The ISO 27001 Information Security Management System (ISMS) has rapidly increased in popularity in the last few years. The primary driver is, of course, concerns about the security of digitally stored data.
But with ISO 27001, it’s not just about online hacks; the system encompasses all information in whatever format it’s held. And as well as the tech stuff, as auditors we also need to consider the approach of management to building, supporting and maintaining the entire system.
So, in this list of nonconformities that our Auditors uncover, I’ve selected those that regularly crop up and which, truth be told, are relatively easy fixes for you.
1. Lack of senior management commitment
As with all ISO management systems, everything starts from the top. One of the key requirements of ISO 27001 is that top management must be able to demonstrate their commitment to, and support for, the ISMS. Too often, auditors find not only a lack of involvement but a lack of awareness from top management. Whilst the technical tasks in running your ISO 27001 system can be delegated, the overall responsibility cannot.
2. Inadequate security controls for third-party providers
You must ensure that any third-party providers that have access to sensitive information are also adhering to appropriate security controls. In effect, they must be working to the same standards as you as a minimum (in fact, outsourcing is often done because a supplier can do things better than you can) - and you have to be able to prove that to the auditor. Show how you select them, manage them and monitor them.
3. Inadequate physical security
ISO 27001 is not just about software (or, indeed, cyber security). So you must also take into account physical security risks such as unauthorised access to your premises. All too often businesses forget the simple things like regularly changing access codes, clearing desks at the end of the day, locking sensitive paperwork away - don’t fail on such basics.
4. Lack of regular security testing
It’s all very well having plans to tackle security risks, but you need to test that they will actually work. Do it regularly, identify areas for improvement, and implement the changes. ‘Continuous improvement’ is at the heart of all ISO management systems. Develop a schedule, stick to it, write it all down and show it to the auditor. You need to provide the evidence.
5. Not maintaining and updating business continuity plan
Sometimes, things just go wrong, despite all your planning and testing. You can’t foresee every eventuality. So you must have a plan in place for how to continue operations in the event of something going wrong - we’re not just talking floods, fires and catastrophic data losses - even just modest disruptions like key staff being off sick. You need to have a plan and regularly test it. To take this to the next level, you may want to consider implementing the ISO 22301 Business Continuity Management System.
6. Inadequate monitoring of privileged access
Access to sensitive information and systems should be granted only to authorised personnel, and the activity of these privileged users should be closely monitored to prevent unauthorised access or misuse. Nonconformities in this area often arise from a lack of procedures for managing user access. Pay particular attention to staff moving departments or leaving the business or access given to third parties like temporary staff, agency workers and suppliers.
7. Failure to conduct regular risk assessments
You’re required to regularly assess the risks to information assets and implement controls to mitigate those risks. Without regular risk assessments, you may not be aware of new or emerging threats, or may not have sufficient controls in place to protect against those threats. You need to establish a schedule - and stick to it.
8. Inadequate monitoring of mobile devices (including laptops)
This is a bit of an old chestnut. How often do we hear about laptops left on trains? The use of mobile devices has become increasingly common especially with the move toward working from home. There are also the risks from staff using their work devices for personal use, visiting websites they shouldn’t do, downloading who-knows-what. You must have appropriate security controls in place to protect against all the risks presented by this.
9. Failure to comply with legal and regulatory requirements
This is a bit of a catch-all. While the auditor looks for compliance with your own ISMS, by definition it also means you must be compliant with legal and regulatory requirements within the territories you operate. Failing to do so can not only result in nonconformities, if you’re caught out by the authorities it can result in fines and penalties .Keeping up with regulations can be difficult - but it’s your responsibility to do so.
10. Inadequate security training
Employees may be your greatest assets, but they are often the weakest link in an organisation's information security defences - normally just through innocent mistakes. To mitigate this risk, it’s essential to provide employees with regular security training to help them understand the importance of information security and their role in protecting the organisation's assets. This area is at higher risk as budgets are tightened.
What you can see here is that ISO 27001 is not just about cyber security - it’s a management system that’s as much about your approach to security and people.
If you are ready to start your certification journey, ISOQAR can give you a free no obligation quote.