Enhance your IT Strategy using ISO 27001

With cyber crime on the rise helping to keep the cost of information security breaches at an historical high, what effective solutions can be brought into play to keep key information assets secure? Rob Acker, a Lead Assessor at LRQA, discusses how the information security management (ISM) standard ISO 27001 provides a solution.

With over 2 billion users on the internet, organisations of all sizes recognise its power, from communicating brand value and helping shape reputation through to simply doing business. However, with opportunity and innovation also comes risk: the risk of unauthorised access to key information systems. The media report such security breaches with ever-increasing regularity.

The 2012 Information Security Breaches Survey, carried out bi-annually by Infosecurity Europe, shows that security breaches remain a significant threat. Of those who responded, 93% of large and 76% of smaller businesses reported having been affected. The incidence of significant hacking attacks has doubled over the last two years and the fall-out can be substantial. Larger organisations put the cost of their worst incident at anywhere between £110,000 and £250,000, and smaller organisations at up to £30,000. Equally significant is the cost to reputation and to the organisation’s capability to return to business as usual.

’10 Steps to Cyber Security’

Helping keep the cost of information security breaches high is the growing threat from cyber crime. Recognising the specific threat that cyber attack poses to business, and in turn to the health of the economy, CESG (the information assurance arm of GCHQ) issued ’10 Steps to Cyber Security’ in September 2012, advising business leaders on how they can improve cyber security and so better protect the information assets within their own organisations.

The central message of the CESG advice is that businesses need to establish an effective information risk management regime, or culture, in which senior management take ownership of information risk by setting policy that is then driven through the organisation and beyond to sub-contractors and trading partners. Importantly, top management then need to stay engaged with cyber risk to ensure that impetus is maintained and that the necessary resources are made available to meet the threat from a dynamic risk environment.

ISO 27001 and 10 Steps

The measures and steps identified by CESG fall within the realm of information security management (ISM). ISM identifies the assets you value, for example personal or customer data and commercial or financial business information, and seeks to protect them. An organisation that implements an information security management system compliant with ISO 27001 has gone through the process of identifying assets, carrying out a vulnerability and threat analysis, determining the level of risk and putting in place controls to minimise, or where possible eradicate, the vulnerability.

We believe there is close alignment between the measures identified by CESG and the ISO 27001 information security management system standard. The 10 Steps give practical advice and a useful first step for companies looking to establish an ISMS. ISO 27001 can then be used by top management to be more selective in their choice and design of control measures, based on the company’s appetite for risk, so strengthening the principle of matching control to risk.

We have carried out an exercise comparing the 10 Steps against some of the requirements within ISO 27001. The results are shown below; each entry gives the step, the corresponding ISO 27001 control clause and the key point.

10 Steps to Cyber Security: Home, mobile working
ISO 27001 control clause:
Key point: It's important to ensure that information is kept secure even when an employee is working from home, at client premises or on the move.

10 Steps to Cyber Security: User Education & Awareness
ISO 27001 control clause:
Key point: All employees and third-party contractors need to be aware of key risks and how to report incidents. This can be achieved through security briefings as part of a new-starter induction programme, followed up regularly throughout their time with the company.

10 Steps to Cyber Security: Incident Management
ISO 27001 control clause: A.13 and A.14
Key point: The ability of any organisation to contain an incident and then return to business as usual as quickly as possible is vital following an information security event. ISO 27001 requires organisations to include information security within their business continuity management process.

10 Steps to Cyber Security: Information Risk Management Regime
ISO 27001 control clause: Section 4.2, A.5 & A.6.1
Key point: Management sets the tone in any organisation. Where top management take information security management seriously, it will help instil a risk-aware culture throughout the company. ISO 27001 is explicit in requiring top management to give their support and clear direction.

10 Steps to Cyber Security: Managing User Privileges
ISO 27001 control clause:
Key point: Users can be a major source of information leakage. Allocating access only on the basis of role will reduce errors and support the responsibilities incumbent on the user to follow good security practices.

10 Steps to Cyber Security: Removable Media Controls
ISO 27001 control clause:
Key point: With the rise in availability of memory sticks and other portable devices, it is critical for organisations to have procedures in place for managing their use, but we should not overlook wider issues such as ensuring safe disposal of media.

10 Steps to Cyber Security:
ISO 27001 control clause:
Key point: Keeping an eye out for unexpected activity makes good business sense. Audit logging of user activities gives valuable evidence in the event of a breach and can help in any future investigation.

10 Steps to Cyber Security: Secure Configuration
ISO 27001 control clause: A.12.4, A.12.5 & A.12.6
Key point: Understanding your systems and controlling changes to them helps to maintain their integrity and ensure that they are appropriately protected.

10 Steps to Cyber Security: Malware Protection
ISO 27001 control clause: A.10.4 &
Key point: Ensuring your systems are patched up to date will reduce the potential for malicious or mobile code to exploit known vulnerabilities.

10 Steps to Cyber Security: Network Security
ISO 27001 control clause: A.10.6 & A.11.4
Key point: Knowing and controlling who has network access and what it is used for reduces the potential for unauthorised access by individuals or devices.

A system approach

A systematic approach to protecting key information assets is a powerful weapon in combating information risk, and while the risk of cyber attack is on the increase, the risk from other sources shouldn’t be forgotten. Breaches of data protection, data loss and fraud are all significant issues that can cause loss of service, increased costs and damage to reputation.

Assessing risk is the foundation on which an ISMS is built. It provides the focus for the implementation of security controls and makes sure that they are applied where they are most needed and are cost effective. The risk assessment helps to answer the question: ‘How much security do we need?’

As part of the risk assessment process, an organisation will not only identify but also place a value on each information asset before determining the response strategy and the controls that should be put in place to manage the risks to it. One of the strengths of ISO 27001 is that it helps organisations establish a proportionate system. Risks that cannot be treated directly can be accepted (with subsequent periodic review and confirmation). Those that can be treated may already have adequate controls or may benefit from third-party services (e.g. holding data in an ISO 27001 certified data centre). This is the value of a management system approach.

The available evidence suggests that the most significant breaches occur where multiple factors combine: people, processes and technology. Being too focused on specific controls runs the risk of not paying sufficient attention to the bigger picture. Developing an information security management system compliant with ISO 27001, however, requires an organisation to take this holistic approach, giving assurance that security issues are being addressed in accordance with currently accepted best practice.

Having the management system externally scrutinised to ISO 27001 by an accredited third party such as LRQA gives organisations an independent and unbiased view of the appropriateness and effectiveness of the system. Importantly, it demonstrates capability to the outside world.

As an ISMS assessor, I often hear our clients talk of ‘preparing for the audit.’ When we certify our clients’ systems, we don’t just give them a certificate; we ask them to commit to an ongoing relationship as part of the certification programme. We visit our clients on average every six months as part of a programme of surveillance. This means they are regularly opening themselves up to external scrutiny. Speaking to some of our clients, I have noticed that this triggers certain behaviours that ensure they are primed and ready for the surveillance visit. The upshot is that this periodic ‘challenge’ keeps them in a state of preparedness.

Advice, such as that given by CESG and the CPNI, can help to make the management system theory real and so provide practical solutions. An effective system, though, provides protection against the known and, more importantly, the unknown threats. It challenges us to look at our own vulnerabilities and ask ourselves whether we have confidence in our controls. In preventing the cyber criminal from logging in, let’s not inadvertently allow them to walk through the door.