ISO 27001 information security management system

IMSM will help you to install a working ISMS (Information Security Management System), pass the audit, and become registered and secure.



Management / Staff questions


ISO 27001 – Your Involvement, whatever job you do

Top Management

The legal situation regarding corporate governance in the UK, USA, Canada, Europe and the Far East requires you to look at ways to protect the Confidentiality, Integrity and Availability of information in your organization. The most comprehensive system for doing this is to install an Information Security Management System to ISO/IEC 27001:2005.


Finance

The security of financial data is paramount in any organization, but IT systems create vulnerabilities. ISO 27001 is the way to “close the doors” on those vulnerabilities.


IT

The users create the vulnerabilities and problems. ISO 27001 gives you control of the users, which is the only route to a truly secure and reliable system. If you attend any information security exhibition you will see a large amount of security hardware and software that you can buy to help improve security. However, covering the issue in this ad-hoc way is not the most economical or reliable method. ISO 27001 starts with the information assets, moves on to the risks, and from those derives a management policy on information security. Armed with this solid base, the security controls can be designed and put in place. They are usually a combination of free (e.g. user instructions on procedures to follow), low-tech and inexpensive (e.g. locks on doors) and sometimes high-tech (e.g. encryption) measures that together achieve the objective: the level of security required to meet company policy, no more and no less.


HR

Control of the IT system users starts in the HR Department with Recruitment Policies, Security Checks, References, Contracts of Employment, Job Descriptions etc.

Companies' most significant threat to the integrity of their technology systems is not hackers and other outsiders trying to steal information; it is the employees. According to a recent article in the Wall Street Journal, this is what keeps the IT experts in companies awake at night, whether it is stealing trade secrets or something as seemingly careless as sending confidential information through unencrypted email. The article notes that about 29% of security incidents originated from in-office employees or remote employees. Some of the more typical practices observed include leaving open email unattended, sending confidential information over insecure servers, keeping passwords on post-it notes nearby, and so on.

Many organizations attempt to minimize these threats by asking their IT departments to draft comprehensive policies. However, without coordinating these efforts with human resources, there is often a lack of focus on training and reinforcement. When the information technology department and the human resources department work together on an important issue such as this, organizations can significantly reduce their risks.

Sales

Security of customer service is vital to long-term customer relationships. Being able to prove it also opens doors to new business. Security of customer information, where you have access to it, is another strong motivation to engage with ISO 27001, and increasingly customers (particularly large ones) are demanding it. However, it can take 3 to 6 months to become compliant; do you really want to wait that long before you can start supplying?


Line Management

All your staff need to be clear about their responsibility for information security. It's part of their job!


Staff

You need to be clear about operating procedures. You do not want to be blamed for something that is not your fault or disrupted from doing your job by something which could have been prevented.


Shareholders

Intellectual property is a key asset of the company, sometimes the most valuable asset even though it does not appear on the balance sheet. Intellectual property is also impossible to insure. You need to ensure your investment is protected with ISO 27001.


