Information security is the preservation of confidentiality, integrity and availability of information. In other words:
- Confidentiality – ensuring the privacy of information, ensuring that ‘information is not made available or disclosed to unauthorized individuals, entities’;
- Integrity – ensuring that information cannot be amended or incorrectly deleted, and maintains ‘accuracy and completeness’; and
- Availability – ensuring that information is where you want it when you want it, and is ‘accessible and usable upon demand by an authorised entity’.
Types of Information
In order to protect your information, it is critical to understand the nature of the data and information that matters to you. Despite the tendency to focus on it, this is not usually just client data. Other elements that can be equally critical include staff data; corporate information such as financial data, product specifications and supply chain data; and any other information that is essential to the running of the organisation.
Types of information security
Given recent concerns, there is often a tendency for people to focus on ‘cyber security’ but cyber and IT issues are not the only security concerns. Other critical aspects include physical and environmental, staffing and supplier security, to name but a few. As an example, do you know what information assets are in all your filing cabinets?
Why do Information Security?
You have probably heard of cyber security in the news, and will already have implemented a number of information security practices that are second nature to you: locked doors, passwords, secret PINs and similar measures. You may therefore wonder why you would need to implement an Information Security process. However, implementing an effective Information Security management system will help you to understand the nature of the data and information that you hold, and the vulnerabilities of that data.
By properly understanding the risks, you will be able to implement effective risk treatment and control, and will be able to monitor the effectiveness of the protective steps that you have taken. Additionally, you will be able to have a better understanding of the legislative and regulatory regime for you and your key stakeholders, knowing what all parties require for the confidentiality, integrity and availability of their information.
There are additional benefits to adopting a comprehensive information security management system, which may include:
- Greater confidence for clients and other interested parties;
- Improved data retention and disposal procedures, resulting in reduced requirements for back-up and archiving;
- Improved responses to security events and incidents; and
- Competitive advantage over similar organisations.
Approach
Implementation of effective information security within an organisation may require a change in culture: a shift from the perception that “everything is generally permitted unless expressly forbidden” to the view that “everything is generally forbidden unless expressly permitted” (a default-deny stance). However, this has to be balanced against the information requirements for innovation and productivity.
The implementation of an effective information security management system can be demonstrated through certification to ISO 27001:2013 – Information Technology – Security Techniques – Information Security Management Systems. Further information supporting the requirements specification can be found in the ISO 27000 series, particularly:
- ISO 27002 – Code of Practice for Information Security Controls
- ISO 27005 – Information Security Risk Management
How can Cambridge Risk Solutions Help?
Cambridge Risk Solutions provides a range of services to assist with the implementation of Information Security, and have an experienced ISO 27001 Lead Auditor who can assist with readiness for certification to ISO 27001:2013.
View some case studies of recent Information Security projects.
Further information is available in our Downloads section.