31 Jul 2022
With data security breaches, ransomware and other malware attacks increasing, organisations are challenged to decide what level of organisation-wide cyber risk management is appropriate.
When we talk to Board members about how their information security strategy is managed, it is either not on their agenda or is at the bottom of it. Cyber Risk Management is generally seen as an “IT problem” for the IT department to manage. In reality, the management of information risk should be a top-line organisational risk issue.
The role of the Board in the oversight and leadership of Cyber Risk Management is increasingly crucial. As attacks increase, Boards need to decide what level of organisation-wide cyber risk management is appropriate.
Many Board members think they have sufficient assurance as to how the organisation’s business strategy is supported by its information security strategy, but this is rarely the case. Can the following questions be answered?
1) Have we identified our core information assets?
2) Have we understood what our clients, suppliers and regulators require?
3) What is at risk if there is an information security incident?
4) How do we measure our capabilities?
5) Have we tested our response to an incident?
6) Are we protected, and if so, how can we be sure?
7) What is our most important data, and where is it being stored?
8) How do we currently measure Cyber Risk Management?
9) Are we prepared for any incidents? How fast can we get up and running after an incident?
10) How do we demonstrate due diligence when filling out third-party vendor questionnaires?
If you are a Board member who cannot answer these questions, or who says this is handled by the IT department, you are on the wrong track!
If a breach happens and your organisation is not prepared, it will damage the organisation’s reputation, disrupt revenue-generating operations, reduce your sales opportunities, and potentially incur costly regulatory penalties, impacting both existing and future revenue.
It is becoming clear that the organisation's information security strategy needs more structured management.
For Boards looking to improve and understand their information security strategy, implementing a standard such as ISO 27001 is a great starting point. ISO 27001 is the only standard that sets out a specification for an information security management system. It is a globally recognised standard that demonstrates the organisation has identified its risks and managed the relevant ones by implementing organisational controls to minimise the adverse effects of a cyber security breach.
Once an organisation's Board has achieved ISO 27001 compliance, every member of the Board will be able to state confidently that:
1) Appropriate control measures are in place to protect confidential and privileged information.
2) We know what data is important and where our data is stored.
3) We are following international best practice in order to mitigate our risk of cyber-attacks and cyber incidents.
4) We have management processes in place that help us answer due-diligence questionnaires.
So where to from here? When the next Board meeting is set up, have information security as a high priority on the Board agenda. Discuss the organisation's strategy and how adopting the ISO 27001 standard could work for you. If you need a guide on how to get started, have a look here: Cybercraft ISO 27001