Thursday, April 9, 2020

Guest Blogger - Stuart Barker on Cybersecurity

ISO 27 I don’t think so

ISO 27001 is the international standard for information security, and there is one thing most technical security professionals can agree on: it won’t stop you getting hacked. Now, I agree to some extent with that sentiment, but it is not intended for that purpose. What ISO 27001 is is an information security management system. What that means in practical terms is that it is a management system backed by a lot of documents. You can be looking at something in the region of 27 core documents for the ISMS and some 23 policies, depending on what your products and services are. As a standard it covers managing information security, not securing your business out of the box.

What does cover securing your business is Annex A, often referred to as ISO 27002. This is a list of 114 controls that cover all aspects, disciplines, departments and parts of your business as they relate to the thing you are trying to secure. They are a list to choose from, formulated by industry experts as the entry-level and most commonly agreed controls. The standard doesn’t tell you how to implement the controls, and that is where the magic of network security professionals comes in, but it does set out the common controls that you would want. By way of example:

13.1 Network security management
Objective: To ensure the protection of information in networks and its supporting information processing facilities.

13.1.1 Network controls
Networks shall be managed and controlled to protect information in systems and applications.

13.1.2 Security of network services
Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

An ISO 27001 certification is usually a requirement of your clients and customers. No one is going to the hassle for a laugh. There is a compelling commercial reason to do it.
The way it works is that the certification body will audit you against the standard AND the controls that you say you have. Let's face facts: not all auditors are experienced in all aspects. It is likely that, technically, you can run rings around them when it comes to network security. That isn't in the spirit of what is intended, but it is possible to bamboozle an auditor into believing these are the droids he is looking for, and pass. The upshot is that yes, ISO 27001 on its own does not stop a business being hacked or make it inherently more secure. But it gets a business to think about it and to demonstrate to those customers that you take it seriously and that someone has checked it. For me, it makes sense when the clients and customers say it makes sense.

Author: Stuart Barker - The Data Security Guy

Stuart at High Table specialises in fintech and financial services companies, with over two decades of experience delivering legal and regulatory compliance for data. He focuses on getting and keeping companies compliant for data security, which usually means ISO 27001, PCI DSS, SOC 1 and SOC 2 certification and regulations like the FCA regulations for data security. He started, built and successfully sold a cyber security business. Now he advises companies and builds data security capability, allowing them to meet the needs of their customers, the needs of their funders and the needs of the law. Usually in that order. He is also a driver in addressing isolation, wellbeing and mental health in business and in building emotionally intelligent people networks.
