Let's assume that the standard states that backups must be done every 24 hours. Do you think this is the right way to go? This might be the right measure, but many companies will find it inadequate: their data changes so quickly that backups are required, if not immediately, then at least every hour. Other companies, however, will find a once-a-day backup more than they need: their data changes so slowly that it does not have to be protected that often.
It's important to realize that this prescriptive approach cannot be used if the standard is meant to fit all types of companies. It is therefore impossible for the standard to decide not only the backup frequency but also which technology should be used and how each device should be configured.
This Is The Central Idea Behind ISO 27001
You might wonder why you would need a "standard" that doesn't provide concrete instructions.
ISO 27001 certification offers a framework that allows you to choose the protection that fits you best. Just as you cannot copy another company's marketing strategy, you cannot copy its information security; you must tailor it to suit your own needs.
ISO 27001 says that you must perform a risk assessment, and then treat the risks. This is nothing more than a systematic overview of the potential dangers that you face (assessing the risk), and then deciding on the best safeguards to protect yourself from those negative consequences (treating the risk).
This is the whole point of this article: you should only put in place the controls that the risks require, not simply the ones you like.
IT Alone Does Not Suffice
If you work in IT, you probably realize that the majority of incidents don't happen because computers crash, but because people from the business side are using the information systems incorrectly.
Such misuse cannot be prevented by technical safeguards alone. It also requires clear policies, procedures and training. Real-life experience has shown that the greater the number of safeguards used, the higher the level of security.
If you consider that not all sensitive data is in digital form (you most likely still have paper documents with confidential information), then the conclusion is IT safeguards are inadequate and that the IT department, while very important in an information security program, can't manage this kind of project by itself.
Getting Top Management Aboard
ISO 27001 doesn't stop at the implementation and monitoring of various safeguards. Its creators understood well that IT professionals, as well as employees in other positions, won't be able to achieve great things if top management doesn't act.
A new policy may be proposed to protect confidential documents. But if the top management does not enforce this policy with all employees (and they don't comply), it will never gain ground in your company.
ISO 27001 offers a systematic checklist of what top management must do:
- Set your business goals (objectives) for information security
- Publish a policy that states how those expectations will be met
- Designate the main responsibilities for information security
- Provide enough money and resources
- Recheck regularly to see whether all your expectations have been met
You Must Not Allow Your System To Become Unreliable
If you have worked in a company for a while, you are probably familiar with how new initiatives and projects are run. At first they look shiny and everyone does their best to make things work. As time passes, however, the enthusiasm for the project starts to fade.
One example is a classification policy that was good at first but has become obsolete because of technology changes, organizational changes, or changes in personnel. People are unlikely to keep adhering to an obsolete document, and this weakens security.
ISO 27001 lists several ways to prevent this, and uses those same methods to improve security over time. They include monitoring and measurement, internal audit, corrective actions, and others.
ISO 27001 should not be dismissed. While it may appear vague at first, this framework can help you resolve many security problems within your business. It can also make your job easier and earn you more respect from top management.