How does ISO 27001 fit into your business's Risk Management Strategy?
Friday 28 October saw another Australian organisation make a public apology after a data breach.
The Australian Red Cross stated that personal data (including names, addresses and dates of birth) from over 500,000 donors had been placed on a website managed by a contractor on behalf of the service.
Red Cross Chief Executive Shelly Park stated the breach had occurred “due to Human Error”.
So what, in this case, does “human error” mean? Was this a case of a contractor not following a process stipulated by the business, or does it go deeper, to an organisation's ability to see risk and to foresee events that could expose it to significant damage and brand harm? Only the Red Cross will know the answer to this question. Either way, the case illustrates a point that is easy to miss: a contractor handling data on your behalf is still your risk, and outsourcing the processing does not outsource the accountability for it.
Back in 2013, PwC reported on behalf of the UK's Department for Business that 87% of small businesses had suffered some form of data or security breach in the previous year (FY 2012-13).
Whilst data can be stored securely, it's worth noting that not all businesses see a data breach as a risk, let alone discuss it at senior management level.
ISO 27001:2013 can't guarantee that your data will be safe for ever and a day, but it can help a business put the foundations in place to protect its workers', clients' and customers' data.
So how can a standard like ISO 27001:2013 help your business? ISO 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO 27001:2013 are generic and are intended to be applicable to all organisations, regardless of type, size or nature. Note that certification attests to the management system (the scope you define, and how you assess and treat risk within it), not that any particular system is free of vulnerabilities, so a certificate's scope statement is worth reading before you rely on it, whether it is your own or a contractor's.
You may not feel that the financial investment of certification adds any value for your business, but by implementing the “best practice” outlined within the Standard, your business may just have the upper hand against the next generation of cyber criminals.
Remember to include cyber-crime and data breaches on your business's hazard or risk register, and to look at business continuity and countermeasures; the contractors and third parties who hold your data belong on that register too. Run your IT team through an “emergency drill” (a tabletop exercise) to see how they would react to a significant data breach incident, and consult with peers and other businesses on how they manage the risk of data breaches.