ISO 27001

Anyone with an interest in information security will have encountered ISO 27001, the international standard that describes best practice for an ISMS (information security management system). However, you might not be as familiar with ISO 27002. It’s a supplementary standard that provides advice on how to implement the security controls listed in Annex A of ISO 27001. Although ISO 27001 is the more well-known standard – and the one that organisations certify to – neither can be considered in isolation. This blog explains why that’s the case, helping you understand how each standard works and the differences between them. What

The post ISO 27001 vs. ISO 27002: What’s the difference? appeared first on IT Governance UK Blog.


People are the weakest part of any organisation’s security defences. You can spend months designing flawless processes and investing in state-of-the-art technology, but both only work if the people using them know what they’re doing. That’s why information security policies are among the most crucial elements of an organisation’s defence. They contain a list of instructions for staff to follow in various scenarios and cover a range of topics, such as acceptable passwords and how often to back up data. What do information security policies do? Information security policies are usually the result of risk assessments, in which vulnerabilities

The post What is an information security policy? appeared first on IT Governance UK Blog.


When organisations begin their ISO 27001 certification project, they must prove their compliance with appropriate documentation. That involves documenting your information security risk assessment process. In this blog, we explain how you can do that. Elements of the ISO 27001 risk assessment procedure Clause 6.1.2 of the Standard states that organisations must “define and apply” a risk assessment process. An information security risk assessment is a formal, top management-driven process and sits at the core of an ISO 27001 information security management system (ISMS). There are five simple steps that you should take to conduct a successful risk assessment: Establish a risk

The post How to write an ISO 27001-compliant risk assessment procedure appeared first on IT Governance UK Blog.


Cyber security affects companies of all sizes in all sectors. Moreover, threats are constantly evolving and your legal and regulatory requirements have become major issues – particularly with the introduction of the GDPR (General Data Protection Regulation) and NIS Directive. All of this means that regular communication between management and the board regarding cyber security is more important than ever. It’s only by discussing these issues regularly and in a formal environment that you can protect your sensitive data and company interests. As you have probably seen, failure to do that could result in staggering financial penalties. So how should

The post 12 cyber security questions to ask your CISO appeared first on IT Governance UK Blog.


Documentation is a crucial part of any ISO 27001 implementation project, and one of the most important documents you need to complete is the SoA (Statement of Applicability). In this blog, we explain what an SoA is, why it’s important and how to produce one. What is a Statement of Applicability? An SoA summarises your organisation’s position on each of the 114 information security controls outlined in Annex A of ISO 27001. Clause 6.1.3 of the Standard states an SoA must: Identify which controls an organisation has selected to tackle identified risks; Explain why these have been selected; State whether

The post The importance of the Statement of Applicability in ISO 27001 – with template appeared first on IT Governance UK Blog.


As you start your ISO 27001 implementation project, you probably want to know as much as possible. Some people attend training courses to pick up knowledge of ISO 27001, and others go one step further, hiring an ISO 27001 consultant to guide them through the process. Those are both excellent options for those with the time and budget, but what if you’re looking for a less expensive approach? In those cases, you can never underestimate the influence of a book. Indeed, most information security professionals begin their journeys by picking up a book or two on ISO 27001, because

The post 3 must-read books on ISO 27001 appeared first on IT Governance UK Blog.


Organisations that implement ISO 27001 must write a secure development policy. The requirements for doing this are outlined in Annex A.14 of the Standard: System acquisition, development and maintenance. In this blog, we explain how you can use ISO 27001’s guidelines to create your policy, and take a look at some of the controls you should implement. What is a secure development policy? A secure development policy is a set of rules that help organisations mitigate the risk of security vulnerabilities in development environments – i.e. the workspaces where organisations make changes to software and web applications without affecting the

The post How to create an ISO 27001 secure development policy – with template appeared first on IT Governance UK Blog.


Protecting your organisation against cyber attacks can sometimes feel like a never-ending game of security whack-a-mole. As soon as you’ve secured one weakness, another one appears. This can demoralise any organisation and make it believe that good information security practices are impossible. However, there is a solution – but it requires a different way of thinking. Organisations must stop looking at each individual threat as it arises and instead build defences that are equipped to handle whatever cyber criminals throw at them. Doing that is simpler than it sounds. That’s because, as much as cyber criminals’ tactics evolve, they tend

The post 5 ways to improve your information security in 2021 appeared first on IT Governance UK Blog.


We’re not going to lie: implementing an ISO 27001-compliant ISMS (information security management system) can be a challenge. But as the saying goes, nothing worth having comes easy, and ISO 27001 is definitely worth having. If you’re just getting started with ISO 27001, we’ve compiled this 9-step implementation checklist to help you along the way. Step 1: Assemble an implementation team Your first task is to appoint a project leader to oversee the implementation of the ISMS. They should have a well-rounded knowledge of information security as well as the authority to lead a team and give orders to

The post ISO 27001 checklist: a step-by-step guide to implementation appeared first on IT Governance UK Blog.


Information security policies are essential for tackling organisations’ biggest weakness: their employees. Everything an organisation does to stay secure, from implementing technological defences to physical barriers, is reliant on people using them properly. It only takes one employee opening a phishing email or letting a crook into the premises for you to suffer a data breach. Information security policies are designed to mitigate that risk by helping staff understand their data protection obligations in various scenarios. Organisations can have as many policies as they like, covering anything that’s relevant to their business processes. But to help you get started, here are five policies

The post 5 information security policies your organisation must have appeared first on IT Governance UK Blog.
