The creators of isology®

isology® is a world-leading proven step by step roadmap to achieve ISO certification.

Implemented for over 600 organisations with a 100% success rate, we take you from the planning and creation of your bespoke ISO System through to certification with our 7 step process.

ISO 27002 was recently updated this year – along with a reduction of overall controls, 11 completely new ones were added to keep up with new and emerging technology.

One of the new controls added under the Physical category is something called physical security monitoring. But what does this mean exactly?

Steve Mason joins us again today to delve deeper into physical security monitoring to explain what it is and give examples of different types of security and monitoring you can put in place.   

You’ll learn

  • What physical security monitoring is
  • The purpose of physical security monitoring  
  • What should be monitored?
  • Different types of security and monitoring you can consider

In this episode, we talk about:

[00:36] A quick recap of our ISO 27002 series and its purpose to date – Start from Episode 109

[01:58] ISO 27002 controls reduced from 114 controls to 93 – reduction due to some of them being combined or made redundant in the latest version

[04:02] The purpose of Physical Security Monitoring

[06:22] Example of where security monitoring solved an issue at a bank  

[07:29] Another example of a London business who lacked physical security monitoring

[08:45] The importance of reviewing your need for physical security monitoring – what level do you need? Will it include CCTV, access cards etc.?

[10:10] An overview of the various access points to consider, including: Main building, secure offices, server rooms, visitor access rights, CCTV, security alarms and personnel

[10:53] Example of where failure to verify a visitor highlighted a company’s lack of security.

[11:30] The importance of communication and inductions for key reception and security staff, to ensure they can do the proper checks on visitors / know who should and should not be allowed into certain areas of your workplace.

[13:50] Suggestion of a checklist for checks on visitors for temp reception staff  

[14:32] How do you define what needs 24 hour monitoring and what can be monitored for selected hours?

[15:46] The installation of security measures should be appropriate for your needs – don’t go overboard if it’s not needed. i.e. a Data Centre would need a high level of security but a small office may only need access control

[17:48] Take note of any security requirements in customer contracts

[18:10] How do you ensure the integrity of your security measures? i.e. CCTV – guidelines are available for installation, including placement, connection to your systems, keeping the timestamps accurate, logging any camera failures.

[20:00] Example of where a German company mapped out their CCTV so they could highlight blind spots, which were then pointed out to guards who did more checks in those areas

[21:15] Make sure you maintain any security equipment  

[22:10] What crossover is there with other ISO 27002 controls? i.e. data masking being used in visitor books   

[24:45] How can you apply this control to home workers? This can include training on being aware of potential security risks at home and locking the computer when not nearby etc.

Download our ISO 27002 changes Quick Guide here:

We’d love to hear your views and comments about the ISO Show, here’s how:

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud

ISO 27002 was recently updated this year – along with a reduction of overall controls, 11 completely new ones were added to keep up with new and emerging technology.

One of the new controls added under the technological category is something called web filtering. But what does this mean exactly?

Steve Mason joins us again today to delve deeper into web filtering to explain what it is, break down the different types and give examples of uses that you could implement to reduce risk.

You’ll learn

  • What is web filtering?
  • The purpose of web filtering
  • The different types of web filtering  
  • Different measures of web filtering that can be implemented

In this episode, we talk about:

[01:05] How you can adopt the new controls of ISO 27002 ahead of the latest version of ISO 27001:2022 being published

[02:00] The purpose of web filtering

[02:26] An overview of what web filtering is: It’s a security technology that monitors web activity and prevents users from accessing websites with malicious content or sites that are deemed to be inappropriate for business use

[03:45] Outlook already has web filtering built in

[04:17] The Internet is still the dominant facilitator for cyber crime

[04:40] Types of web filtering, including: Browser based filters, search engine filters, client side filters and network based filters

[06:58] Examples of where web filtering comes into practice – to protect against threats from malicious sites with malware or phishing content, false anti-virus updates, sites with illegal content and sites with out of date SSL certificates.

[08:15] Are you safe relying on Microsoft Windows?

