What are the benefits to an ISO 27001 audit?

In today’s digital age, information security is paramount. Businesses of all sizes must protect sensitive information from cyber threats, data breaches, and other security risks. One way to achieve this is by implementing an Information Security Management System (ISMS) that conforms to ISO 27001. In this article, we will discuss ISO 27001, its benefits, and why businesses should consider implementing it.

What is ISO 27001?

ISO 27001 is an international standard that sets out the requirements for an Information Security Management System (ISMS). It is a framework for managing and protecting sensitive information, such as personal data, financial information, and intellectual property. ISO 27001 provides a systematic and proactive approach to managing information security risks, ensuring that businesses can protect their critical assets.

Benefits of ISO 27001

1. Protection of Sensitive Information


Helping you understand and implement your ISMS

Diversified Management Systems provides ISMS solutions to our clients. We help you meet your information security objectives faster and ensure security for you and your customers. In the final analysis we save you time and money, using our customer-centric approach to implement a management system that leverages our experience and your leadership.

We learn your business goals and market requirements to streamline ISMS implementation. We help educate you about the boundaries and scope of the ISO 27001 requirements.

  • Prepare a GAP analysis and Risk Assessment
  • Initiate the Information Security Management System
  • Develop the ISMS and move to Certification

No matter the size of your organization, only so much is needed to obtain ISO 27001 certification, and we work to understand your business objectives and why you are pursuing ISO 27001. With that information, we focus our efforts on meeting your goals and objectives. We will make suggestions for improving your information security management system. Our value comes from meeting your objectives in the shortest time possible.

Contact us to schedule an introductory meeting and to answer any of your questions or concerns.

ISO 27001 Requirements

The main requirements are found in clauses 4 through 10. Below is a summary of each:

Clause 4 – Context of the organization

Implementing an Information Security Management System successfully requires an understanding of the context of the organization. External and internal issues, as well as interested parties, need to be identified and addressed. Typical considerations include:

  • regulatory issues
  • competition
  • cultural
  • political
  • strategic direction
  • internal capabilities

Given the context, the organization must define the scope of the ISMS.

Clause 5 – Leadership

The requirements of ISO 27001 for leadership are many and various. The commitment of upper management is mandatory and essential. The ISMS objectives must be developed in concert with the strategic direction and objectives of the organization. Management must provide the necessary resources, as well as support personnel in their responsibilities with the ISMS.

In addition, upper management must establish a top-level policy for information security. These policy statements need to be documented and communicated within the organization and to all interested parties.

Roles and responsibilities need to be assigned, to meet the requirements of the ISO 27001 standard and to report on the performance of the ISMS.

Clause 6 – Planning

Risks and opportunities should be accounted for during planning. A risk assessment for an ISMS provides a foundation on which to build. Objectives from the risk assessment must be aligned with the company's overall objectives and need to be adopted within the company. The objectives provide the security goals to work toward. From the risk assessment and the security objectives, a risk treatment plan is derived using the controls in Annex A.

Clause 7 – Support

The key areas for support include:

  • resources
  • competence of employees
  • awareness
  • communication
  • documentation

Information needs to be documented, created, and updated, as well as controlled. A series of documentation, including a communications plan, must be maintained in order to support the success of the ISMS.

Clause 8 – Operation

The processes used to implement information security are the wheels of the ISMS. These processes must be planned, implemented, and controlled. The risk assessment and objectives have to be put into action.

Clause 9 – Performance evaluation

The requirements of the ISO 27001 standard necessitate monitoring, measurement, analysis, and evaluation of the Information Security Management System. Key performance indicators must be created and monitored. Internal audits are conducted on a regular, scheduled basis to check the success of the implementation. Upper management needs to review the organization's ISMS and ISO 27001 KPIs frequently at first, then on a scheduled basis.

