There were a reported 9,478 publicly disclosed data incidents in 2024 alone, amounting to over 35 million known breached records.
It has become clear in recent years that information security isn’t just a ‘nice to have’; it’s a necessity to ensure that your data and your clients’ data are protected. This is especially the case for those processing personal and financial data, such as today’s guest, Mintago.
In this episode, Tom Catnach, Head of Product and Information Security Officer for Mintago, explains their journey towards ISO 27001, the challenges faced and benefits felt from certification to the leading Information Security Standard.
You’ll learn
- Who are Mintago?
- Who is Tom Catnach?
- What was the main driver behind achieving ISO 27001?
- What was the biggest ‘gap’ identified in the Gap Analysis?
- What have they learned from the experience?
- What are the benefits of certification to ISO 27001?
- What does the threat horizon for information security look like?
Resources
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:15] Episode summary: Today we welcome guest Tom Catnach from Mintago to discuss their journey towards ISO 27001 certification.
[02:20] Who are Mintago? – Mintago are an employee benefits company, who work with companies to help their employees be financially better off. They do this in a number of ways, including:
- Finding lost pension pots
- Helping people save money by finding discounts
- Retirement planning
- Offering various salary sacrifice products
- Helping companies to be more financially efficient with pension salary sacrifice or other national insurance savings
- Helping people to be more financially literate
[05:10] Who is Tom Catnach?: Tom has a split role at Mintago, his primary role being Head of Product and secondary being Information Security Officer.
Through both roles he looks after all the products and offerings as well as the information security across the business. He was also the driving force behind achieving ISO 27001.
Outside of work, Tom likes to travel via motorbike, preferring to stay away from the screens and enjoying the sights.
[06:30] What was Mintago’s main driver to implement ISO 27001?: Mintago, like most other businesses by their nature, are required to hold a lot of sensitive data and so have a responsibility to their clients and employees to ensure its security.
Mintago were looking for a robust framework to base their Information Security around, and what better option than the leading Information Security Standard, ISO 27001.
ISO 27001 also offers an assessment of general business practice and allows for growth and scaling. As a start-up, they wanted a solid base of policies, training etc. to roll out to new hires as they expand.
[08:30] Aligning Standards with core values: Trust is one of Mintago’s core values and they want to give their clients the assurance that they can be trusted to protect their data.
ISO 27001 can be compared to the likes of B Corp as it’s an on-going process. It doesn’t just stop at getting the certificate; you have annual surveillance audits to ensure you are still compliant year on year.
[10:15] What was the scope of Mintago’s certification?: For the initial implementation, Mintago opted to just scope in Product and Customer Service.
This was because all of the sensitive data is handled in those departments and they don’t allow access to any other teams, so it made sense to start there with a view to expand the scope after certification.
That being said, they still rolled out Information Security training to all staff, and everything has been set up to allow for an easy business-wide roll-out when they’re ready.
[11:50] How long was Mintago’s certification journey?: They started their journey in September 2023, in fact it was Tom’s first project with Mintago!
Mintago enlisted Blackmores help to implement ISO 27001, and after nine months they have been successfully certified.
Tom attributes their ease of implementation to the fact that they are currently a small business, citing that it’s an advantage to implement ISO Standards early while you’re agile, so that your management system grows with you.
[14:25] What was the biggest ‘gap’ identified at the Gap Analysis?: Mintago are lucky in that they are a new business using modern tech, and don’t have the burden of a larger site or other physical elements such as rack-mounted servers.
However, policy, procedure and evidence to ensure they were doing the right thing were lacking at the start of their journey. They did have a good 70% in place and that last 30% was mostly down to having the ability to evidence their compliance.
There was also some additional work to do to improve existing policies and procedures. One example of this was having a solid Business Continuity Plan in place.
[16:35] Did Mintago experience any significant barriers in addressing identified gaps? Being a smaller business, they were able to adapt a lot quicker than a larger organisation may have been able to.
One of the biggest struggles for Tom was getting the necessary technology to aid with Information Security. They needed to show that they had a competent Mobile Device Management (MDM) solution, antivirus and anti-phishing in place.
When trying to buy some software solutions, Tom encountered a lot of companies simply not replying to his requests due to Mintago’s size. Many organisations sadly prioritize bigger potential clients, and so it took a while to finally get all the required software.
[18:45] Engagement is key – Getting everyone involved with the management system is critically important. This is especially true for information security, as the people most often targeted are frontline workers, so they need to be actively engaged in security.
