Increasing regulatory scrutiny and the rise of highly publicised cyber-attacks have forced cybersecurity to the top of the agenda for executives and boards. Once viewed as just an IT problem, it is now clear that a business-wide approach is required to effectively mitigate cyber risks.
All businesses should be taking a pragmatic and proactive risk-based approach in assessing their critical assets and business environment. It is key that the assessment includes the regulation and legislation landscape applicable to their industry. For example, providers of critical infrastructure are now obligated to implement a baseline level of security controls as prescribed in the Security Legislation Amendment (Critical Infrastructure) Act 2021. Failure to do so can have devastating consequences for a business and its operations, leading to regulatory scrutiny, reputational damage and financial penalties.
Addressing cybersecurity at scale across an organisation is no simple matter. It can be a daunting task, especially for businesses with no dedicated cybersecurity resource, a limited budget or minimal security expertise. An Information Security Management System (ISMS) is designed to help a business effectively manage its end-to-end cybersecurity posture.
What is an Information Security Management System?
An ISMS is a systematic approach to information security, comprising a framework of policies, standards and procedures that define an organisation’s approach to protecting its information. The core objective of an ISMS is to reduce risks to the confidentiality, integrity and availability of information assets to an acceptable level. If the ISMS is implemented correctly, an organisation can certify it against a standard to externally demonstrate its commitment to cybersecurity.
ISO 27001 is a globally recognised standard and internationally regarded as the de facto standard for information security. It is a widely adopted framework used by many sectors. Organisations with an ISO 27001 certification benefit from:
Regulatory compliance – Many local and international cybersecurity regulations are based on, or make use of, the ISO 27001 standard as a control framework. Operating an ISO 27001-aligned ISMS ‘future proofs’ a business against emerging regulations and legislation, and makes other security certifications more attainable.
Business growth opportunity – Supply chain risk management has resulted in more and more organisations being required to demonstrate their cybersecurity assurance during the procurement process. Businesses with an ISO 27001 certification are seen as safer to engage with, and therefore have increased partnership opportunities and a wider market of potential customers.
Increased cyber resilience – The fundamental processes and technologies prescribed by an ISO 27001 ISMS position an organisation to best protect the data and information it manages, and lower the risk of falling victim to a cyber-attack.
Major changes in 2022
In keeping with the evolving cyber threat and data privacy landscape, the International Organisation for Standardisation (ISO) has recently released an update to ISO 27001. The update comprises several major changes to the standard, and 13 new control areas to address emerging technologies and threats. The revised structure categorises controls into ‘themes’ and reduces the number of controls from 114 to 93. The 93 controls are now grouped into four themes:
- People – Controls that concern the people aspect of security
- Physical – Controls that address the security of physical assets
- Technological – Controls that are addressed by technology
- Organisational – Controls that are otherwise categorised as ‘organisational’
The new controls are:
- Threat intelligence
- Identity management
- Information security for use of cloud services
- Information security during disruption
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
How to implement an ISMS?
Implementation will vary depending on the size and structure of an organisation. The process usually starts with a control gap assessment against a standard (such as ISO 27001). Following this, an organisation should define its scope and publish a Statement of Applicability. This scope informs a strategic plan to reach target-state goals and achievable objectives, which are implemented through strategic decision-making, policy and investment. Once the ISMS is in place, an organisation can seek certification against its chosen standard through a third-party certifier.
The McGrathNicol Technology and Cyber team has extensive experience in designing, developing and implementing ISMS across all industry sectors. We can assist your organisation in achieving greater cyber resilience and regulatory compliance, while you securely grow your business.