FOCUS CYBERSECURITY
SECURE STANDARD
David Goodfellow, UK Business Assurance Manager at TÜV SÜD, advises that adopting the leading security standard ISO/IEC 27001 can help ensure FMs avoid damaging cybersecurity breaches.
The prevalence of cyberattacks and data breaches is making companies increasingly concerned about the protection of data when it comes to the provision of facilities management. For example, organisations with critical infrastructure like airports, public utilities and public authorities must keep data protection at the forefront when engaging building automation services. As the control of a building's facilities becomes smarter, with the increased use of tech such as energy-saving solutions and real-time monitoring, it also creates large amounts of sensitive data. Breaches of such data could compromise security, potentially resulting in significant financial damage and reputational harm.
An effective information security management system (ISMS) can help enterprises of all sizes defend themselves against cyberattacks and other malicious data breaches that could have serious legal or business continuity implications.
ISO/IEC 27001 is the leading international standard for information security management. It provides a practical framework for the development and implementation of an effective ISMS to protect against the root cause of information-security risks. This is achieved by offering a well-established methodology for prioritising assets and risks, evaluating controls and developing remediation plans. Its scope is intended to cover all types of information, regardless of its form, which can include digitised data, documents, drawings, photographs, electronic communications and transmissions, and recordings.
Organisations that achieve ISO/IEC 27001 certification can reduce overall information security risks by protecting themselves against cyberattacks and preventing unwanted access to sensitive or confidential information. ISO/IEC 27001 simplifies compliance with applicable security regulations and requirements, and helps organisations foster an organisation-wide security culture.
BUSINESS BENEFITS
Certification to ISO/IEC 27001 can represent an important step in an organisation's efforts to protect its IT infrastructure, as it strengthens its ability to protect itself against cyberattacks and helps prevent unwanted access to sensitive or confidential information.
Organisations that certify their ISMS to the requirements of ISO/IEC 27001 gain a number of important benefits. For example, an ISO/IEC 27001-certified ISMS can help an organisation meet the legal and regulatory requirements applicable in many countries, as well as customers' contractual requirements.
34 MARCH 2021
ISO/IEC 27001 also provides a formal, systematic approach to information security, as it increases the level of protection of sensitive and confidential information. This can result in a reduction in overall business risk and help to mitigate consequences when breaches actually occur. By protecting information confidentiality and ensuring the integrity of business data and IT systems availability, disruptions to critical processes and the financial losses associated with a security breach are minimised.
Rather than being seen as a cost to the organisation, ISO/IEC 27001 certification can actually lower the total costs of IT security by reducing the risk of security breaches and the costly consequences associated with data breaches, such as financial damage and reputational harm. Likewise, ISO/IEC 27001 certification demonstrates a strong commitment to the security of confidential information and can deliver a significant marketplace advantage, as stakeholders and customers will be confident that you are maintaining the highest information security standards. Furthermore, an increasing number of companies only work with suppliers that have implemented an ISO/IEC 27001-certified ISMS.
STEPS TO CERTIFICATION
Implementing an ISMS according to the requirements of ISO/IEC 27001 and obtaining certification includes a number of specific steps. Of course, not all ISMS implementation efforts are identical, since individual organisations will have unique issues to address, and vary in their degree of system readiness. However, the following steps apply to most organisations, regardless of their industry or level of preparedness:
Obtain management commitment
The successful implementation of any management system, including an ISMS, requires a commitment from leadership at the highest level of the organisation. Without such a commitment, other business priorities will inevitably erode implementation efforts.
Define the information security policy
At this stage, the organisation identifies and defines its information security policy based on the specific goals and objectives that it hopes to achieve. This policy will serve as a framework for future development efforts by establishing a direction and set of principles regarding information security.
Define the scope of the ISMS
With its information security policy in place, the organisation must then identify the specific aspects of information systems security that can be effectively addressed within the scope of its ISMS.
Complete a risk assessment of current information security practices
Applying the most appropriate methodology, the organisation should then conduct a thorough risk assessment to identify the risks that are currently being addressed, as well as system vulnerabilities and threats that require attention.
Identify and implement risk measures and controls
Here, the organisation implements measures and practices to mitigate all of the risks identified in the risk assessment. The results of these measures and practices should then be monitored and modified as required to improve their effectiveness.
ISMS audit
With a tested and proven ISMS in place, the organisation should conduct a certification assessment pre-audit to identify any potential issues that could negatively impact the outcome of the certification audit. Any nonconformities with the requirements of ISO/IEC 27001 can then be addressed and/or corrected.
Finally, an independent certification body should be employed to conduct a formal audit of the organisation's ISMS for compliance with ISO/IEC 27001. A successful audit results in a recommendation for certification, which is then issued by the certification body.
Organisations that achieve ISO/IEC 27001 certification are subject to yearly surveillance audits to confirm continued compliance with the requirements of the standard. A full recertification audit is required every third year following certification.
EFFECTIVE INFORMATION SECURITY MANAGEMENT
An information security management system (ISMS) is a critical element in the effort to control or mitigate the risk associated with cyberattacks against digitised data. ISO/IEC 27001 provides a formal framework for the implementation and maintenance of an effective ISMS, proving that an organisation has identified the risks, assessed the consequences and put in place effective controls that will minimise any damage from a cyberattack. Not only does ISO/IEC 27001 give organisations confidence that information is protected, it is also compatible with other management systems standards, which simplifies the auditing process for organisations certified to multiple management systems standards.