Mintago also has the advantage of being a smaller business, so getting communication out isn’t a hardship and resulted in high engagement. This benefitted from a top-down initiative via their ‘C-Suite’.
Tom also states that you can make any necessary training more lighthearted, team based or interactive, as that’s something that people would want to engage in.
It’s also important to stress that any information security training can be beneficial for personal use too to avoid being a victim of fraud or a scam. It can be something people take away to their family members to ensure they stay safe online.
[23:10] Did the adoption of ISO 27001 highlight any issues not already considered by Mintago? – The biggest thing was how their internal process could be improved. For example, looking at the scenario of ‘what if our back-ups don’t work?’, ISO 27001 drilled down to ask specifics such as:
- How do we recover from that scenario?
- Are we 100% confident in our back-ups?
- Will they work near instantaneously?
- What’s Mintago’s availability like in that scenario?
- How do we prevent disruption to our clients during that scenario?
So, while they did have back-ups they weren’t necessarily considering the whole scenario, especially if those back-ups were to fail. ISO 27001 ultimately helped to flesh out existing plans to make a much more robust system.
In regards to threat horizons, Mintago do follow OWASP guidance and keep the team informed via e-mail, newsletters and GitHub repositories.
[25:00] Internal Auditing – A beneficial tool – Tom found the internal auditing process to be very beneficial for Mintago; currently they do a few a month on average.
Blackmores assisted with the audits during implementation to ensure they were in the right place for assessment. Of course, the Certification Body audits were a bit more nerve-wracking for Stage 1 and 2, as they would determine if they would be certified.
Mintago passed their Stage 1 (documentary review) with flying colours, their Stage 2 (evidence checking) highlighted a few non-conformities that were quickly addressed. Following the Stage 2, they were recommended for ISO 27001 certification.
[27:20] Minor Non-conformities aren’t the end of the line – There’s a common misconception that getting a certain number of minor non-conformities during a Stage 2 assessment means you can’t be certified, but that’s simply not true!
If an Assessor is comfortable that you are in a good position for certification, they will recommend you.
ISO Standards are all about continual Improvement, which is something Mintago are embracing as they continue to address issues raised at audits.
[29:00] Benefits of ISO 27001 certification – Benefits Mintago are already experiencing include:
Internal Stakeholders – The team worked hard to achieve the Standard and have embraced its core qualities to the benefit of their own Information Security practices.
Positive Market Response – Much larger clients who are also ISO 27001 certified now have a mutual understanding of each other’s commitment to information security.
Gaining certification early – As a start-up, Mintago are agile and will be able to develop and mature their ISMS (Information Security Management System) as they grow.
[31:10] Any concerns on the threat horizon?: As the Information Security Officer, Tom is concerned about new emerging trends in AI-led scams. They’re going to be a lot more sophisticated and harder to spot and deal with.
Thankfully, even if they are impacted, it will be rather isolated. Tom raises concerns for vital services such as Air Traffic Control which could have dire consequences if they were to be affected by a data incident.
However, with ISO 27001 Mintago are in a good place to keep on top of their threat horizon and have the processes in place to mitigate potential incidents and continually improve their own security.
[34:30] In Summary: Mintago are a shining example of gaining certification for the right reasons. It’s not just about getting a badge, they have truly embraced a culture of continual improvement and are utilising ISO 27001 to ensure they have a robust information security management system in place.
If you would like to learn more about Mintago and their financial services, check out their website.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List
Nearly 60% of businesses that are impacted by a cyber incident go out of business within the 6 months following.
With our heavy reliance on technology to keep both businesses and services running, it’s imperative that everyone take cyber risk seriously.
However, incidents will inevitably happen and it’s up to you to ensure that your business is prepared to ride out the wave, and hopefully make a full recovery!
We invited Jack Morris, Account Director at Epiq, back onto the show to discuss the consequences of not being prepared for a cyber incident and the key steps businesses should take in the event of an incident.
You’ll learn
- Who are Epiq?
- What does the current cyber incident landscape look like?
- What are the consequences if a business does not respond to a cyber incident effectively?
- How can a business detect if they’re being attacked?
- How should businesses respond in the event of a cyber incident?
- What role does a legal team play in incident response?
Resources
In this episode, we talk about:
[02:05] Episode summary: Today Mel is joined by guest Jack Morris, Account Director at Epiq, to discuss how businesses should respond to a cyber incident.