[08:50] What to look out for on websites to ensure it’s secure: A padlock in the bottom right corner, use of reputable third party payment gateways.  

[09:27] Examples of what to be wary of when using the web i.e. deals that are too good to be true  

[11:40] Consider setting up a small internet café that is separate from the company network – to allow employees access for personal use and to help keep your systems safe.


Did you know there were 80 identified security incidents, resulting in 34,908,053 compromised records, in June 2022 alone?

Standards such as ISO 27001 can help you put measures in place to reduce risk and help set up procedures for data recovery. However, not as many adopt the guidance document ISO 27002 which provides further best practice advice to strengthen your IT Security.

ISO 27002 has recently been updated with 11 new controls that tackle recent emerging technology not covered in ISO 27001:2013.

Today, Mel explains ISO 27002 (Information security, cybersecurity and privacy protection – Information security controls), why it’s been updated and gives a high-level overview of the changes.

You’ll learn

  • The purpose of ISO 27002
  • How ISO 27002 works with ISO 27001
  • Why ISO 27002 has been updated in 2022
  • A basic overview of the changes to controls within ISO 27002:2022

In this episode, we talk about:

[00:30] A reminder to keep an eye out for future episodes on the upcoming updated version of ISO 27001:2022

[00:52] An introduction to the guidance document ISO 27002    

[02:02] Controls from the updated version of ISO 27002 can be implemented right now – not a requirement of ISO 27001 but recommended.   

[02:25] Why ISO 27002 has been updated – To bring it up-to-date with the latest technologies and simplification of controls

[03:15] What this means for your Information Security Management System

[03:50] We expect the new controls in ISO 27002 to be reflected in the updated version of ISO 27001 coming out later this year.

[04:27] Reminder: ISO 27002 is not a certifiable standard but it is best practice.

[05:00] ISO 27002 had its last major update in 2013 – think how much technology has changed since then!

[06:00] A summary of the changes to controls in ISO 27002

[07:25] New controls added to ISO 27002 highlight that the standard is more than just IT Security – A trait shared with ISO 27001

[09:13] A summary of what categories the 11 new controls fall under   


Steve Mason is a Senior Consultant at Blackmores (UK) Ltd, and has a 100% success rate of supporting clients in achieving their ISO9001 & ISO27001 certifications on their first time.

With over 38 years of experience working with standards, Steve is incredibly knowledgeable about how to ensure companies get the best benefits when implementing new standards. Steve has never stopped advancing himself and continues to broaden his knowledge of new standards as they come into existence.

Today, Steve is here to discuss ISO 27701 (Data Privacy), and why it’s so important to have so that you can prove you are GDPR compliant.

Since the new European Data Privacy Laws were introduced in May 2018 there have been over 150,000 personal data breaches within Europe, and GDPR fines are estimated to total a little over 220 million euros.

Steve explains why GDPR is so important, how companies can avoid having data breaches, and what makes ISO 27701 different from previous standards.

You’ll learn

  • How ISO 27701 can help companies demonstrate compliance with the requirements of GDPR.
  • The ways ISO 27701 is different from ISO 27001 and why you need both standards.
  • Who you can share PII with while still maintaining GDPR compliance.
  • The correlations ISO 27701 has with ISO 27002.
  • The potential impact implementing ISO 27701 can have.

In this episode, we talk about:

[00:29] The big personal data breaches that have happened in the last 2 years, and the fines the companies received for not being compliant with the data protection laws.

[04:11] Why we have General Data Protection Regulations and what they are there to protect.

[06:36] What ISO 27701 is and how it helps companies be GDPR compliant.

[09:26] What PII (Personally Identifiable Information) is.

[11:41] An overview of ISO 27701 and what its main clauses are.

[14:04] What the two control sets of the standard are and what the difference between a data controller and a data processor is.

[17:20] How this standard helps companies know what needs to be put in place to be GDPR compliant.

[18:51] What makes ISO 27701 better than BS 10012 and why it will eventually completely replace it.

[22:14] What you already need in place to get ISO 27701 certified.

[24:10] The main benefits for companies of implementing this standard.

