Information security breaches costing billions
The 2013 Information Security Breaches Survey, commissioned by the UK Department for Business, Innovation and Skills, found that 93% of large organizations and 87% of small businesses in the UK had suffered an information security breach during the year, and that affected companies experienced roughly 50% more breaches than in the previous year. The total cost to UK businesses runs to billions of pounds and has roughly tripled in a year.
The second edition of ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements, "takes account of past user experiences, improvements in security controls suitable for today's IT environment, namely identity theft, risks related to mobile devices and other online vulnerabilities, and aligns with other management systems", says Prof Edward J. Humphreys*, convenor of ISO/IEC JTC 1 (Joint Technical Committee 1)/SC 27, IT security techniques, WG 1, Information security management systems. "Cyber security is not just an IT challenge, it is critical to the running of any business", he adds.
Giving clients assurances
Humphreys stresses* that "the broad applicability and usefulness of ISO/IEC 27001 provides unlimited business opportunities for managing risks and building customer confidence".
Humphreys quotes Fujitsu Chief Information Security Officer Brendan Smith as saying that "Fujitsu Australia uses ISO/IEC 27001 for internal security management, as well as integrating it with ISO/IEC 20000 [Information technology – Service management] to provide secure services to our managed clients".
Covering a wide domain
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
The Standard sets out requirements for understanding the organization and its context, identifying the needs and expectations of interested parties, and determining the scope of the information security management system.
It likewise specifies requirements, rather than recommendations, for leadership and commitment, the information security policy, and the planning of actions to address risks and opportunities.
ISO/IEC 27001:2013 also addresses support matters such as resources, competence, awareness and communication; operation, including operational planning and control, information security risk assessment and risk treatment; and performance evaluation of the management system.
As Brendan Smith remarked: "A key benefit of using an internationally recognized Standard such as ISO/IEC 27001 is that it gives our clients the assurance that we have implemented security management to a common level".
* ISO Focus November/December 2013