The ISO 27001 information security management system provides your organisation with a framework for improving and managing your valuable data.

Cybercrime is a growing problem and will continue to put organisations at risk of a security breach. This could have devastating consequences for employees, customers and business partners.

Many organisations are ISO 9001 certified and see this standard as a basic requirement for doing business and meeting customer expectations for quality and management. Far fewer companies have achieved certification to ISO 27001; however, a data security breach could potentially be just as harmful to your profits and reputation as the quality failure of a product.

Customers expect their data to be protected and if their details get into the hands of cyber criminals, the ensuing adverse publicity and damage caused to reputation, not to mention the cost of fixing the problem, makes the argument for prevention an obvious choice.

One of the latest widely reported breaches involved the Marriott hotel chain. Despite having cybersecurity insurance, the cost is still expected to run into millions over the coming years.
The introduction of GDPR also took data protection to a new level, requiring organisations to comply with the regulations or face large fines.

ISO 27001 provides the framework to mitigate the risks and meet the requirements of the latest regulations.

ISO 27001 benefits
Certification to ISO 27001 that has been audited by a third party, such as a UKAS-accredited Certification Body, will provide reassurance that the management framework and information protection system you have adopted is robust and regularly audited.

This demonstrates to customers your commitment to maintaining an effective system of controls and organisational processes that will keep their data safe.

It will meet regulatory requirements that may be needed by your own industry and any wider obligations such as GDPR.

ISO 27001 certification will also give you a competitive advantage when you are tendering for new contracts, especially if your competitors do not have such a framework in place.

Why ISO 27001 is needed in your organisation
If your organisation relies heavily on data, holds sensitive data that could be exploited by cyber criminals, has competitors with ISO 27001 or a similar certification, or operates in a highly regulated sector, you will need to gain some form of information security certification.

If you are going to go through the process of certification, it makes sense to go to the next step and have your information security system audited by a UKAS registered Certification Body. This will provide an independent and impartial assessment of your framework and processes.

UKAS accreditation has international recognition and will ensure your certification is given maximum credibility when it is issued. Certification bodies accredited by UKAS will have been assessed to provide the competence and impartiality required to provide you with a robust framework for now and into the future.

You can find out more about what UKAS accreditation means for your organisation on their website https://www.ukas.com/about

Alternatively, contact one of our fully qualified lead auditors for more information.
There is a lot of confusion over the new GDPR (General Data Protection Regulation) and there appear to be different interpretations being put forward as to how businesses should comply.

The new regulation reinforces best practices within the DPA (Data Protection Act) and PECR (Privacy and Electronic Communications Regulations) already in force in the UK.

A major factor that has made organisations take more notice of GDPR than of the existing regulations is the significant fines that can be handed out for non-compliance:

Up to €10 million or 2% of annual global turnover of the previous year, whichever is higher. Or, up to €20 million or 4% of annual turnover of the previous year, whichever is higher. *

ISO 27001
Organisations that are already certified to ISO 27001 have a head start to help them comply with GDPR.

Certification will require a robust and auditable Information Security Management System (ISMS). This provides a solid base to meet GDPR.

The route to certification will include the implementation of a range of security and data management processes that are also relevant to GDPR compliance, including:
  • Regulatory and contractual compliance.
  • Risk assessment.
  • Security of systems and data.
  • Reporting of a breach to regulators and individuals affected.
  • Management process and control.
  • Data access control.
  • Encryption of data.
  • Continuous evaluation and improvement.
  • Improved communications to employees and customers.
Benefits of ISO 27001
Compliance with ISO 27001 goes beyond the requirements of GDPR and includes business continuity planning in the event of an incident, improving management processes and increasing profits by:
  • Carrying out risk assessments that will identify where data is held and areas that need to be improved to minimise threats to data security.
  • Giving customers greater confidence, through audits, that their data is being used correctly and is in safe hands.
  • Improving resilience to threats within the organisation and from external sources.
  • Providing effective procedures that will help the organisation to recover following an incident.
  • Improving tendering prospects for new business, particularly in the Public Sector, where compliance with certain standards is mandatory.
Certification provides proof that you have been externally audited to meet the standard and can give you an advantage over your competitors.

Call one of our team on 0121 241 2299 to discuss how ISO 27001 can help you meet your GDPR obligations.

*https://www.eugdpr.org/key-changes.htm
The government is aiming to make the UK “the safest place in the world for young people to go online” (https://www.gov.uk/government/news/government-launches-major-new-drive-on-internet-safety).

This is the latest of a long list of government initiatives put in place recently to combat cybercrime against the general public and businesses.

A recent report from the British Chambers of Commerce found that even though one in five businesses had been attacked in the last year, only 24% had security measures in place.

ISO 27001
The ISO 27001 information security management system provides businesses with a framework to identify, cope with and recover from a cyber-attack.