If you need assistance with implementing ISO 27701 – Contact us!


There are many misconceptions around the well-known ‘Clear Screen Clear Desk’ Policy used in IT Security. Join Mel and Steve Mason on this week’s episode as they discuss some top tips and share some of their own stories.

When looking at Clear Desk in an assessment, it is important not to focus purely on individual desks but on the broader work areas to which employees have access.

Top Tips:

  • Clearing all white boards of information if it is no longer required (take a photograph to prevent loss)
  • Checking all flip charts and removing sheets that have already been used
  • Checking all photocopiers and printers (and the surrounding areas) for any forgotten or discarded documents
  • Checking all confidential waste bins for any that are overflowing; if items can be removed put them in a new bin
  • Checking for any confidential documents left on desks or in trays on desks
  • Checking empty and unoccupied rooms for confidential waste
  • Checking all cabinets to see that they are locked; if they are unlocked check to see that there is no confidential documentation in the cabinets
  • Checking to see that keys are securely locked away; if they are in pedestal drawers ensure that there is no confidential information stored in the drawers.
  • Checking Riser doors which are labelled ‘Keep Locked’ to ensure that they are locked
  • Checking that all ‘mail’ pigeon holes have been cleared from previous ‘out of hours’ work

Clear Screen is much more than just locking your screen when you walk away from your desk; it is about making sure that you do not store information on your laptop and PC desktop screen. Whilst it is there it is at risk of being lost if the hard drive fails, as it is not backed up; also, there is the inconvenience that others who need access to the information cannot get to it, impacting Integrity and Availability of security.

We’d be happy to assist you with ISO 27001 (Information Security) or BS 10012 (Personal Information Security), or you can contact us for a Clear Desk Clear Screen prompt sheet.


Is it okay to ever use a personal e-mail account address for business, or send business e-mails to my personal e-mail address?

The short answer is ‘No!’ This is because it opens your business up to security, legal and professional risks that may lose you customers and can damage your reputation.

All businesses have the capability to access their emails on all sorts of equipment: smartphones, tablets, PCs and laptops (the latter two through the use of a secure VPN back to the business itself). So, there is no reason to resort to personal e-mail accounts for business use.

However, there are far greater risks to the business in terms of Security, Legal Compliance and Business Reputation that should be enough to deter employees from using such risky methods in the corporate environment.

What are the security risks of using a personal account for business?

Personal email accounts exist outside of the IT department’s control. Therefore, they are not subject to backup, archiving, security or governance, so using them for business purposes is a clear violation of compliance regulations. Furthermore, as they are beyond the bounds of the IT department’s control there is no guarantee that e-mails are secure or will remain free of any viruses.

If e-mails held in personal accounts are not backed up, there is a loss of auditable trails, and the business and employees are open to losing important information that the business must, by law, retain as evidence of good business practices – this opens the company up to suspicions of fraud.

Employees sending e-mails to their personal e-mail addresses cannot guarantee the security of their e-mails, particularly if they use systems such as Hotmail and Gmail, which are notoriously vulnerable e-mail systems and have been hacked on many occasions. How would it look if you lost company information because of a data breach in an employee’s personal e-mail account? It would damage your reputation and may result in lawsuits.

Whilst you may have appropriate antivirus protection in place, can the same be said of employees on home computers? Typically, the answer is no, either because the antivirus has not been kept up to date or the type being used is not as effective as those used within the business. If an employee sends an e-mail to a client from their home system it could be infected by a virus (that you have not been able to control) and the reputation of the company is impacted.

And since personal emails are not stored on company servers, discovery for DPA/GDPR and Freedom of Information requests is seriously compromised, presenting legal risks to your organization.

If you are concerned about your organisation’s data security then you may want to consider ISO 27001 (Information Security Management) or BS 10012 (Personal Information Management).

If you would like to learn more about ISO 27001, we do have a 2 part Podcast series discussing the journey to certification. Listen HERE.



Top Tips on implementing BS 10012 to meet GDPR requirements

BS 10012 is a British standard that outlines the specifications for a Personal Information Management System (PIMS). This was introduced in 2009 to help organisations manage personal information and comply with data protection laws. 

