Security controls should not be chosen or implemented arbitrarily. They should flow out of an organisation’s risk management process, which begins with defining an overall IT security strategy and then its goals. This should be followed by defining specific control objectives: practical ways in which the organisation plans to manage the risks it has identified. This is where ISO 27001 comes in. Unfortunately, the security controls in operation today typically address only certain aspects of IT or data security, leaving non-IT information assets like paperwork and proprietary knowledge less protected and more vulnerable. Business continuity planning and physical security are sometimes managed independently of IT or information security, whilst Human Resources practices may not recognise the need to define and assign information security roles and responsibilities throughout the organisation. The ISO 27001 standard was introduced to address these issues. The basic bones of ISO 27001 require that you:
Yes, there is a lot of detail around the standard, but its essence really is as simple as this.

What you’ll be doing when implementing ISO 27001

There are a series of core requirements in the main body of the standard, and the actual controls are detailed in an annex at the back, called Annex A. The idea is that you choose which of these controls to implement based on the risk assessment and risk treatment work that you will have done under the first part of the standard. So one of the fundamental core requirements in the main body of ISO 27001 is to identify, assess, evaluate and treat information security risks. Working through this risk management process determines which of the Annex A controls need to be applied to treat those risks (and, just as importantly, lets you justify in your Statement of Applicability why any control has been left out):
One of the simplest and most useful models for classifying controls is by type (physical, technical or administrative) and by function (preventative, detective and corrective).

Control Types

Physical controls describe anything tangible that is used to prevent or detect unauthorised access to physical areas, systems or assets. This includes fences, gates, guards, security badges and access cards, biometric access controls, security lighting, CCTV and surveillance cameras, motion sensors and fire suppression, as well as environmental controls such as HVAC and humidity control. Technical controls (also known as logical controls) are hardware or software mechanisms used to protect assets. Common examples are authentication solutions, firewalls, antivirus software, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), constrained interfaces, access control lists (ACLs) and encryption. Administrative controls are the policies, procedures or guidelines that define personnel or business practices in line with the organisation’s security goals. These can cover employee hiring and termination, equipment and internet usage, physical access to facilities, separation of duties, data classification and auditing. Security awareness training for employees also falls under the umbrella of administrative controls.

Control Functions

Preventative controls are any security measures designed to stop unwanted or unauthorised activity from occurring. Examples include physical controls such as fences, locks and alarm systems; technical controls such as antivirus software, firewalls and IPSs; and administrative controls such as separation of duties, data classification and security awareness training. Detective controls are any security measures or solutions implemented to detect, and alert on, unwanted or unauthorised activity either in progress or after it has occurred.
Physical examples include alarms or notifications from physical sensors (door alarms, fire alarms) that alert guards, police or system administrators. Honeypots and IDSs are examples of technical detective controls, and audits and log reviews are administrative detective controls. Corrective controls include any measures taken to repair damage or restore resources and capabilities to their prior state following unauthorised or unwanted activity. Examples of technical corrective controls include patching a system, quarantining a virus, terminating a process or rebooting a system. Putting an incident response plan into action is an example of an administrative corrective control. The table below shows how just a few of the examples mentioned above would be classified by control type and control function.

The idea is that you implement a combination of security controls based on stated control objectives tailored to your organisation’s needs and regulatory requirements. Ultimately, the goal of both control objectives and controls is to uphold the three foundational principles of security: confidentiality, integrity and availability, also known as the ‘CIA Triad’.
This triad of confidentiality, integrity and availability is considered the core underpinning of information security. Every security control and every security vulnerability can be viewed in light of one or more of these three concepts, and for a security programme to be considered comprehensive it must adequately address all of them. Put simply, confidentiality means that data, objects and resources are protected from unauthorised viewing and other access. Integrity means that data is protected from unauthorised changes, so that it remains reliable and correct. Availability means that authorised users have access to the systems and resources they need when they need them - there is no point in having a system so secure that the people who need the information can’t get at it. If you would like to look at how to implement an ISO 27001 information security management system, then simply contact us. Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).
ISO 27001 is an information security standard and part of the ISO 27000 family of standards. The edition discussed here is the 2013 one, which saw only a couple of minor corrigenda until it was superseded by ISO/IEC 27001:2022 (which restructured Annex A into 93 controls under four themes). The family of standards is vast (39 at time of writing), but, as with the other standards, our main focus is on the requirements of ISO 27001. ISO 27001 grew out of the British Standard BS 7799, originally published in 1995, which had been written by the old Department of Trade and Industry (DTI) and consisted of several parts. The first part contained best practices for information security management, the second part focused on how to implement an information security management system (ISMS), and Part 3 covered risk analysis and management. Each part was adopted separately by ISO at a different time (Part 1 in 2000 as ISO/IEC 17799, now ISO/IEC 27002; Part 2 in 2005 as ISO/IEC 27001; and the risk management material of Part 3 later, as ISO/IEC 27005), but since the 2013 review of the standard very little reference is now made to any of the BS standards in connection with ISO 27001.

