In today’s competitive business environment, information is critical to the day-to-day operation, compliance and strategic planning of your business. As a vital business resource, its value means that it is constantly under threat of being deliberately or accidentally misused, damaged, lost or even stolen by individuals inside or outside the organisation. Protecting one’s reputation and information is of high importance for all companies, as being trusted is a key element of success.
To fulfil these tasks, it is necessary to implement and operate an information security management system that fits a company’s characteristics and relies on the comprehensive framework of the internationally recognised ISO 27001 standard. ISO 27001 is recognised as the standard for information security management. It provides a framework to minimise the threats to Information and Communication Technology assets and to the business.
The ISO 27001 framework covers commercial, governmental and not-for-profit organisations, and specifies the requirements for establishing, implementing, monitoring and improving an information security management system (ISMS).
To ensure an effective and successful ISMS implementation, organisations should consider the following, in no particular order:
Information security policy
The information security policy and its supporting standards correlate with the legal and regulatory requirements applicable to our organisation. Mandatory and recommended policy statements span nearly a dozen widely recognised information security areas, including but not limited to:
- Access control
- Asset management: classification and control
- Communications and operations security
- Human resources security: personnel
- Information systems acquisition, development and maintenance
- Physical and environmental security
- Risk assessment
Technical security controls
Our approach to information security does not rely solely upon written security policies or standards; it also requires maintaining the confidentiality, integrity and availability of information through the protection of our technology resources and assets. Measures include, but are not limited to:
- Desktop and laptop full disk encryption
- Removable media encryption tools (e.g., USB “thumb” drives)
- Desktop and laptop firewalls
- Antivirus and anti-malware software (server, endpoint, gateway)
- Multifactor authentication solutions
- Automated patching and security vulnerability assessments
- Strong physical, environmental and perimeter controls
- Intrusion detection and prevention technologies
- Monitoring and detection systems
Training and awareness programs
As attack methods change, so must the information, guidance and training. Raising awareness of threats to data privacy and information security should be an ongoing and dynamic process. Formal training for professionals is required to drive awareness throughout the entire organisation.
Control effectiveness assessments
Control effectiveness assessments are required to verify that controls are implemented and operating effectively. They should include:
- Network and application vulnerability assessments, which focus on the technical aspects of the global information security policy, such as patch management, application security and infrastructure security
- Operating effectiveness assessments, which focus on review of technical controls and build processes of components such as operating systems, databases and infrastructure
- Ongoing operational monitoring of control effectiveness, to validate that the security controls are implemented and configured appropriately
Disaster recovery program
The disaster response and system recovery procedures for all critical business applications should be carefully planned and tested. The disaster recovery methodology should incorporate the following:
- Business impact analyses
- Mission-critical disaster recovery plans built on industry-leading standards
- Support from certified disaster recovery planners like E Com Security Solutions
- Regular testing of disaster recovery plans to verify operational readiness
Vendor assurance program
The vendor management due diligence process should cover third-party activities related to information security, procurement, contracts, data protection and independence, including:
- Evaluation of prospective vendors for compliance with ISO 27001/2 aligned global policies and controls
- Due diligence reviews, including preparation of risk ratings and findings
- Mitigation of risk findings
E Com Security Solutions helps organisations implement and maintain an effective ISMS to protect against cyber attacks and fosters the development of a culture of security. This also enables organisations to measure and evaluate the effectiveness of outsourced IT services.
E Com Security Solutions’ comprehensive auditing and certification services help organisations implement an ISMS effectively according to the requirements of ISO 27001 and achieve ISO 27001 certification.