The standard was updated in 2017 to reflect the GDPR’s requirements, making it an ideal framework for regulatory compliance. For example, it includes specific guidance on each principle, helping organisations meet the requirements of BS 10012 and GDPR.

After implementing BS 10012 for a number of organisations, here are our Top tips on implementing BS 10012.

  • Establish a PIMS team – this is not a one-person job.  You will need to have input from all areas that are involved with personal data.
  • Carry out a Privacy Impact Assessment – It is important to understand where all the personally identifiable data is within the organisation, how it is collected and how it is disposed of. (Remember this is all data – soft and hard copies – get into all the drawers and cupboards.)
  • Data mapping – collate the information on a data matrix; this would show all the information in one place.
  • Carry out a risk assessment – the data matrix will flag up any risks that need addressing
  • Update documentation – Ensure all documents are updated, i.e. data protection policies, cookie policy and privacy policy.
  • Training, training and more training – people are the weakest link, ensure ALL staff have had BS 10012 training
  • Conduct Internal Audits – to verify compliance and check your systems are effective. 

Implementing a PIMS can be challenging so if you would like assistance please contact us for further information on: enquiries@blackmoresuk.com

Step 1 – Conduct a Privacy Impact Assessment (PIA)

Why?

Enables you to identify all the processes/activities that involve personal data and demonstrates to the ICO that you have carefully considered personal data within your business.

 How?

Complete a PIA for each information stream in your business. We have a host of template documents to help you and your business comply; contact us for further information.

Step 2 – Data Protection Policy Statement

Why?

This policy is your commitment/statement of intent as an organization to data protection.

How?

If you don’t have a DPS you will need one, then you need to consider if it needs to be publicly available or internal only. You should send it to new and prospective clients and share with suppliers.

Step 3 – Data Retention Policy & Data Retention Schedule

Purpose:

Data Retention Policy – This is required to support the creation, retrieval, proper storage and preservation of essential personal data records, and to enable identification and destruction of information where there is no continuing business, legal or historical significance.

Schedule – This schedule defines the different types of records typically found in businesses.  It may not capture all the personal data/records that you may have in your company.  Where any are missing, you need to add these to the ‘Other’ tab within the document.   The schedule defines any legal retention requirements/ guidance on best practice from the ICO.

Action: Make the Policy and schedule available to staff.

Step 4 – Privacy Policy Template

Why?

In the interest of transparency (a GDPR principle requirement), you are required to provide privacy information to data subjects when you are collecting their personal data.  Typically you will find a Privacy policy is put onto the website (as generally this is where you may have data capture forms).

How?

Look at what you already have in your Privacy Policy and check whether the section on the Legal Basis for processing needs updating (as per the PIA/Data Matrix outputs), as not all may apply.

  • Display it in an ‘easy to digest’ format on your website, i.e. section headers with an overview paragraph and the option to expand to see full details.
  • Add in a link to this page on your email signatures
  • Think about where else in the business you might be collecting personal data and should be providing some level of privacy information, i.e. Terms of engagement (use the same headings if possible).

Step 5 – Security Incident Procedure

Why?

This is the document that you need to describe the process for reporting data breaches or security weaknesses, events, and investigation of security incidents.  All staff must be made aware of the document and understand the procedure, as they are responsible for knowing how to report breaches/ security incidents as they become aware of them.

How?

  • Write up your procedure and make it available to staff and ensure they’re aware of their data protection/ information security breach responsibilities as appropriate.

Step 6 – Information Security Breach Checklist

Why?

The checklist is to capture the key elements relating to a data breach to ensure actions are recorded and progressed as appropriate. The root cause can then be understood, and any new/changed controls that are needed can be made and applied as part of the lessons learnt activities.

How?

  • Ensure it is available to staff and that they understand and are aware of their data protection/ information security breach responsibilities as appropriate.

Step 7 – Subject Access Request (SAR) Procedure

Why?

As stipulated by GDPR, any individual that you hold information on has a right to know what data you hold on them, e.g. name, address, etc. – this info can be requested by an individual using a ‘Data Subject Access Request’.