A quick note about one quirk with this standard: you may see reference to either ISO 27001:2013 or ISO 27001:2017 (note the change in year designation). The 2017 designation was introduced to indicate approval by CEN/CENELEC for the EN (‘European Standard’) designation, the background to which I’m not going to bore you with here. In practical terms nothing changed between the 2013 and 2017 versions of the ISO 27001 standard beyond a few cosmetic points and a small name change. Either version is perfectly acceptable and certification can be against either one; it makes no difference.

Why get an Information Security Management System?

Information is the lifeblood of any business, and this is especially true if your clients have entrusted their valuable data to you. Maintaining an Information Security Management System (ISMS) is one of the most effective ways of reducing the risk of suffering a data breach.
An ISMS is a systematic approach to managing the security of sensitive information and is designed to identify, manage and reduce the range of threats to which your information is regularly subjected. There are a whole host of benefits to putting in an ISO 27001 management system, such as:
The majority of organisations will generally have a range of different information security controls in place. However, without a formal ISMS these controls tend to be somewhat disorganised, haphazard and disjointed. The reason for this is that the controls have often been implemented over a number of years to firefight specific problems with specific solutions. For example, you used one IT company to put in a firewall but get your antivirus software from an online subscription; you use access cards, but it’s only in the last few years that you’ve started collecting them from people leaving the company; you’ve started issuing guidelines to new starters that define business practices for employee equipment and internet usage, but don’t know whether they’ve been issued to employees who’ve been with you for a while.

ISO 45001 is the international standard for occupational health and safety (OH&S) management systems, created to help organisations improve employee safety, reduce workplace risks and create better working conditions. Some of its key requirements are:

Hazard identification and assessment of risks and opportunities

You’ll need a process for ongoing and proactive hazard identification that takes into account many factors: how work is organised; social factors, leadership and culture; routine and non-routine activities; infrastructure, equipment and physical factors; human factors; past and potential incidents and emergencies; people in the workplace, people in the vicinity of the workplace, and workers at locations not under the direct control of the organisation (e.g. mobile workers or workers who travel to perform work-related activities at another location); actual and proposed changes; and changes in knowledge.
These hazards, and the methodology you’ve used to assess them, need to be documented.

Incident, nonconformity and corrective action

This is all about how you report, investigate and take action on incidents or nonconformities. You need to: react in a timely manner to control and correct them and deal with the consequences; evaluate them, with the participation of workers and other relevant interested parties as appropriate; analyse them to determine and eliminate root causes; formally investigate where the incident is deemed significant; determine whether similar incidents have occurred or could occur; review existing risk assessments; review the effectiveness of the action taken; and check that corrective actions are appropriate.

Consultation and participation of workers

You should have a process for consultation and participation of workers at all applicable levels and functions, including workers’ representatives as necessary, in the development, planning, implementation, performance evaluation and improvement of your OH&S system. You need to provide time, training, resources and access to information, and remove obstacles and barriers to participation. You should ensure consultation of non-managerial workers on the needs and expectations of interested parties, policy, roles and responsibilities, etc.

Determination of legal requirements and other requirements

Similar to ISO 14001, the organisation should have a process to determine and have access to the health and safety (as opposed to environmental) legal requirements and other requirements applicable to its OHSMS, and to determine how these requirements apply to the OHSMS. The process should cover:
Then there are ‘other’ requirements, and this is used as a catch-all term for a range of sources which may or may not apply to you, such as:
Eliminating hazards and reducing OH&S risks

You’ll need to establish, implement and maintain processes for the elimination of hazards using the ‘hierarchy of controls’. This concept is key in health & safety: risks should be reduced to the lowest reasonably practicable level by taking preventative measures, in order of priority. The table below sets out an ideal order to follow when planning to reduce risk from construction activities, and you should consider the headings in the order shown - do not simply jump to the easiest control measure to implement.

