company’s culture.
Enhancing information security
To help organizations enhance their information security, the joint technical committee on information technology established by IEC and ISO, ISO/IEC JTC 1, through one of its subcommittees, SC 27, published ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements.
The international standard specifies requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organization, as well as for the assessment and treatment of information security risks tailored to the organization’s needs. The requirements are generic and intended to be applicable to all organizations, regardless of type, size or nature. The standard makes recommendations regarding leadership, commitment and policies, as well as actions to address risks and opportunities. It also covers support matters such as resources, competence, awareness and communication; operational planning and control; information security risk assessment and treatment; and performance evaluation.
Multiple aspects of ISO/IEC 27001
ISO/IEC 27001 goes further than cyber security and covers how an organization manages the security of information it holds, both for its own operations and from external sources, such as suppliers, customers, etc.
A management system that meets ISO/IEC 27001 will consider overall security, including questions such as:
- Are there locks on the front doors?
- Who can have keys and how is the allocation of keys/passwords to enter the building managed?
- Under what conditions can external organizations have access into the building, e.g. cleaners, service organizations, essential services, etc.?
- Is there a policy to lock up files overnight to prevent security staff and cleaners from seeing sensitive information on desks?
- How are old records – paper and electronic – disposed of?
- What happens with the hard drives of computers that are discarded and replaced?
ISO/IEC 27001 also addresses threats that come from deliberate cyber attacks.
There are many benefits in using the holistic approach of ISO/IEC 27001:
- compliance with national and/or regional regulations;
- resilience and better response to cyber threats;
- reduced costs through a centrally-managed system that gets rid of multiple and ineffective procedures;
- well-informed employees aware of their security responsibilities.
By achieving certification to ISO/IEC 27001, an organization demonstrates to its stakeholders and customers that it is committed to managing information securely. In short, the company can be trusted.
While certification to ISO/IEC 27001 has existed since the standard was published in 2013, it is only recently that IECQ, the IEC Quality Assessment System for Electronic Components, has set up a scheme for the certification of ISMS.
IECQ is part of the solution
The ever-growing need for organizations to provide independent proof of compliance with ISO/IEC 27001 for their information security management system (ISMS) has led industry to request that IECQ certification bodies (CBs) be able to cover assessment and certification to ISO/IEC 27001 under the approved process scheme (AP scheme) while conducting other IECQ assessments, for example for avionics or hazardous substance process management.
What drove industry to approach IECQ recently was the lack of harmonization among the many certification bodies that offer their own individual certificates and apply their own individual interpretations of ISO/IEC 27001. Over time, this has resulted in different approaches and differences in what is accepted by the various certification bodies. Industry therefore felt that IECQ was able to offer a single approach to the application of ISO/IEC 27001. All certificates can be found on the IECQ website.
IECQ provides industry with a supply chain verification tool for seeking assurance that electronic components, assemblies, processes and related materials conform to declared technical standards and specifications. IECQ certificates are used worldwide as a tool to monitor and control the manufacturing supply chain, thus helping to reduce costs and time to market, and eliminating the need for multiple re-assessments of suppliers.
IECQ is an essential player and a key partner of industry that helps companies manage their all-encompassing and complex information security systems.