According to a recent survey conducted by the NCSA (National Cyber Security Alliance), 70 percent of small businesses claim to not have any formal Internet security policies, causing huge risks toward company safety.
As a person in charge of information security within a business or organisation, it is important to understand risk management standards and procedures. Compliance with the ISO/IEC 27001 code of practice is essential to ensure integrity, confidentiality and availability of your business data.
Svana Helen Bjornsdottir, ISO/IEC 27001 Lead Auditor and CEO of Stiki Information Security, defines the desired scope of your ISMS (Information Security Management System) implementation for the ISO/IEC 27001 security standards.
Bjornsdottir believes that discussing with your co-workers at all levels and performing information security profiling within your organisation is the best way to start risk management.
“Always check the ISO/IEC 27005, a sub section of the 2700x standard series, before deciding your risk assessment approach,” Bjornsdottir said.
Once determined, carry out these risk assessments exercises within the scope of your ISMS – ranging from people, buildings, and everything else. These assessments should involve identifying relevant threats towards these assets, the impact of a threat and the probability of a particular threat becoming a reality.
“A ‘Risk’ can be defined as the interrelationship between an ‘Asset’ and a ‘Threat’. Suggest controls from ISO/IEC 27001 that prevent these identified risks. Guidelines on the implementation of these controls are in ISO/IEC 27002. You may need to define your own specific controls…The most important report you will see is the SOA report or the Statement of Applicability, which will display the necessary security risk information” Bjornsdottir explains.
“It is important to make employees’ aware of information security in every department of your company by holding training courses to help your employees evolve.”
Risk Assessment is just the first of three stages needed to fully implement ISO/IEC 27001. The other two are ‘Business Continuity Planning’ and the ‘Development of an Organisational Manual’, such as procedures, processes and policies. For more information on Stiki and how they can help you visit www.riskmanagementstudio.com