Category Archives: iso 27001

Law firms report increase in staff-related security incidents

Staff can jeopardise a firm’s security with a single moment of carelessness. 2018 saw a significant rise in the number of law firms reporting security incidents concerning their own staff, up from 33% in 2017 to 46% in 2018 according to research by PwC. These incidents included the loss or leakage of confidential information, highlighting the need for better information security management within the legal sector.

Look closer to home – insider threats

Law firms may regard external cyber criminals as the key threat and be tempted to focus their resources on protecting against them, but it is also imperative to look closer to home.

Staff pose one of the biggest security threats, so firms should ensure that their employees receive appropriate training to prevent them from making mistakes. Learning to recognise phishing emails is essential; while technology plays an important role, no spam filter is 100% effective, meaning your staff are the last line of defence.

Staff need to know how to respond if they mistakenly click a link in an email, including who to notify to escalate the issue and minimise the firm’s exposure. Combining this with a device-level backup process that prevents the spread of malware will ensure your firm has robust cyber resilience.

Get your firm on track with staff awareness training

Educate your employees on information security and cyber security with staff awareness training, which will teach them the basics of data security and how to deal with threats. Interactive e-learning courses are a cost-effective way to educate staff on key issues in a structured manner.

Train your team with e-learning from IT Governance

We offer e-learning courses on cyber security, the GDPR (General Data Protection Regulation), appropriate use of Cc and Bcc in emails, secure social media use and how to spot phishing scams. These can be purchased off-the-shelf or customised to offer bespoke e-learning solutions to larger firms.

To find out more about our staff training solutions for the legal sector, complete an enquiry form to contact our experts or call our team on +44 (0)333 800 7000 to discuss your firm’s requirements.

The post Law firms report increase in staff-related security incidents appeared first on IT Governance Blog.

How to create an ISO 27001-compliant risk treatment plan

An RTP (risk treatment plan) is an essential part of an organisation’s ISO 27001 implementation process, as it documents the way your organisation will respond to identified threats.

It’s one of the mandatory documents you must complete as part of your ISO 27001 implementation project, and forms the final stage of the risk assessment process.

What are your risk treatment options?

Once you’ve completed your risk assessment and defined your risk appetite, you’ll be left with a list of ‘unacceptable’ threats that need to be addressed.

ISO 27001 recommends that organisations take one of four actions:

  • Modify the risk by implementing a control to reduce the likelihood of it occurring. For example, you might address the risk of a work-issued laptop being stolen by creating a policy that instructs employees to keep devices with them and to store them safely.
  • Avoid the risk by ceasing any activity that creates it. This response is appropriate if the risk is too big to manage with a security control. For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them outside the premises. This option will make things less convenient for your employees but will drastically improve your security posture.
  • Share the risk with a third party. There are two ways you can do this: by outsourcing the security efforts to another organisation or by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster. Neither option is ideal, because you are ultimately responsible for your organisation’s security, but they might be the best solutions if you lack the resources to tackle the risk.
  • Retain the risk. This option means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.

Selecting appropriate controls

The most common risk treatment option is to modify the risk, because it typically offers the best combination of security and cost.

Organisations can determine the best way to modify a risk by looking at the controls listed in Annex A of ISO 27001. It lists 114 controls, which are split into 14 sections (or ‘control sets’), each one tailored to a specific aspect of information security:

  • Information security policies: how policies are written and reviewed.
  • Organisation of information security: the assignment of responsibilities for specific tasks.
  • Human resource security: ensuring that employees understand their responsibilities prior to employment and once they’ve left or changed roles.
  • Asset management: identifying information assets and defining appropriate protection responsibilities.
  • Access control: ensuring that employees can only view information that’s relevant to their job role.
  • Cryptography: the encryption and key management of sensitive information.
  • Physical and environmental security: securing the organisation’s premises and equipment.
  • Operations security: ensuring that information processing facilities are secure.
  • Communications security: how to protect information in networks.
  • System acquisition, development and maintenance: ensuring that information security is a central part of the organisation’s systems.
  • Supplier relationships: the agreements to include in contracts with third parties, and how to measure whether those agreements are being kept.
  • Information security incident management: how to report disruptions and breaches, and who is responsible for certain activities.
  • Information security aspects of business continuity management: how to address business disruptions.
  • Compliance: how to identify the laws and regulations that apply to your organisation.

Deciding which control to use is relatively straightforward. The ISO 27001 implementation team should meet with a senior employee from the relevant department to agree on the appropriate control.

For example, communications security issues should be discussed with IT, staff awareness issues with HR, and supplier relations with whichever department the third party is working with.

As with all major security decisions, you should run your decisions past senior management.

Once you’ve finalised which controls you should use, you should refer to ISO 27002 to learn more about implementing them.
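The procedure above (score each risk, compare it with the risk appetite, choose one of the four treatment options, and for “modify” name the Annex A control set the control comes from) can be captured in a short script that checks an RTP for completeness. The following is an added example, not the toolkit template or any code from IT Governance; the 1–5 likelihood and impact scales, the appetite threshold of 6, the sample risks and the treatment decisions are constructed assumptions, and the Annex A references are the 14 ISO 27001:2013 control sets listed above.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    MODIFY = "modify"  # apply a control to reduce likelihood and/or impact
    AVOID = "avoid"    # stop the activity that creates the risk
    SHARE = "share"    # outsource the effort or insure against the loss
    RETAIN = "retain"  # accept the risk, with explicit management sign-off


# The 14 Annex A control sets of ISO 27001:2013 (A.5 to A.18).
ANNEX_A_CONTROL_SETS = {
    "A.5": "Information security policies",
    "A.6": "Organisation of information security",
    "A.7": "Human resource security",
    "A.8": "Asset management",
    "A.9": "Access control",
    "A.10": "Cryptography",
    "A.11": "Physical and environmental security",
    "A.12": "Operations security",
    "A.13": "Communications security",
    "A.14": "System acquisition, development and maintenance",
    "A.15": "Supplier relationships",
    "A.16": "Information security incident management",
    "A.17": "Information security aspects of business continuity management",
    "A.18": "Compliance",
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int  # constructed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # constructed scale: 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class TreatmentDecision:
    risk_id: str
    option: Treatment
    owner: str                              # department agreeing the control
    control_set: Optional[str] = None       # Annex A reference, required for MODIFY
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    approved_by: Optional[str] = None       # required when retaining a risk above appetite


def unacceptable_risks(risks, appetite):
    """Risks scoring above the appetite are the ones the RTP must cover."""
    return [r for r in risks if r.score > appetite]


def residual_score(risk, decision):
    """Score after treatment; avoiding the risk removes it entirely."""
    if decision.option is Treatment.AVOID:
        return 0
    lik = decision.residual_likelihood if decision.residual_likelihood is not None else risk.likelihood
    imp = decision.residual_impact if decision.residual_impact is not None else risk.impact
    return lik * imp


def validate_rtp(risks, decisions, appetite):
    """Return a list of problems; an empty list means every unacceptable risk is treated."""
    by_id = {d.risk_id: d for d in decisions}
    issues = []
    for risk in unacceptable_risks(risks, appetite):
        d = by_id.get(risk.risk_id)
        if d is None:
            issues.append(f"{risk.risk_id}: score {risk.score} exceeds appetite {appetite} but has no treatment")
            continue
        if d.option is Treatment.MODIFY and d.control_set not in ANNEX_A_CONTROL_SETS:
            issues.append(f"{risk.risk_id}: MODIFY must cite an Annex A control set, got {d.control_set!r}")
        if d.option is Treatment.RETAIN and not d.approved_by:
            issues.append(f"{risk.risk_id}: retaining a risk above appetite needs senior management sign-off")
        if d.option is not Treatment.RETAIN and residual_score(risk, d) > appetite:
            issues.append(f"{risk.risk_id}: residual score {residual_score(risk, d)} still exceeds appetite")
    return issues


def build_rtp(risks, decisions, appetite):
    """RTP rows, highest scoring risk first; refuses to build an incomplete plan."""
    issues = validate_rtp(risks, decisions, appetite)
    if issues:
        raise ValueError("; ".join(issues))
    by_id = {d.risk_id: d for d in decisions}
    rows = []
    for risk in unacceptable_risks(risks, appetite):
        d = by_id[risk.risk_id]
        rows.append({
            "risk_id": risk.risk_id, "description": risk.description, "score": risk.score,
            "treatment": d.option.value,
            "control_set": ANNEX_A_CONTROL_SETS.get(d.control_set, "-"),
            "owner": d.owner, "residual_score": residual_score(risk, d),
        })
    return sorted(rows, key=lambda r: -r["score"])


# Constructed sample register and decisions (not from the post or the toolkit).
APPETITE = 6  # scores of 6 or below are accepted without treatment
RISKS = [
    Risk("R1", "Work-issued laptop stolen off-site", 4, 4),
    Risk("R2", "Phishing email leads to credential theft", 4, 5),
    Risk("R3", "Visitor reads a printed file left on a desk", 2, 2),
    Risk("R4", "Cloud file-sharing supplier suffers a breach", 2, 5),
]
DECISIONS = [
    TreatmentDecision("R1", Treatment.MODIFY, "IT", "A.10", residual_likelihood=3, residual_impact=2),
    TreatmentDecision("R2", Treatment.MODIFY, "HR", "A.7", residual_likelihood=2, residual_impact=3),
    TreatmentDecision("R4", Treatment.SHARE, "Procurement", residual_impact=3),
]

if __name__ == "__main__":
    for row in build_rtp(RISKS, DECISIONS, APPETITE):
        print(row)
```

R3 scores 4, within the appetite, so it never reaches the plan; the other three must each carry a treatment whose residual score is back within appetite, and the validator refuses a “modify” entry that does not name an Annex A control set or a “retain” entry without the sign-off the post asks for from senior management.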

Before you begin

It’s worth remembering that your RTP must be appropriate to your organisation. Implementing controls takes time, effort and money, so you need to pick your battles carefully.

You almost certainly won’t have the resources to apply controls to every risk, even if they are small controls, such as a new process or policy.

Even a new policy requires a team of people to write and approve it, generate awareness among employees and ensure that the rules are being followed and working as intended.

That’s not to say you should abandon a control if you think that it will be expensive to implement and maintain. However, you should constantly assess whether there’s a less expensive control that could generate similar results.

Help with creating your risk treatment plan

Below is an example of what a risk-based RTP might look like, extracted from our bestselling ISO 27001 ISMS Documentation Toolkit. The toolkit also contains an asset-based RTP template.

[Image: Risk Treatment Plan (RTP) example template. Caption: Example of the risk treatment plan template included in the ISO 27001 ISMS Documentation Toolkit]

Developed by expert ISO 27001 practitioners and used by more than 2,000 clients worldwide, the toolkit includes:

  • A complete set of mandatory and supporting documentation templates that are easy to use, customisable and fully ISO 27001-compliant;
  • Helpful gap analysis and project tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.

Learn more >>

The post How to create an ISO 27001-compliant risk treatment plan appeared first on IT Governance Blog.

ISO 27001 Lead Implementer, Lead Auditor and Internal Auditor – what’s the difference?

A version of this blog was originally published on 25 June 2018.

Anyone interested in getting into or advancing their career in cyber security probably knows that they will need training and qualifications. But given that the field is so broad, how are you supposed to decide which course is right for you?

This blog will help you make that decision. We take three of our most popular training courses – ISO27001 Certified ISMS Internal Auditor, ISO27001 Certified ISMS Lead Auditor and ISO27001 Certified ISMS Lead Implementer – and explain what they cover and who they are suitable for.

ISO 27001 Certified ISMS Lead Implementer

A lead implementer takes charge of an organisation’s ISO 27001 compliance project. They are responsible for the big decisions, such as setting out the ISMS’s scope, and for ensuring the Standard’s requirements have been addressed.

What you learn: The nine key steps involved in planning, implementing and maintaining an ISO 27001-compliant ISMS.

Who it’s for: This course should be attended by the person responsible for ISO 27001 compliance (typically the CISO) and the person leading the project (this might be the same person). You’ll need a solid understanding of ISO 27001’s risk assessment process, and should have already taken a foundation-level ISO 27001 course.

Length: Three days

ISO 27001 Certified ISMS Lead Auditor

A lead auditor can work internally or audit a second or third party’s ISMS. Their expertise is usually required when the organisation is seeking ISO 27001 certification, or if a partner organisation requests a supply chain audit.

What you learn: The first half of the course teaches you about auditing in general, and the second half covers best-practice advice for how to audit an ISMS.

Who it’s for: Anyone who wants the responsibility for implementing and maintaining their organisation’s ISMS. It’s also suitable for those who want to work for a specific auditing organisation, such as the BSI.

Length: Four and a half days

ISO 27001 Certified ISMS Internal Auditor

An internal auditor assesses the effectiveness of the organisation’s ISMS (information security management system) and whether it meets the requirements of ISO 27001, reporting their findings to senior management.

What you learn: The course begins with an introduction to ISO 27001 and how auditing fits into the compliance process, before explaining how to plan for and execute an internal audit.

Who it’s for: It’s ideal for compliance managers, but it’s obviously suitable for anyone interested in conducting internal audits. You should have a decent understanding of ISO 27001, but your main strengths should be in policy reviews.

Length: Two days

What are the differences between these courses?

Even though each of these courses covers similar areas, they are geared towards specific job roles. Take the internal and lead auditor courses as an example.

An internal auditor could be an employee within the organisation (hence ‘internal’), but they ideally wouldn’t have played a major role in the ISMS’s implementation. Otherwise they are being asked to find faults in their own work, which they might be reluctant to do.

Meanwhile, a lead auditor will have the specialist knowledge required to conduct second- or third-party audits. Although the tasks involved in these two roles are similar, the day-to-day work is very different. Whereas an internal auditor only has to be familiar with their organisation’s ISMS, a lead auditor that works for an auditing company deals with many organisations and interacts with even more people.

Then we come to the lead implementer course, which teaches you how to fulfil a completely different job role. Lead implementers are the heart of the team that puts the ISMS together. As with auditors, they need a strong understanding of ISO 27001’s compliance requirements, but their job focuses on how to meet those requirements, as opposed to reviewing whether they have been implemented correctly.

Of course, consultants will need to be implementation and auditing experts. They should therefore consider our ISO27001 Lead Implementer and Lead Auditor Combination Course, which covers everything you’d learn on each course separately. You’ll move straight from one topic to the other, helping you solidify your knowledge and understand how the two roles interact.

Interested in other ISO 27001 training courses?

These courses are just the beginning when it comes to ISO 27001 training, so if you’re not sure which course is right for you, why not take a look at IT Governance’s full range of training options?

With a variety of courses available in classroom, Live Online and distance learning format, we have you covered, whether you’re an information security beginner or looking for the right qualification to boost your career.

Find out more about our ISO 27001 training courses >>

The post ISO 27001 Lead Implementer, Lead Auditor and Internal Auditor – what’s the difference? appeared first on IT Governance Blog.