Who needs ISO 27001?

Author: Gary Hibberd

Date: 13th July 2020

Who needs ISO 27001? The simple answer to this question is, everyone.

ISO 27001 is the international standard for building an Information Security Management System (ISMS). It lays out the measures you need to follow, in order to build a process for handling Data.

Any organisation that handles Data can benefit from implementing ISO 27001, but I guess the real question is; Who needs ISO 27001 and why?

False Positives

For a very long time now there has been a battle between Information Security specialists, IT specialists and the general population (let’s call them the ‘Bored’ (Not to be confused with the ‘Board’)). The Bored in most organisations include those sat in the Boardroom, but also includes the general business population.

When the Bored think of Information Security and Data Protection they often assume we’re talking about technology, and more specifically Information Technology (IT). Information security has long been seen as a problem for the IT department to solve, and the IT department hasn’t been much help in dispelling this myth.

When faced with the question, “How are you protecting Data?” the response is often focused on IT. “The Data is on the Cloud”, “We have Malware protection”, and “We have a Pen Test once a year”. All of these responses give the Bored a false sense of security. They believe by focusing on the technology everything is safe and secure.

But this false positive is a dangerous way to think about Information Security.

Brum Brum. Beep Beep.

Imagine I have just purchased a new car. It’s shiny. It’s sleek black and has all the latest gadgets. Now, imagine I’ve asked you and your loved ones to come along for a drive with me. Would you base your decision purely on the look of the car, on me, or on both? 

The car may look like it’s mechanically sound, but how do you know? Because I said so? What about me? Do you know if I’m a good driver? Am I insured? Do I have any driving convictions?

If you treat this scenario the same way you treat Data, you’re basing all your decisions to put your loved ones in the car, on the basis that a mechanic told you everything is ok.

Information security is about more than IT

The ISO 27001 standard forces the Bored to think about Information Security more deeply than perhaps they ever have before. It’s not an IT security standard, it’s an Information Security Management standard. 

It clearly states what you need to consider, in order to demonstrate that you’re taking all appropriate technical and operational measures to protect Data. Areas and topics covered include;

1. Development of Security related Policies and Procedures
2. Carrying our Risk Assessments and determining Risk Treatments
3. The methods you use to hire new people
4. The training you provide to those involved in Information Security
5. The awareness training you give to key roles, and define their responsibilities
6. The method you use to audit your security controls
7. How you manage your physical and technical data assets
8. How you manage relationships with third parties
9. What technical controls you have in place to protect Data
10. Methods used to classify and protect data
11. How you handle the onboarding (and offboarding) of employees from systems
12. Physical and environmental controls that you have put in place to protect Data
13. Change control processes
14. Systems and network security controls
15. Processes to handle security incidents, and Business continuity issues

Of the fifteen areas listed above, perhaps five of them are specifically related to IT. The rest don’t go near the topic.

So who needs ISO 27001?

If you’re still of the mindset that Information Security is an IT issue, then you need to look closely at what ISO 27001 is, and you need it. Because I guarantee if you think that Information Security is all about IT, then if you haven’t already had a Data breach, it’s going to happen sometime soon.

There are too many gaps in your thinking if you’re looking at this from a one-dimensional point-of-view.  It’s worth knowing that the largest fine levied (in the UK) under the General Data Protection Regulation (GDPR) was to a pharmacy.

On 20 December 2019, the Information Commissioner’s Office (ICO) fined the London-based pharmacy £275,000 for failing to ensure the security of special category data. Was it an IT failure? Did they not secure back-ups? No.

They were fined for the ‘careless’ storage of patient Data;

“Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.”

Security is a journey – so you need a map

As the saying goes, “Information Security is a journey. Not a destination.” If this is true then you need a road map.  If you’re struggling to understand how to implement good security, or you’ve tried doing it and it’s all got a bit out of hand! Then you need something that will help guide you.

You need ISO27001 if you’re lost on the journey towards protecting Data. ISO 27001 Gives you clear directions to what is needed, and what is involved in developing a management system that works for you, not against you.

Conclusion

The title of the blog is “Who needs ISO 27001?” I firmly believe any organisation dealing with Data needs to align to the standard or be fully committed and certified to it. 

ISO 27001 forces the Bored to think more holistically about Data security, and requires them to think about all aspects and touch points for Information Security; People, Physical, Policies, Processes, PCs, and Providers.  It’s a framework and a roadmap to follow.

Who needs ISO 27001? Go back to the start of this blog and read the first line again.