5 reasons why new ISO Security Standard matters

Cloud computing, off-shore data management and outsourced services and information have changed the way most, if not all, Australian businesses manage and store customer and company data. And while most have implemented some sort of software security solution, they have not always adopted a holistic approach to information security.

The newly released and improved standard for Information Security Management Systems (ISMS), ISO/IEC 27001:2013, can help organisations develop this much-needed 360-degree approach to information security practices.

“By implementing the principles in ISO/IEC 27001:2013, security practice management, including usage and data needs, is continually monitored. This level of evaluation ensures greater efficiency when it comes to risk management,” said David Simpson, Information Security training facilitator at SAI Global, the Australian business-performance training company.

“And with ever-evolving cyber security threats and the pace of change in our information-rich age, most organisations require this level of commitment to managing their critical data. In this context it’s essential for businesses to be up to date with the very latest international standards for information management to protect not only their businesses, but their customers and stakeholders,” said David.

The ISO/IEC 27001:2013 Standard is the new international benchmark for evaluating information security risks. It contains the tools to assist businesses in setting up the frameworks and processes required to manage not only newer forms of technology such as cloud computing and off-shore data management, but their complete information security needs.

David works with SAI Global to develop transition strategies and provide training on the new international ISO/IEC 27001:2013 standard. Here he shares his five key learnings to assist with bringing your ISMS up to date.

1. It’s not enough to just leave it with the IT guy. ISO/IEC 27001:2013 stresses the importance of executives taking an active role in the management of their ISMS and sets out guidelines for companies to document the needs, interests and expectations of all stakeholders in the ISMS plan. This makes management of the ISMS a governance function and places responsibility in the hands of executives, who should consider the ISMS part of their business plans. “This is a significant shift of power within organisations, away from the IT department to areas of the business that assess and manage risk,” said David.

2. With the new standard, you walk the talk. “One of the key learnings from the new ISO 27001:2013 standard is to take responsibility and ‘walk the talk’ to make sure organisations are living up to their obligations and responsibilities in managing the information under their control,” said David. To do this, it’s essential to have a very clear idea of what you are trying to protect, and to document both your business and security objectives.

3. You can’t blame it on a third party. The new ISMS standard stresses the importance of taking ownership of your information system. “It’s not enough to simply outsource and set and forget. The fundamental risk is to your business. Your cloud provider is not going to be the one that suffers if security is breached. Your business will,” said David. ISO/IEC 27001:2013 encourages the documentation of roles and procedures between any organisation and a third-party information management or storage service.

4. The days of tick-and-flick compliance are over. What was once a one-time activity, done simply for the sake of removing it from the to-do list, now requires continuous improvement. “With the pace of change accelerating, organisations cannot rely on the threat landscape remaining unchanged and must continually review their security systems to protect their organisations,” said David. To ensure your system is robust, put in place a process for ongoing risk assessment, evaluate your response to any incident, and refine, refine, refine.

5. Interconnected worlds are now recognised. ISO/IEC 27001:2013 recognises that most organisations are now more closely connected and that this interconnectivity brings new challenges. “While this allows organisations to be more effective, it also increases the risk from data breaches, and if things go bad, they go bad very quickly. The learning from the standard is to document what you are trying to protect and develop an action plan to manage it, as quick reflexes in an interconnected world are essential to handling any crisis,” said David.