ISO 27001:2013/17: The Best Defense Against Increased Cyberattacks
A few weeks ago, we discussed some COVID-19 related cybersecurity statistics that illustrate the extent of the increased concern regarding cybersecurity and cyberattacks associated with COVID-19 and remote work. Some of those stats were downright mind-blowing, like global ransomware reports increasing more than seven-fold from 2019 for the first half of 2020 and that the average time to identify and contain a breach is 280 days! We also discussed some recommendations for addressing those increased cyber challenges. One of those recommendations involved embracing the security of cloud-based solutions, with a particular focus on providers that are ISO 27001:2013/17 certified and audited.
ISO 27001:2013/17 Standard
So, what is the ISO 27001:2013/17 standard and why should you care about it?
ISO/IEC 27001 is an international standard on how to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and then revised in 2013 (which is where the “:2013” comes from). It provides detailed requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), and its purpose is to help organizations make the information assets they hold more secure. A European update of the standard was published in 2017 (which is where the “/17” comes from).
ISO 27001 is designed to cover much more than an organization’s IT operations. It requires that the organization:
- Examine the organization’s information security risks methodically, identifying any potential threats, vulnerabilities, and impacts;
- Design and implement a clear and complete suite of information security controls and other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an all-encompassing management process to ensure that the organization’s information security controls continue to meet its information security needs over time.
To be an ISO 27001:2013/17 compliant provider, you must be certified, which entails an audit by an accredited registrar to confirm compliance, usually involving a three-stage external audit process:
- Stage 1: Preliminary, informal review of the ISMS, checking for things like the comprehensiveness of key documentation such as the organization’s information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP).
- Stage 2: More detailed and formal compliance audit, independently testing the ISMS against the requirements identified in ISO/IEC 27001. Auditors look to confirm that the management system has been properly designed and implemented and is currently in operation. Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors and passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.
- Ongoing Reviews: Being certified isn’t the end of the process. Follow-up reviews or audits are conducted to confirm that the organization remains in compliance with the standard. Periodic re-assessment audits are required to confirm that the ISMS continues to operate as specified and intended and those audits should happen at least annually.
As important as it is, ISO 27001:2013/17 isn’t the only standard to which you should expect your cloud provider to adhere. Others include compliance with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which protect personally identifiable information (PII), including personal health information (PHI); compliance with the Health Insurance Portability and Accountability Act (HIPAA), which protects the health information of individuals; and System and Organization Controls Trust Services Criteria (SOC 2®) compliance, an auditing procedure that verifies your cloud service provider securely manages your data.
Is that enough acronyms for you? There’s more. For the defense industry, there’s also compliance with International Traffic in Arms Regulations (ITAR) and National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171/DFARS) to protect information that is sensitive and relevant to the interests of the US.
Cloud providers are not all the same, but those that adhere to standards like ISO 27001:2013/17 and the other standards above have demonstrated a commitment to securing your data that sets them apart from other cloud providers. These are the providers who have taken all of the many steps to ensure data security, so that you don’t have to worry about trying to secure data managed by your remote employees on hardware with varying levels of internet security and malware protection. They are your best defense against the increased cyberattacks we’re seeing in 2020.
For more information regarding Cimplifi’s Certifications & Compliance Initiatives, click here.