Information is now globally accepted as being a vital asset for most organisations. As such, the confidentiality, integrity, and availability of vital corporate and customer information may be essential to maintain a competitive edge, cash-flow, profitability, legal compliance and commercial image. ISO 27001 is intended to assist with this task.

Increasingly organisations want to know how safe suppliers IT systems are; ISO 27001 Information & Data Security is a standard for controlling an organisations security systems. The standard systematically examining the organisations information security risks, taking in to account threats, vulnerabilities and impact.

ISO 27001 is suitable for any organisation, large or small, in any sector or part of the world. Many small and medium sized businesses rely heavily on their IT networks whilst handling surprisingly large amounts of sensitive data. System crashes, data corruption and other problems can have disastrous consequences, and could even cause a business to fail completely. To anticipate problems and minimise any damage caused you will need to set up and implement an effective Information Security Management System. (ISMS)

The potential for catastrophic consequences is high for an organisation that has its information compromised, lost, destroyed, corrupted, burnt, flooded, sabotaged or misused. The organisation will incur high direct costs, such as downtime and the cost of remediating.Indirect costs are harder to determine; a business may be underperforming for many reasons, so any estimate of the reputational impact of a breach is approximate. Reputational damage may well come under the spot light in the future as companies may not be able to simply cover up an incident. An organisation’s trust and integrity will be difficult to recuperate.

The purpose of information security management is to ensure business continuity and reduce business damage by preventing and minimising the impact of security incidents.

The Audit Commission has stated that fraud or cases of IT abuse often occur due to the absence of basic controls, with 50% of all detected frauds being found by accident.

Even when organisations introduce controls (which might be policies, procedures, structures, software), these are often disorganised and disjointed. This is because they have  often been implemented in response to a specific situation or incident or simply as a matter of convention.

Robust information security is only possible when the specific security objectives of an organisation are identified and then addressed. This means the organisation is better able to manage their vulnerabilities. This is the systematic framework – or information security management system (ISMS) – that ISO 27001 specifies.

Requirements of Senior Management for an effective ISMS

• Systematically examine the organisation’s information security risks, taking account of the threats, vulnerabilities and impacts.
• Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
• Adopt an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs on an on-going basis.
• ISO 27001 Information and Data Security has also been designed so it can be integrated with other management system standards  such as ISO 9001 Quality Management System– saving time and avoiding duplication of work.

Benefits of ISO 27001 Certification

Certification from a third party certification body demonstrates that you have addressed, implemented and controlled the security of your information. There is also the comfort employee, customers, trading partners and stakeholders gain in the knowledge that your information and systems are secure.

Demonstrating credibility and encouraging trust. Avoiding just a single information security breach can save your organisation money and unnecessary downtime.

Following the ISMS specified in ISO 27001 Information & Data Security provides your organisation with the confidence that you are following globally-agreed good practice with regard to the protection of information assets.

As an auditable standard it also helps users to win new business and provides assurance in supply chain management.

• 51% of IT experts whose job roles focus on the cloud don’t trust the cloud for any of their personal data such as contact lists, music, photos, or Webmail
• 86% of IT experts polled don’t trust the cloud for their organisation’s more sensitive data – preferring to keep it on their own network
• 88% said that they believe that there is a chance that the data their organisation keeps in the cloud could be lost, corrupted or accessed by unauthorised individuals

65% of organisations are not confident data is protected during migration

• While 95% of organisations move data at least once per year, 65% of those surveyed admitted that they were not confident sensitive data was protected during a migration.
• 96% of respondents reported concerns when performing data migrations, with many leaving their data overexposed and vulnerable.
• Respondents listed the most challenging and time consuming aspects of performing data migrations as maintaining availability (68%), identifying and cleaning up old, unused or redundant objects (67%) and keeping data safe by ensuring correct access permissions (59%).

4 in 10 IT Staff Can Access Executives’ Private Data

• 39% of IT Staff can get unauthorised access to sensitive information – and 20% have already done so
• 68% of respondents believe that, as an IT professional, they have more access to sensitive information than colleagues in other departments such as HR, finance and the executive team
• 11% of respondents would abuse their administrative rights to snoop around the network if they thought their job was at risk
• If laid off tomorrow, 11% would be in a position to take sensitive information with them. Nearly a third confirmed that their management does not know how to stop them

On average, organisations continue to spend significant amounts on their security defences, as they expect the assault from breaches to continue. Main drivers for information security:

• Preventing customer information
• Preventing downtime and outages
• Complying with laws/regulations
• Protecting the organisations reputation
• Maintaining data integrity
• Business continuity in a disaster situation
• Protecting intellectual property
• Enabling business opportunities
• Improving efficiency/cost reduction
• Protecting other assets (e.g. cash) from theft

It can be printed or written on paper, transmitted by post or using electronically, shown on films, or spoken in conversation.