[03:00] Who are Epiq? – Epiq is a global leader in technology-enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe.
[04:35] What constitutes a cyber incident and why is it so important to respond effectively? – A cyber incident refers to unauthorised access or attempted access to an organisation’s IT systems. Types of incident include breaches, malicious attacks (e.g. Ransomware), and accidental events (e.g. Fire Damage). Responding effectively is crucial to minimise damage and protect sensitive data.
[05:40] What does the cyber incident landscape currently look like, and what challenges will organisations face in responding to an incident?: The cyber incident landscape is ever evolving, but here are some key trends we saw in 2023:
Attacks on the rise – the number of organisations posted on ransomware and data theft sites increased by over 70% year-on-year.
Business Email Compromise (BEC) incidents surged by 67% in 2023 – these events are where people within an organisation fall victim to phishing or similar – clicking on malicious links which ultimately compromise your mailbox.
For me, there are 3 main challenges that organisations face when responding to a cyber incident:
- Day-to-day management – balancing the technical aspects of the incident with broader business continuity, communications, financial and legal considerations. This can be hugely difficult for an organisation during an already high-stakes situation.
- Expertise and support – navigating the complex legal, technical and operational aspects of an incident
- Data-focused impact – understanding and assessing the risk to data after resolving an incident.
[10:00] What are the solutions to these challenges? – Understanding the various external expertise and support available to a business, whether that be a law firm, a cyber incident response expert or a cyber insurer, will give you access to support with both the day-to-day management of an incident and the legal, operational and commercial impact of said incident.
[12:10] What are the consequences for an organisation that does not respond effectively to a cyber incident? – Failing to respond effectively to a cyber incident often leads to a variety of severe complications for a business, such as:
- Operational Issues: operational disruptions will occur due to prolonged exposure of sensitive information, and if Ransomware has infected systems, the organisation will not have access to potentially crucial business information. Financial losses and higher incident response costs can come as a result of poor planning.
- Additional Data Breaches: if an organization doesn’t respond effectively to a cyber incident, taking steps to gain control over their systems, additional data breaches can occur from threat actors gaining further access to the organisation’s systems.
- Financial losses: cyber incidents affect a business’ bottom line. Costs including incident investigations, recovery, legal fees and potential fines. Further, knock on effects such as lost business opportunities and damaged investor confidence come from poorly managed cyber incidents.
- Damage to Reputation and Trust: Public perception matters for a business. A poorly handled cyber incident damages an organisation’s reputation. Customers, partners and stakeholders lose trust, affecting long-term relationships and market position.
- Legal Consequences: Regulatory fines and potential follow on litigation arise from non-compliance with data protection laws. Organisations failing to report breaches promptly face penalties. Legal battles can be costly and time consuming.
[16:25] How can organisations detect if they are being attacked? – Signs will vary depending on the type of cyber incident, but slow systems, locked accounts (no access to mailboxes etc.), inability to access documents or shared drives, ransom demands and unusual emails from the organisation’s own domains are all tell-tale signs of a cyber incident. If an organisation has invested in Managed Detection and Response software for their end-points, this will proactively scan your environment and provide alerts to potential and actual cyber incidents.
[17:40] What are the key steps an organization must take in responding to a cyber incident? – It’s a great question, and these key steps will be implemented during a cyber incident response plan – an impacted organization should:
- Triage: Assess the severity and impact of an incident (organisations can instruct a first response organization to shut the doors, and assess the damage)
- Identify: Understand what is happening to the business post incident. Things like locked accounts, no access to business systems etc.
- Resolve: take technical actions to mitigate the incident – shutting off access to accounts – closing the door
- Report: Notify relevant stakeholders, including legal obligations.
- Learn: analyse the incident to then take retrospective action to prevent further incidents.
[21:23] Join the isologyhub – Don’t miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub
[23:48] How does Cyber Insurance play a pivotal role in Cyber Incident Response? – As with most walks of life, insurance plays a crucial role in supporting organisations in effectively responding to disasters.
- Response Funding: Insurers cover costs related to incident response, including professional services.
- Response Time: Insurers bring in experts promptly, improving incident resolution.
- Affordability: For small to medium businesses, insurance may be the only way to afford a response team.
[26:10] What role do vendors like Epiq play in supporting the incident response lifecycle? – Just like law firms providing legal advice and support in responding to a cyber incident, cyber incident response providers support with the operational response to a cyber incident.