How?

Write up your procedure outlining the steps to be followed by staff upon receiving this request, what information they need to record and how to go about it. This will ensure that your company receives and processes Data Subject Access Requests in accordance with the General Data Protection Regulations.

Step 8 – Subject Access Request (SAR) Log

Why?

There are rules relating to how long you have to respond (within 30 days) to these requests and this log enables you to keep track of any requests in progress, or any historical requests made.  This log is linked to/ referenced within the Subject Access Request procedure.

Step 9 – GDPR Staff Training

Why?

Most data breaches/ Information Security breaches/incidents can be traced back to an individual’s actions or decisions.  Providing awareness training to staff is a form of control that you may need to evidence to the ICO/Client in the event of a data breach.

How?

  • Ensure all staff receive this training.
  • Retain evidence that this training has been delivered i.e. staff training records

Step 10 – Supplier Data Compliance Questionnaire

Purpose:

This questionnaire is to check that the suppliers that your business shares personal data with are GDPR compliant. It is a requirement for your company to check the security and data protection compliance of any processors/ sub-processors used by the business.

How?

  • Identify those suppliers/ partners to whom you may supply personal data (Use the Data Matrix/ PIA results as a reference point)
  • Send the questionnaire to the companies likely to respond.
  • Conduct the required due diligence for larger organisations and retain evidence of findings
  • Take action depending on the outcome of the questionnaires/ proactive due diligence.

Next steps

  1. Use your common sense when it comes to protecting your client data
  2. Review your client terms of engagement – are you being transparent about the handling and protection of your client data?
  3. Complete the Privacy Impact Assessment (PIA)
  4. Identify your risks and implement the organisational controls (Policies, procedures and training)
  5. Identify the risks and implement the technological controls i.e. data back-up, anti-virus software, restricted access, password management.

May 25th 2018 – GDPR becomes law

This is the date the ICO has set for all organisations to align with GDPR.

Are there any legal implications for my business?

GDPR becomes law on May 25th 2018.  Therefore compliance with the requirements becomes a legal implication for your business on this date.

Steve Wood, the Information Commissioner’s Office Head of International Strategy & Intelligence has quashed any suggestions of a soft start to GDPR. He stated “You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.”  He explained the ICO intend to focus on risk and will be happy to work with organisations if there are any areas that seem unclear but there will be no grace period.

What happens if my company does not comply?

Under the GDPR there are tiers of fines that can be imposed depending on the severity of breach.  The worst case scenario for fines is 4% of global turnover or £20M – whichever is greater.

Not only are fines imposed, but the ICO  ‘name and shame’ businesses that are in breach.  This is not a new development – this is also the case under the DPA. More information can be found HERE.

Will ISO 27001 make me GDPR compliant?

ISO27001 v BS 10012

On its own, no – this is a myth.

Information security is just one of six principles of BS 10012 and GDPR:

 “f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Whilst a very important principle, if you rely on just having ISO 27001 for GDPR compliance you run the risk of not being in full alignment with all the principles (and related articles and recitals).

Who needs to be involved in BS 10012?

Successful implementation is a team effort.

It starts with the top – Senior Management need to be fully onboard and committed to achieving data protection best practice.  If this is secured, then everything else will flow from there.

In order to effectively identify all the personal data within your organisation you need to involve all areas of the business.

All too often businesses are concerned with just the data they may process for their clients – normally because they’re being questioned about data protection by their clients!

Or on the flip side, businesses are overly concerned with staff or finance data – excluding all the other client related personal data they may be controlling in the business.

With BS10012 – all personal data is captured and recorded to ensure that all risks are considered.

Thereafter, all staff require a level of data protection training to ensure that they understand their responsibilities in relation to personal data.  Unfortunately, as has been proven many times before, people will always be the weakest link when it comes to data protection breaches.  Ensuring all staff are trained is fundamentally one of the most important steps to take in implementing BS10012:2017.

This extends out to key suppliers or partners depending on whether personal data is shared/ transferred outside of the business.