By implementing a companywide management process and recovery strategy, ISO 27001 goes further than other solutions such as Cyber Essentials to help your organisation combat cybercrime.

Cyber Essentials is a government initiative set up to help businesses protect themselves against cyber criminals. Achieving the badge will help to identify risks to your business and protect your organisation from common cyber threats.

However, Cyber Essentials is not a replacement for ISO 27001, but it can be used to complement your security management system. For example, if you are bidding for government contracts, Cyber Essentials is a mandatory requirement for some ICT products and services.

Achieving ISO 27001 certification gives you a solid foundation and makes getting a Cyber Essentials badge more straightforward.

ISO 27001 rerelease 2017
Though the actual content of the standard has not changed, there has been a recent update to reflect the new EN status.

BS EN ISO 27001:2017 has now been ratified by each of the 34 CEN-CENELEC member countries.

If you already have ISO 27001 certification, this will not change any of your current management systems for the time being. Updates will be published in the future and we will keep you advised if anything changes.
After 4 years of preparation the EU Parliament has finally approved the GDPR. This directive harmonises all the data protection laws across Europe and comes into effect from 25th May 2018. Heavy fines can be expected for non-compliance.

What about Brexit?
If you sell goods or services to other EU members and hold data about individuals in those countries, then you will have to comply with the new regulations. Even if you only sell within the UK, it is expected that our regulations will follow the GDPR to maintain access to the EU digital market. Some adjustments may be made once we leave the EU, but the fundamental guidance is expected to remain.

What are the implications?
Organisations in breach of the regulations can be fined up to a maximum of 4% of annual global turnover or 20 Million Euros (whichever the greater). The regulations apply to both controllers and processors.

If your organisation holds personal information, you will be responsible for:
  • Identifying where the data is held
  • Managing the risks that could lead to a data breach
  • Maintaining and monitoring security
  • Implementing a robust Information Security Management System (ISMS)
Key points
There is an entire website dedicated to the new regulation and a link is provided at the bottom of this article if you need to find out more. For now, we are simply going to focus on what your business can do to help you comply with the new regulation.

The aim of GDPR is to protect all EU citizens from privacy and data breaches. That means “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

Conditions for consent
“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.”

*Taken directly from the GDPR website (link below).

The website provides detailed information about the implications of not collecting or storing data in the correct way, but does not give much guidance on how to go about preventing a data breach.

A good starting point would be to gain ISO 27001 certification. This international management standard provides a framework for your organisation to identify the risks, implement management systems and continually monitor your procedures to minimise the impact of a security breach.

ISO 27001 certification and GDPR
This international standard covers the security and protection of data and how it is used. Loss or damage could be caused by natural disasters such as fire or flood, accidental loss or mismanagement, corrupted or stolen data. The effects of any of these losses can have catastrophic consequences for organisations.

By integrating an Information Security Management System into your organisation, you will manage the risks and minimise the effect of an incident.

This proven framework will provide the management system needed to help you comply with the new GDPR.

GDPR Website: www.eugdpr.org
Further information is also available from:
UK Information Commissioner’s Office ico.org.uk

A 17-year-old from Norwich recently pleaded guilty to seven hacking offences relating to data breaches suffered by the communications giant TalkTalk.

The cyber-attack cost the company £42 million, and it was fined £400,000 for security failings which enabled the teenager to access customers' data "with ease".

These breaches are becoming more frequent and, with this in mind, the government has recently announced a new five-year plan to tackle the problem. The government will put £1.9 billion into a scheme to help fight cyber-crime and develop a world-class cyber security industry and workforce.

Part of the strategy is to ensure organisations have the necessary processes in place to help prevent cyber-attacks.

National Cyber Security Strategy 2016 to 2021
Chancellor of the Exchequer, Philip Hammond said:
“Britain is already an acknowledged global leader in cyber security thanks to our investment of over £860 million in the last Parliament, but we must now keep up with the scale and pace of the threats we face. Our new strategy, underpinned by £1.9 billion of support over 5 years and excellent partnerships with industry and academia, will allow us to take even greater steps to defend ourselves in cyberspace and to strike back when we are attacked.”

Protect your business with ISO 27001
It is not only large corporations that are under attack; small and medium-sized organisations are also being targeted and are reporting a rise in cyber-attacks on their businesses.

One way of ensuring that your management team and employees are working to effective processes for minimising the risk of a cyber breach is to achieve ISO 27001 certification. The standard is internationally recognised and establishes processes for identifying data at risk, assessing threats and putting in place systems, controls and procedures to minimise the risk.

ISO 27001 will provide a strategic plan for your business that will ensure you and your workforce are capable and ready to deal with a cyber threat.

ISO 27001 certification will also demonstrate to your customers that you have implemented controls and procedures that will help to maintain continuity of supply and security of their data. In some cases, it may be a requirement when tendering for business, particularly in the public sector.

Find out more about what is involved in achieving ISO 27001 by talking to one of our experienced advisors.