Are you a listener or are you a reader? In any case, we have got you covered. Dive into the details of how to implement ISO 27001 in your organisation: you can read all about it below or listen to what Luke Desira has to say.
Hi, I am Luke Desira and in this video, I wanted to give you a bit of information about how you can go about the task of implementing ISO 27001 within your organisation.
Let’s start with a short introduction to what ISO 27001 is. As you might know, ISO 27001 deals with information security, and over the past decade I would say the threats relating to information security and cyber security have drastically increased, especially since companies are heavily investing in their digital landscape.
When it comes to the standard, we should not only be concerned with the term ‘cyber security’ but with the broader term ‘information security’. We also have to protect other information; for example, information relating to our employees, information relating to the intellectual property being generated by the company, and sensitive commercial information that might be stored in digital or paper-based formats. So ISO 27001 does not only concern the cyber threats that your organisation faces from the online world; when it comes to information security, we are also talking about sensitive, paper-based information that you might hold within your organisation.
Once again, ISO 27001 is an information security management system standard, and its main aim is to protect your organisation from internal and external hazards relating to information security. The goal of any management system based on an ISO standard is to create a management system that is designed for continual improvement. This is a conversation that I like to have with my clients, whereby I understand that nothing will ever be perfect: no matter how much we try to improve our management system, it will still not be perfect.
Moreover, obtaining ISO 27001 certification does not mean that you are protected from all possible threats that relate to information security. Having an ISO 27001 certification means that you have the systems and procedures in place to mitigate information security risks and make sure that issues don’t happen. If and when they do occur, you’ll be able to respond to those issues quickly, and you’ll also have a plan B or plan C for how to tackle a particular situation that might arise within your organisation.
Some organisations, unfortunately, feel that they have to be perfect before even starting the process of implementing an ISO management system. I am here to tell you that that is not the right approach. The right approach is to have the mindset that accepts we will never be perfect and that we should use ISO standards to help us refine and continually improve our systems. We have to ensure that all systems comply with the international standards for information security and that we have all the systems in place to collect the data we will need to take informed decisions about where to direct our actions to improve our information security management system.
That is the first element that I wanted to discuss.
Which companies can implement ISO 27001?
ISO 27001 can be used by any organisation in any industry and of any size. Some organisations, for example financial institutions, have recently become subject to the Digital Operational Resilience Act, an EU regulation specifically targeting financial institutions and their information security. Therefore, companies within the financial sector would greatly benefit from implementing ISO 27001. However, there are other companies, for instance gaming companies, who might need ISO 27001 to be able to register themselves as operators in specific jurisdictions.
Another example might be software houses, either companies creating tailor-made software or companies selling software as a service, who might want to implement ISO 27001 to make sure that their client data, and possibly the data of their clients’ clients, is being adequately protected.
There are other companies who might want to implement ISO 27001. For example, a client of mine is a security company and, of course, if you’re a security business installing CCTV cameras in different locations, you have to understand that your employees must have access to whatever those cameras are seeing at any given point in time. Having an ISO 27001 certification will ensure that your clients have increased peace of mind, knowing that only the relevant and right employees will have certain limited access to what is visible on such cameras, which will in turn improve the reputation of your organisation.
Depending on the size and complexity of your organisation and the industry that you operate in, the way in which ISO 27001 will be implemented in your organisation will change. Companies that are prone to certain risks will need to focus on certain elements, while other companies might focus on other risks.
Implementing ISO 27001 based on the high-level structure
Ultimately, ISO 27001 is also based on the high-level structure, like any other ISO management system standard, and since 2015 we have been using the risk-based approach. In the risk-based approach, the standard asks us to consider what internal and external factors and/or issues might have an impact on our organisation. Then we need to prioritise those risks and opportunities so that we can take effective action on the elements that will have the most impact on our organisation.
Now, when it comes to ISO 27001 and the risk-based approach, I have to mention that there is another element that is not included in other standards but is included in ISO 27001: Annex A.
Annex A of ISO 27001:2022 has 93 controls, and when implementing the standard within your organisation you will need to go through all 93 of them. You will need to prioritise them based on the needs of your organisation, and you will need to determine which ones apply to your organisation and which do not. Based on the prioritisation exercise you carry out while going through these 93 controls within Annex A, you will eventually determine which elements you need to focus on when improving your information security management system.
Implementing the latest version of ISO 27001
The next thing that I wanted to talk about is the current version of the standard.
When it comes to ISO 27001, the first version was launched in 2000. As a standard, ISO 27001 gets updated roughly once every eight years. The latest version of the standard, as I have previously mentioned, is that of 2022, and the version before that was that of 2013.
The major difference between the current version of the standard and the previous one is that the controls within Annex A have slightly changed. Of course, over the past 10 years the world has experienced radical changes in the way that we operate a business. We also endured a pandemic, which resulted in a huge increase in people working remotely. As a matter of fact, Annex A also has a control that aims at tackling the risks associated with remote working.