George Osborne has warned today of the threat of deadly cyber attacks. This follows a spate of information security breaches, most famously that of Talk Talk.
It is, perhaps, unlikely that any system will ever be 100% secure, particularly where members of the general public must be able to enter data across a variety of networks using different devices (computers, tablets, mobile phones). Encryption, firewalls and other such tools will be used to mitigate attacks, but it is essential that companies are also able to deal with the aftermath should an attack succeed.
Take the specific example of Talk Talk: City AM has looked at how Talk Talk shares have fared since the hack was made public on 22 Oct 2015.
Much of this deterioration in share price could be linked to the way in which Talk Talk are perceived to have handled their response to the incident, and the way in which they have dealt with concerns from the public.
It is worth noting that Talk Talk certified to ISO 27001 in 2012, although I am not sure whether they still hold this certification. However, this latest in a series of breaches demonstrates that certification to a standard, and subsequently following the steps needed to maintain that certification, does not indicate any level of invulnerability. In the case of Talk Talk, it also serves to highlight the glaring lack of incident management requirements within ISO 27001.
ISO 27001 lists a number of Control Objectives and related controls, mainly concerned with the physical, infrastructure and process protection of data. It is up to the organisation seeking certification which of the controls it chooses to adopt (any exclusions must be justified in its Statement of Applicability), although it would be surprising if an organisation did not adopt the controls under A.16 ‘Management of information security incidents and improvements’. However, whilst that section lists controls such as ‘A.16.1.1 Responsibilities and procedures’ and ‘A.16.1.5 Response to information security incidents’, there is a telling lack of detail regarding communication with interested parties.
ISO 27002, the Code of Practice which supports ISO 27001, suggests that ‘procedures for response including those for escalation, controlled recovery from an incident and communication to internal and external people or organizations’ should be considered. However, the ‘response’ guidance relating to A.16.1.5 is much more focussed on evidence collection and forensics than on communication.
Contrast this with ISO 22301, the international standard for business continuity, which has a full clause devoted to incident response and an additional requirement for a communications procedure, complete with a further clause on ‘warning and communication’. Given the potential for information security incidents to have such an impact on businesses, we would advise any business that is implementing ISO 27001 on its own to ensure that it has an adequate incident response capability, including an effective communications procedure.
Written by Helen Molyneux