Management of change
You should have a process for the implementation and control of planned temporary and permanent changes. This can involve (but is not limited to!) new products, services and processes; workplace locations; work organisation; working conditions; equipment; the workforce; legal and other requirements; and knowledge about hazards and risks and developments in technology. You need to review the consequences of any unintended changes and take action to mitigate any negative H&S impacts.

It’s a sobering thought that, by a frequently quoted estimate, 95% of all injuries and accidents are caused by unsafe employee acts rather than unsafe conditions. For example, you may develop very effective standard operating procedures only to discover that nobody is following them. You may provide safety glasses and hearing protection, but find no one is wearing them. You may build an ergonomically friendly workstation only to observe poor posture or a ‘creative’ workstation setup. Because workers’ compensation is a ‘no fault’ system, the costs of injuries that result from a lack of employee compliance will still be borne by the organisation, so the only way to ensure a truly successful safety programme is to make the management team responsible for actually preventing injuries and accidents. In order to accomplish this, a bit of psychology is required. Before managers can take steps to prevent unsafe behaviour they first need to understand what causes people to behave unsafely. This might sound obvious, but when you consider that no one sets out to get injured intentionally, you realise that the complexities of human nature are indeed at play. There are a range of reasons why employees perform unsafe acts. For example, they don’t know the right procedures.
Management assumes people will exercise good common sense and therefore does not adequately train employees. Often this is the outcome of safety instruction that is far too general – for example ‘be careful’. Conversely, it may result from handing an employee a large safety rules guide and simply instructing them to read it and sign on the dotted line. Either way, the employee does not really understand – and is therefore not able to follow – correct safety procedures. They also take short cuts. Sometimes this occurs because an employee simply gets lazy and believes it’s just easier not to follow the rules. On the other hand, it can also occur because management has inadvertently encouraged rule-breaking by placing unrealistic demands on employees or through poor planning, which in turn results in undue pressure to cut corners to meet deadlines. Then they can get complacent. Statistically, we know that employees can perform an unsafe act hundreds – even thousands – of times with no resulting accident. This lack of negative consequence reinforces the unsafe behaviour, creating bad work habits and the attitude that “it will never happen to me.” We also know, however, that the more often unsafe acts occur, the more frequently an accident or injury will statistically result. The key, then, to eliminating injuries and accidents, and ultimately the associated costs, is to eliminate unsafe behaviour by counteracting the scenarios outlined above.

What you’ll be doing when implementing ISO 45001

As with ISO 14001, ISO 45001 shares a lot of common ground with ISO 9001, since all three follow the same high-level structure. Both ISO 9001 and ISO 45001 require you to:
However, ISO 45001 has in essence beefed up the following elements:
And it introduces these six distinct requirements in addition to all of the above:
Last month we looked at why a H&S management system is important. This week we’ll take a closer look at what sort of things are in a H&S management system and the kind of issues it will need to address. So, for starters, the sort of things you'll need to consider would be:
Why you should use ISO 45001 as your Health & Safety Management System

Workplace accidents and injuries significantly damage the productivity and efficiency of your operations. Studies have estimated that for every £1 of direct costs incurred in treating and providing disability benefits to an injured employee, employers incur an additional £4 in indirect costs, such as management time spent investigating and handling the claim, lost productivity of the injured worker, hiring and retraining a replacement employee, associated property damage and more. The cumulative consequences of injuries and accidents are sobering. Such incidents seriously affect bottom-line profit by adding unnecessary costs to your operations and subjecting your company to potential fines and penalties. These costs can range from tens to hundreds of thousands of pounds, depending on the size and scope of your business. In fact, in February 2016 the H&S sentencing regime was considerably beefed up: when the court embarks on its consideration of the appropriate financial penalty, it is required to work through a number of separate steps, including:
Courts expect full financial accounts to be served and will consider wider financial information such as details of director remuneration, assets, loans, etc. to establish a clear picture of the company’s financial resources. The guidelines are clear: the fine must be sufficiently substantial to have a real economic impact and to bring home to management and any shareholders the need to comply with health and safety legislation. The need for an OHSMS has never been greater, and ISO 45001 fits the bill perfectly. Once your organisation has embraced the need to prioritise workplace safety, the standard gets you to focus on two interrelated, yet distinctly different, objectives: compliance and accident prevention. Many organisations, however, make the mistake of limiting their efforts to the first objective, compliance, and neglect the second, much greater, challenge of accident prevention. A successful workplace safety programme requires that an organisation address and achieve both objectives.