Clause 10 – Improvement

After evaluation, improvement follows. During an audit, nonconformities are documented. They then need to be addressed through an action plan resulting in their elimination. A process for continual improvement should be documented and implemented. The traditional PDCA (Plan-Do-Check-Act) cycle is recommended. It provides a solid structure and fulfills the requirements of ISO 27001.

Annex A – Information security controls reference

This Annex provides a list of 93 controls that can be implemented to decrease risks and comply with security requirements from interested parties. The selected controls that are implemented must be designated in the Statement of Applicability.


ISMS and Social Engineering

The human element is a key driver of 82% of information and IP breaches. This emphasizes the importance of having a strong security awareness program.

Social engineering is used for a range of malicious activities through human interactions. It uses psychological manipulation to trick users into giving away sensitive information.

Social engineering attacks occur in one or more steps. The perpetrator first learns about the victim to gather background information, such as points of entry and weak security protocols. The attacker then moves to gain the victim's trust and provide positive reinforcement for further actions that break security.

The types of Social Engineering are:

  • Baiting
  • Phishing
  • Spear phishing
  • Scareware
  • Pretexting

Baiting

These attacks use a false promise to exploit a victim's greed or curiosity. They lure the victim into a trap that steals personal information and then infects their systems with malware.

Phishing

These scams are email and text messages aimed at creating a sense of urgency, curiosity, or fear. The messages then push the victim into revealing sensitive information, clicking on links to malicious websites, or opening attachments containing malware.

Spear phishing

This is a more targeted version of the phishing scam. The attacker chooses specific individuals and tailors the messages based on characteristics, job positions, and contacts belonging to their victims to make the attack less conspicuous. Spear phishing requires much more effort on the part of the perpetrator and may take weeks or months to pull off. These attacks are much harder to detect and have better success rates if done skillfully.

Scareware

Scareware involves bombarding the victim with false alarms and fictitious threats. Users are deceived to think their system is infected with malware, prompting them to install software that has no real benefit or is malware itself.

Pretexting

The attacker starts by developing trust with the victim by impersonating co-workers, police, bank and tax officials, or other persons with right-to-know authority. The pretexter asks questions that are supposedly required to confirm the victim's identity, and through those questions gathers important personal data.


Experienced ISO 27001 Consultant

Most think information security is a technology problem to solve. Often we assume that anything pertaining to securing information or protecting against cyber attacks is only for the I.T. team. Nothing could be further from the truth.

Every member of the organization is responsible for carrying out the information security policies. All employees are a part of the ISMS. If you do not train them properly, your organization is open to exploitation. Every employee is a vital part of your defense. They are also a significant vulnerability.

When looking for an ISO 27001 consultant, it is critical that you find one with experience. Our main ISO 27001 consultant has experience with the U.S. Armed Forces securing classified material.

From the International Standards Organization, “ISO/IEC 27001:2022 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2022 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.”

In today's world, information and information system security can be as important as cash flow. If you lose it, you could perish.

Contact us today.


Consulting

Getting certified within the ISO family will bring plenty of benefits for the organization. Your time should not be wasted trying to do it yourself. You are busy doing what you do best.

"I saw it on YouTube… They are just copper wires, I can rewire the office on my own." Of course you'd hire an electrician. Likewise, downloading a template from the internet is not an efficient way to become certified. Information quickly becomes outdated, new standard rulings are made, and clarifications must be monitored. You need an experienced professional to map your specific operating processes to a standard, then guide you through implementation.

Diversified Management Systems specializes in helping any organization become compliant or achieve certification. Our goal is to:

  • Help you implement an effective Management System
  • Develop a system that is easy to follow and maintain
  • Improve your operation from Receiving to Shipping

We have a proven track record of delivering results with sustainable benefits. We provide comprehensive consulting services for the following standards:

  • ISO 9001:2015 Quality Management
  • ISO 14001:2015 Environmental Management
  • AS9100D Aerospace
  • ISO 27001:2013 Information Security Management
  • RC 14001:2013 Technical Specifications
  • ISO 13485:2016 Medical Devices
  • ISO 45001:2018 Occupational Health & Safety