Applying Information Security Management to Your Business (ISO27001:2013)

You think it’s all about data, well you would be forgiven for thinking that but the truth is it’s about INFORMATION.

In todays digital age and with the introduction of GDPR we have developed thought processes that revolve around the electronic storage of data and how to control the access to it and the transmission of data without loss or impairment.

ISO27001:2013 has a significant proportion of its controls geared to data electronic storage and access yet the often forgotten aspect of this standard is that it is an information security management system.

Information the definition:

information: Things that are or can be known about a given topic; communicable knowledge of something.
information: The act of informing or imparting knowledge “notification”.
information: A statement of criminal activity brought before a judge or magistrate
information: The systematic imparting of knowledge; education, training.
information: The creation of form; the imparting of a given quality or characteristic; forming, animation.
information: Any unambiguous abstract data, the smallest possible unit being the bit.
information: A hand written note or collection of notes in a book.
information: A text.
information: An email.
information: Word of mouth.
information: A photograph

The list above is only a small representation of the subject information, the list could literally go on for ever so lets sum it up:

Information is anything that can be used to transmit knowledge to another party

OK so let’s make up a little story about the security of information.

Fran works for an electronics manufacturing firm, they produce high value components for the Avionics industry, they are ISO27001 certified.

Guy is the Sales director of the same firm.

One day Fran sees Guy writing in his red book, Guy explains he has had this book for years whilst working for multiple businesses and it contains all his industry contacts and he protects it with his life as it is so valuable he doesn’t keep information in his phone or laptop as he has to hand those back if he leaves. He tells her it has contact details, information on hobbies and interests, the name of significant others and relevant notes together with the order history of each firm. When leaving work at the usual time of 6pm Guy gives Fran a lift home, when he gets into the car he places his red book in the glove box, on the way home they call at the supermarket, Guy explains he always stops to buy a bottle of wine. He parks his car at the far end of the car park as he doesn’t like to get door dings and its quieter there.

Later that week Fran is talking to her friend who knows where she works (Information), Fran tells her the story about the red book and and the journey home as she is concerned about the implications of GDPR surrounding the book (Information), the friend tells her other half in conversation over dinner (Information). The other half who works for a similar business tells his boss the story as its such a stupid thing to do (Information). The boss engages the services of a criminal to watch Guy and report back with detail of his movements and photos of his car (Information). The criminal is then employed to break into the car and steal the red book which he passes to the boss (Information) for an agreed sum.

Clearly we have a story about industrial espionage, the question we have to raise is the security of information in a world where we are dealing with human beings. The loss of information in this case was due to an innocent chat between friends resulting in escalation to criminal action. The red book is obviously of great value, the ISO27001 management system of the firm is focused on electronic data and nobody was aware of the books existence, lets assume they didn’t ask and nothing was ventured. Guy sat in all the IS27001 planning meetings and it didn’t occur to him that his book was an information asset it was merely his red book that he’d had for years. Also we have the subject of the previous employers intellectual wrights that have been held by Guy and used for his own benefit. Maybe this exact scenario hasn’t played out in the real world, or has it?

When planning your information security management system you must consider all forms of information, these are termed as information assets and you must have a register of all information assets and have controls on how these are stored and whom they are accessed by.

ISO27001:2013 not only comprises of the 10 clause structure it has an Annex, “Annex A” this annex has 144 control requirements; which includes the control of information assets ZEBSOFT has the statement of applicability for these 144 controls built into its functionality to make the management of these 144 controls simple and effective.