Cyber threats continue to plague governments and businesses around the world. These threats are on the rise as cyber criminals increase their focus and know-how. The problem demands an international solution. ISO/IEC 27001 provides a management framework for assessing and treating risks, whether cyber-oriented or otherwise, that can damage business, governments, and even the fabric of a country’s national infrastructure.
Information security incidents are on the rise as cyber criminals increase their focus on both large and small businesses. An in-depth study of the state of information security by the Department for Business, Innovation & Skills has highlighted the scale of information security threats in the UK. The study – The 2013 Information Security Breaches Survey – reveals that attacks against small businesses have increased by 10 % in the past year, costing up to 6 % of their turnover.
Surprised? Don’t be. The mobile threat landscape is moving at a very rapid pace. Mobile hackers are on the prowl, cooperating with cyber criminals to pass on stolen private and business information. What’s more, threats aimed at mobile devices are becoming smarter. According to reports from CNN Hong Kong and NQ Mobile, the dramatic growth in mobile malware is intensifying, estimated to be up by 163 %. An astounding figure by any measure.
Identity thieves have also regained the upper hand, suggests a 2013 survey released by fraud research firm Javelin Strategy & Research. The firm’s annual survey reports that, in 2012, identity fraud incidents increased by more than one million victims and fraudsters stole more than USD 21 billion, the highest amount since 2009.
More and more organizations are embracing online opportunities to promote their business and solidify their position in the marketplace through the use of mobile devices and apps, not to mention social networking sites. In so doing, these companies are magnifying the number and sophistication of threats targeted at them. Today’s companies have no choice but to protect themselves by implementing the ISO/IEC 27001 standard.
Used internationally since 2005, ISO/IEC 27001 has helped thousands of organizations boost their information security. The popular management system standard has recently been updated and is now available in a new and improved version – ISO/IEC 27001:2013. This second edition takes account of past user experience, improves the security controls to suit today’s IT environment (notably identity theft, risks related to mobile devices and other online vulnerabilities), and aligns with other management system standards.
BUSINESS BOOM AND BUST
Cyber security is not just an IT challenge; it is critical to the running of any business. According to Prinya Hom-anek, President of ACIS, Thailand, the benefits of using a framework for managing cyber risks cannot be overstated: “To tackle the cyber problem, we not only need more robust technical solutions, we need management solutions to improve the business processes to handle the risks to confidentiality, integrity and availability of information and, very importantly, to improve the awareness and skills of staff and users to achieve this protection.” He also notes: “ISO/IEC 27001 […] has helped us to improve our defences against cyber-attacks and, in turn, enabled us to offer better security in the services we provide our customers. As a result, our customers have greater trust and confidence in us as a secure business partner.”
Cyber risks cause much harm to online markets by compromising electronic transactions and inflicting costly damage. For José Renato Hopf of GetNet, one of the suppliers of managed technology solutions and business services for electronic transactions in Latin America, it is important for companies to stay ahead of the cyber security game: “GetNet decided to implement an effective Information Security Management System (ISMS), based on ISO 27001:2013, to protect its Data Centre located in Campo Bom, Rio Grande do Sul (Brazil), against threats and vulnerabilities, and to preserve the confidentiality, integrity and availability of its information. In addition to the adoption of the best information security practices […] ISO 27001:2013 will increase the confidence of our clients, partners and other interested parties.”
SERVICE AND SECURITY COMBINED
Establishing and maintaining customer confidence is key to all successful businesses. Organizations such as CINDA, one of the big-four asset management companies representing the financial industry in China, have benefited commercially from building customer confidence through the combined use of an information security management system based on ISO/IEC 27001 with an IT service management system based on ISO/IEC 20000-1.
Jioa Yuan, General Manager at CINDA’s IT Department, comments: “In the financial sector, CINDA was the first company to gain the two management standards certifications from both domestic and international certification bodies. Our ISMS has been improved continually to meet business development and to adapt to the corporate culture. With the establishment and operation of the ISMS, the company has been constantly improving its corporate information management security, and helping to win the confidence of customers and regulators.”
The broad applicability and usefulness of ISO/IEC 27001 provide unlimited business opportunities for managing risks and building customer confidence. According to Brendan Smith, Chief Information Security Officer at Fujitsu, the benefits of using integrated management systems make for a win-win situation: “Fujitsu Australia uses ISO/IEC 27001 for internal security management, as well as integrating it with ISO/IEC 20000 to provide secure services to our managed clients. We appreciate having a framework that can cover both scenarios, and enable a single management overview of the state of our security implementation.”
“As a global organization, we deliver services from diverse locations. A key benefit of using an internationally recognized standard such as ISO/IEC 27001 is that it gives our clients assurance that we have implemented security management to a common level.”
And there’s more. Fujitsu builds communities of security professionals at executive and management levels within a common framework defined by ISO/IEC 27001. In the long term, Fujitsu Australia will continue to improve the implementation and use of ISO/IEC 27001 (and related standards) throughout its business areas including information services and cloud computing.
MARKET ENABLER
Organizations that manage their information security risks through ISO/IEC 27001 certification are well recognized by the marketplace. Tony Plummer of Stralfors UK explains how ISO/IEC 27001 establishes credibility and allows the company to differentiate itself from competitors.
“ISO/IEC 27001 certification has come to be regarded as a prerequisite for the vast majority of existing and prospective clients. Simply put, our qualification to ISO/IEC 27001 provides us with a ‘ticket to the game’. This may be evidenced by the fact that certification is mandatory for organizations like Stralfors that wish to print or personalize cheques. There is no doubt that compliance to ISO/IEC 27001 has seen us improve our own approach to all aspects of information security and physical security. In addition to this, particular benefits have been seen in colleague awareness and supplier selection and management.”
WEAPONS OF CHOICE
ISO/IEC 27001 has become synonymous with information security. It has been an outstanding success in the business community, reaching out to provide protection and benefits to organizations across all sectors, regardless of size and nature of business.
The businesses questioned above are just the ‘tip of the iceberg.’ Thousands of organizations around the world use ISO/IEC 27001 to manage their information security risks. And in a world increasingly plagued by cyber-attacks and other threats, anything else would be unthinkable.
“This article first appeared in the November/December 2013 issue of ISOfocus — the magazine of the International Organization for Standardization (www.iso.org/isofocus) — and is printed here with permission.”