PC PORTAL

Experienced. Trusted. Solutions.

ISO 27001

By

Using ISO 27001 to guide your GDPR breach response plan

Among the many changes GDPR will usher in, one of the biggest for many organisations will be mandatory breach reporting. From May 25, all organisations holding personal data about European Union residents must disclose a breach if it is “likely to result in risk to personal data”.

What’s more, organisations must report such breaches within 72 hours of discovering one. Reacting in such a short timeframe calls for a robust response plan. Unfortunately, experience to date suggests such plans tend to be conspicuously absent. The ISO 27001 Information Security Standard can help.

ISO 27001 can enable organisations to map an incident response plan that covers not just IT, but also people and processes. A good plan will cover the following steps:

  • Detect
  • Contain
  • Eradicate
  • Remediate
  • Recover
  • Review
  • Communicate.

Who implements the plan?

Incident response often falls solely – and unfairly – on the shoulders of the IT team. “It can’t just be the IT person’s job. It has to involve the whole business: this is a business risk and a business issue,” said Brian Honan. He added that GDPR applies to physical information, not just data on IT systems. Brian was speaking as part of a panel discussion on GDPR at the ISO 27001 Ireland event last week.

He recommended that a security response team should include representatives from information security, operations, HR, legal, PR, and facilities management. HR should be involved because if it’s an internal breach, the organisation may need to discipline a member of staff. Recovering from a breach often creates a fraught, high-pressure environment. HR can also play a role by helping to coach employees and manage their time. “Breaches don’t just happen between the hours of 9 and 5,” Brian said.

Involving a legal team is also important because organisations will probably need to deal with the appropriate data protection authority. “Speak the right language to the right people. You don’t want to open a can of worms by saying wrong thing to the regulator,” Brian said.

Sending the right message

Too often, organisations fall back on stock answers like “a sophisticated breach” when there’s little evidence to support the claim. Having PR expertise on the incident response team helps to ensure the organisation’s public statements are consistent, timely and truthful.

Brian also recommended including a representative from facilities management on the team. That’s particularly useful if a breach involved a break-in where CCTV cameras and physical security could prove vital.

“The key thing is, engage early with the business, find out what is important to them. Find out what you need to have in place. Establish relationships. Know who you need to contact in the regulator’s office or the supervisory office, find out what way you will contact them. And other relevant bodies you may need to contact. And think about what external expertise you may need. It’s important that you have those contact details already,” Brian said.

Ensuring transparency

To make sure the response process is repeatable, Brian recommended documenting all policies and procedures. “Transparency is important… It’s very easy to get caught in heat of moment in a breach, but then afterwards, can you recall what happened?”

Data breach notification also brings suppliers under its umbrella since many organisations now outsource their data hosting to third parties. “If your data is in a data centre or with a hosting provider, do you have an agreement in place so that they will let you know if they have had a breach? That’s a new thing to worry about. You may have to report a breach because one of your suppliers has had a breach,” Brian said.

Alerting mechanisms are vital because they can provide the information a response team needs to react appropriately to a breach. The 72-hour reporting window means that you don’t need detailed forensic analysis to start with. That can happen at a later stage. Teams should identify tools or software they will need both to detect possible breaches and to manage the response process. Brian suggested using examples like last year’s Equifax breach as the scenario for a desktop exercise to practice breach response. “If your vulnerability scanner didn’t work, how would you act? Use it as a learning mechanism,” he said.

People power

Staff training can also strengthen an organisation’s ability to spot potential breaches as well as responding to them. Brian referred to the Verizon Data Breach Investigations Report which found that many breaches come to light not via tools but through people noticing something strange. “The number one detection tool we have is our staff,” he said.

The last reason for implementing a breach response plan is simply reputation management. “It’s not that you’ve had a security breach that will damage your brand, it’s how well you respond,” Brian concluded.

The post Using ISO 27001 to guide your GDPR breach response plan appeared first on BH Consulting.

By

Business benefits for ISO 27001 certification, and five steps to making it work

A person marks on their notepad, possibly to write down a password, while their phone and laptop are beside them.Whether you want to reassure a board – or yourself – that your security programme is operating optimally, the ISO 27001 Information Security Standard gives you that confidence. Here are some business-focused benefits to becoming certified, and some tips for making that process run smoothly and successfully.

Choosing to get certified

First, let’s address a misconception: when it comes to certification, size doesn’t matter. It has nothing to do with how large your organisation is. It’s better to think of ISO 27001 in terms of how important you consider your organisation’s or your customers’ data. That could be business plans, financial information, intellectual property, payroll details, or credit card numbers. BH Consulting has certified a three-person company. Another SME client had just 10 employees when it obtained ISO 27001 certification. When a US multinational subsequently acquired that company, it turned out security was the easiest part of the due diligence process because of the certification.

External validation

The main reason I like to recommend ISO 27001 is because it’s an internationally recognised standard of good practices around cybersecurity. It is vendor- and technology-neutral. Being certified to ISO 27001 means you’re being verified at least once a year by an external independent body that you operate your security in the way you claim. That differentiates the standard from other self-regulated standards like NIST 800, for example.

It also helps businesses that regularly sell to larger corporates. The larger the customer, the more rigorous their supplier due diligence tends to be – and rightly so. Security questionnaires now feature regularly in many tendering processes. Third-party risk is a legitimate concern for large businesses – think of how attackers breached Target’s network through a supplier.

GDPR assistance

I have noticed a growing number of companies and public bodies looking at ISO 27001 to support compliance with GDPR. Similarly, ISO 27001 is useful for managing compliance with security frameworks such as the EU NIS directive, or HIPAA.

Cyber insurance is a hot topic right now, and I know of many companies thinking seriously about taking out policies. Some insurers are giving discounts to ISO 27001-certified companies. (Personally, I believe there’s lots of hype around cyber insurance. I think it’s better to spend the money on good defences. Otherwise, it’s like choosing not to put seatbelts in your car, but taking out insurance against a crash instead.)

To sum up the benefits, ISO 27001 takes a risk-based approach to securing information. By definition, any organisation that has undergone the certification process can prove it operates a robust risk assessment process.

Ensuring successful certification

So, with a solid business case for getting certification, how do you ensure the process itself is a success? Here are some points to consider:

  1. Do it for the right reasons: to assure customers, stakeholders or external overseer that you keep data secure.
  2. Do obtain full support from senior management. Ensure they’re bought into the programme and that they provide the right resources and budget to ensure success.
  3. Do get buy-in from all parts of the business. ISO 27001 is an information security standard, not an IT standard.
  4. Don’t chase certification purely to satisfy a sales requirement or for marketing purposes. Otherwise you don’t get the correct level of focus on the standard. Treating it as a box-ticking exercise makes it very difficult to achieve and maintain certification.
  5. Do ensure information security is a regular agenda item on senior management meetings, not just an annual review. Have management actively review and sign off on security policies, and attend security awareness training.

If I’m auditing a company, and management aren’t attending, then I know the company isn’t serious about certification. It shows whether the effort goes beyond lip service to embedding a lasting, mature security culture. In many ways, it’s a classic chicken-and-egg scenario: without full support from management, successful implementation is unlikely. Yet a successful implementation ensures you have full support.

The post Business benefits for ISO 27001 certification, and five steps to making it work appeared first on BH Consulting.