ISO27001 – Information Management is more than just IT systems
When organisations start thinking about information management and the security of that information, they automatically look towards their IT, and typically the CIO or IT Manager gets the call and is told to 'secure it', because it's that simple, right? Wrong! And wrong in a number of ways.
Information is all around
Firstly, it's important not to think of ISO27001 as an IT requirement. There are certainly IT elements in there, but it isn't exclusively about IT. As we mentioned in our initial post on ISO27001, the organisation needs to understand what information really is, especially within its own organisational context but also within the world at large today. Consider your last operations meeting, for example. Did your team bring a printed set of minutes? What about reports? Did they take notes in a notebook they carry around with them? You probably projected information onto a large screen, and maybe you even wrote things on the whiteboard. Now, when you left that meeting you will have switched off the projector, and the PC used will either have been switched off or, hopefully, gone into sleep mode and will need a password to log back in. Great, all your information is secure, right? Wrong. How many copies of the agenda were left on the table? Did you wipe off the whiteboard? Worse still, does your whiteboard face a window that isn't screened? Did everyone take their notes with them, or when you return to your office are they just left on your desk?
You see, information is device agnostic: it'll be in the printouts you have, the reports you read, the whiteboards you write on, the charts you put up on the wall and the notebooks you use. None of those things would be remotely covered by the IT department. When Bob accidentally leaves his phone, laptop or tablet in the back of a taxi, IT can geolocate it with the software they have installed and most probably wipe it if needed. If Bob leaves his handwritten notebook or board papers behind, however, well, that's a whole other issue.
Also think about what's sitting on your desk. Is it a clean desk, or are there mountains of paperwork, charts, finance reports, proposals and notebooks there? It's on your desk, so it's safe. It possibly is, except that you may have cleaners pop in to clean your office. Should they see this? What if they take it with them? What if an employee sees something that they shouldn't and shares it with a friend at the pub, and your next big thing is suddenly, well, not so big?
Information is information: it's on paper, it's on smart devices and dumb devices, chalkboards, whiteboards, charts and notice boards. It really is all around us, so your Information Security policy needs to consider all of it, not just the clever IT stuff. There are various ways to do this, and we'll cover them in some of our upcoming posts.
Information is about more than things
Don't forget that when it comes to information, the information you hold on your people is also critical. Many countries have privacy laws that would prohibit the release of personal information, but what if it were stolen? Or just inadvertently made public? Things like personal addresses, emails, bank accounts and other HR-related information such as performance, pay levels, disciplinary records and so forth need to be thought of as well. There is also information in people's heads, those key scraps of institutional knowledge that only certain people know and that keep things ticking along. These, and many more things, must be considered as part of the process.
The Value of the Information
From a market value point of view, what would happen to your organisation's overall value, or its share price, if that information were to be made public or acquired by someone who shouldn't have it? Would your ability to raise cash be impacted, or the ability to pay your staff?
Summary
ISO27001 doesn't distinguish between information stored electronically and information stored physically; it's all information. Equally, it doesn't care what that information is about: it could be people, products, processes or systems. The standard only cares that you have decided what your information is and what controls are in place to manage that information and its availability.
Next we are going to talk about some principles that underpin the ISO27001 standard and that will help you on your way to thinking about things a little differently.
Copyright
© Many Capos Consulting | All Rights Reserved