Growing dependence on information systems, shared networks and distributed services like cloud computing, means organisations are now even more vulnerable to security threats.

Poor supervision of staff and lack of proper authorisation procedures are frequently highlighted as major causes of security incidents.

Companies vary in their approach to preventing breaches: some prohibit everything, making mundane tasks difficult; others are too lax and permit access to all by all, exposing themselves to a high degree of risk.

For an organisation to run efficiently they need the right balance: this is where the international management standard ISO 27001 Information and Data Security assists organisations large and small.

Computer security

• Install a firewall and virus-checking on your computers.
• Set up your operating system to receive automatic updates.
• Protect your computer by downloading the latest patches or security updates, which should cover vulnerabilities.
• Only allow your staff access to the information they need to do their job and don’t let them share passwords.
• Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen.
• Take regular back-ups of the information on your computer system and keep them in a separate place so that if you lose your computers, you don’t lose the information.
• Securely remove all personal information before disposing of old computers (by using technology or destroying the hard disk)
• Consider installing an anti-spyware tool. Spyware is the generic name given to programs that are designed to secretly monitor your activities on your computer. Spyware can be unwittingly installed within other file and program downloads, and their use is often malicious. They can capture passwords, banking credentials and credit card details, then relay them back to fraudsters. Anti-spyware helps to monitor and protect your computer from spyware threats, and it is often free to use and update.

Email Security

• Consider whether the content of the email should be encrypted or password protected. Your IT or security team should be able to assist you with encryption.
• When you start to type in the name of the recipient, some email software will suggest similar addresses you have used before. If you have previously emailed several people whose name or address starts the same way, the auto-complete function may bring up several addresses. Make sure you choose the right address before you click send.
• If you want to send an email to a recipient without revealing their address to other recipients, make sure you use blind carbon copy (bcc), not carbon copy (cc). When you use cc every recipient of the message will be able to see the address it was sent to.
• Be careful when using a group email address. Check who is in the group and make sure you really want to send your message to everyone.
• If you send a sensitive email from a secure server to an insecure recipient, security will be threatened. You may need to check that the recipient’s arrangements are secure enough before sending your message.

Fax Security

• Consider whether sending the information by a means other than fax is more appropriate, such as using a courier service or secure email.
• Only send the information that is required. For example, if a solicitor asks you to forward a statement, send only the statement specifically asked for, not all statements available on the file.
• Double check the fax number you are using. It is best to dial from a directory of previously verified numbers.
• Check that you are sending a fax to a recipient with adequate security measures in place. For example, your fax should not be left uncollected in an open plan office.
• If the fax is sensitive, ask the recipient to confirm that they are at the fax machine ready to receive the document and there is sufficient paper in the machine. Ring up or email to make sure the whole document has been received safely.
• Use a cover sheet. This will let anyone know who the information is for and whether it is confidential or sensitive, without them having to look at the contents.

Other security

• Shred all your confidential paper waste.
• Check the physical security of your premises.

Train your employees

• So they know what is expected of them.
• To be wary of people who may try to trick them into giving out personal details.
• So that they understand they can be prosecuted if they deliberately give out personal details without permission.
• To use a strong password – these are long (at least seven characters) and have a combination of upper and lower case letters, numbers and the special keyboard characters like the asterisk or currency symbols.
• Not to send offensive emails about other people, their private lives or anything else that could bring your organisation into disrepute.
• Not to believe emails that appear to come from your bank that ask for your account, credit card details or your password (a bank would never ask for this information in this way).
• Not to open spam – not even to unsubscribe or ask for no more mailings. Instruct them to delete the email and either get spam filters on your computers or use an email provider that offers this service.

Friday is the day of the week when ATMs are most frequently used.

The name of the European currency “Euro” was suggested to the European Council by a German delegation led by Germany’s then Minster of Finance Theo Weigel.

A total of 18 animals are depicted on all Euro coins.

UK – The £ sign developed over the years from the letter ‘L’, the initial letter of the Latin word libra meaning a pound of money.