Information security is the preservation of the confidentiality, integrity and availability of information. This is not just about client data, despite the tendency to focus on it. Other elements that can be equally critical include staff data and corporate information such as financial records, product specifications, supply chain data, and any other information that is essential to the running of the organisation.
You have probably heard of cyber security in the news, and you will already have a number of information security practices in place that are second nature to you: locked doors, passwords, PINs and similar measures. You may therefore be wondering why you would need to implement an Information Security process.
However, implementing an effective Information Security management system will help you to understand the nature of the data and information that you hold, and the vulnerabilities of that data.
By properly understanding the risks, you will be able to implement effective risk treatment and control, and will be able to monitor the effectiveness of the protective steps that you have taken.
Additionally, you will be able to have a better understanding of the legislative and regulatory regime for you and your key stakeholders, knowing what all parties require for the confidentiality, integrity and availability of their information.
There are additional benefits to adopting a comprehensive information security management system, which may include:
Implementation of effective information security within an organisation may require a change in culture, with a shift in perception from “everything is generally permitted unless expressly forbidden” to “everything is generally forbidden unless expressly permitted”.
However, this has to be balanced against the organisation's information needs for innovation and productivity.
The implementation of an effective information security management system can be demonstrated through certification to ISO 27001:2013 – Information Technology – Security Techniques – Information Security Management Systems.
Further information supporting the requirements specification can be found in the ISO 27000 series, particularly:
ISO 27002 – Code of Practice for Information Security Controls
ISO 27005 – Information Security Risk Management