By accepting you will be accessing a service provided by a third-party external to https://www.manycaps.com/
ISO27001 Principle 7: Integrated Security
When you think about your information systems, repositories and sources of information within your organisation have you built security into them or is it a bolt on after the fact? Is it there at all? Keeping in mind that Information Security is about more than just your IT systems and what's stored there but about all information have you built in the right steps for simple things like ensuring that your competitors can't see your strategy written up on that meeting room whiteboard you left on full view of that big window? The thing about your Information Security Management System is that it needs to be integrated, it needs to be there from the ground up so that it's front and centre of everyone's thinking and their systems.
Information Security has a few key elements that it's important that everyone in your organisation understands and should be part of your training program within the organisation.
Vulnerabilities are the weak points in your systems, these are the areas where it gives access to your information to someone who shouldn't get access. Think about it as the open window showing your whiteboard, the password that is password or the front of house reception that is completely unattended and unmonitored that lets anyone walk directly into the building and out again with anything they want. All of these examples mean that someone has unauthorised access to your information because of a gap in your Information Security Management Systems (ISMS).
2. Threat and 3. Threat Agents
Threat is about the possibility that someone could take advantage of any of the gaps in your Information Security Management System for their, or indeed someone else's, benefit. The threat agent is the thing, the entity that takes advantage of that vulnerability, which could be a person, or it could be a virus or system bot for example.
This is pretty simple to work out, it's the combination effect of chance that someone, or something (the threat agent) will take advantage of that threat to attack the vulnerability in your Information Security Management System and then factoring the level or severity of resulting outcomes of that vulnerability being exploited. In here we are thinking about business or personal impacts and potential losses as a result of those things.
Exposure, as the name suggests is the window of opportunity that exists where your Information Security management system is vulnerable to the attacks and hence losses by the threat agent. The aim obviously is to make this as small as possible!
6. Treatments and Controls
These are the steps and controls that you are going to put in place within your ISO27701 Information Security Management System that will reduce the risk, close out any vulnerabilities that you have limit or eliminate exposure and generally make your ISO27001 system work really well and protect your information.
Any system is only as good as the people who use it, that means you need to ensure that your people are clear on the requirements of your Information Security Management System and are kept up to date on a regular basis of any new vulnerabilities and threats so they understand the treatment and controls that need to be put in place and why they are important to them and you. Talking about it once at induction doesn't count as communicating, you need to do it over and over and over again and be consistent in the message and the approach you want people to take.
The balancing act is of course that you need to put adequate treatments and controls in place to remove vulnerabilities and threats but don't make it impossible for people to actually do their jobs. When it gest too hard to follow the rules then people will find work arounds that you don't know about and that creates a massive new vulnerability for you that you may only discover when its too late. Be sensible about the approach you take and way up the steps you are taking with the real risk, not some worst-case scenario that will only really happen in a James Bond movie.
If you want to achieve a great ISO27001 Information Security management system then you need to understand these 6 elements, constantly communicate them and remind everyone that it's about information, not IT. Your ISO27001 system isn't an IT system, it's a business system and everyone needs to be actively involved in it for it to truly work, it needs to be completely integrated into the day to day way of working so that it's a habit, it's just what you do.
© Many Caps Consulting | All Rights Reserved