Initially, vendors like Epiq support with the incident identification and forensic investigations. Essentially finding the open door and closing it.
Further investigation on how the threat actor (baddie) got into the open door is conducted to prevent other doors from opening too.
Following this, the operational partner will support in understanding the extent of the incident, whether that be identifying impacted entities, notifying them of the incident and providing remediation, as well as supporting with any follow on litigation or mass claim.
[27:25] What are the legal obligations that exist after a cyber incident, especially in relation to personal data breaches? – The legal obligations are clear: an organisation must report personal data breaches within 72 hours of becoming aware of them, unless the risk to individuals’ rights is unlikely. This quick turnaround is why it’s imperative that organisations have an established cyber incident response plan, and know who they should be talking to regarding the legal and operational implications.
[28:45] What support is out there for organisations that are victims of a cyber incident? – On the previous episode, we discussed what organisations can do to be proactive in mitigating the risks associated with a cyber incident. We discussed the importance of Cyber Incident Response plans, as they outline what external support an organisation should seek in the event of an incident.
Having playbooks and relationships with law firms, cyber providers like Epiq, and cyber insurance coverage are 3 key focuses for every business.
[30:35] What role does a legal team play in incident response? – Legal support and advice is critical during an incident. As mentioned, they will help with reporting the incident to the required regulatory bodies.
- Breach Notification – legal support ensures compliance with data breach disclosure laws and regulatory requirements.
- Breach Counsel – law firms act as a breach counsel for organisations, enabling them to support and advise on the legal implications of a cyber incident. Most law firm cyber practice groups will have relationships with external vendors, like Epiq, to support with the operational response. They can co-ordinate with these external vendors to ensure compliance.
- Privacy Law Compliance – they guide handling of personal data and privacy implications to ensure no further issues.
[36:00] What should an organisation do in future to prevent further incidents? – Benjamin Franklin’s famous quote is so true here – ‘by failing to prepare, you are preparing to fail’.
The key point here is to learn from your mistakes. There may have been numerous reasons that the organisation wasn’t ready for a cyber incident, but they should learn from what led to the incident previously, and proactively address this to prevent further incidents. 67% of organisations that get hit by a cyber incident are subject to further attacks within 1 year. It’s important to reduce your attack surface, and ensure you have cyber security themes running throughout the business.
[37:45] What are Jack’s top 3 tips to take away from this session to help them respond effectively to an incident? –
- Establish an Incident Response Plan – we spoke through IR plans during the first episode, but creating a plan that outlines roles, responsibilities and communication channels during an incident is key. Once implemented, regularly testing the plan and simulating these incidents is key to ensuring effective response.
- Engage external experts early – during this session we identified 3 critical external support pillars to an incident – having legal advice, operational and response support and insurance is key.
- Prioritise business continuity – enabling the external experts to support you through the incident will free your bandwidth to ensure that you minimise damage and downtime to your business.
If you’d like to learn more about Epiq and how they can help you, visit their website.
If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.
Cyber incidents are on the rise as data shows there was a 20% increase in data breaches from 2022 to 2023.
Technology has become an integral part of most businesses, especially post pandemic where many who may have avoided this reliance on tech had no choice but to adapt to survive.
As a result, the question of businesses being affected by a cyber incident has become ‘when’ rather than ‘if’. However, there are a number of steps you can take to mitigate risks ahead of any potential incidents.
We invited Jack Morris, Account Director at Epiq, to discuss cyber incidents, the importance of being proactive in reducing cyber incident risk and the steps you can take to mitigate these risks.
You’ll learn
- Who are Epiq?
- What is a cyber incident?
- The importance of being proactive in reducing the risk of an incident
- What can organisations do to be proactive in mitigating cyber incident risk?
- What are forensic tabletop exercises, and how do they enhance preparedness?
- Why might an organisation need to get an incident response retainer?
- What role do Information Governance consultants play in reducing cyber risk?
Resources
In this episode, we talk about:
[02:05] Episode summary: Today Mel is joined by guest Jack Morris, Account Director at Epiq, to discuss how to mitigate cyber incident risk.
[02:40] Who are Epiq? – Epiq is a global leader in technology-enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe.
[04:31] Who is Jack Morris? – Jack joined the industry relatively fresh out of university, starting at an organisation called Kroll where he was focused on data management – including overcoming ransomware infected devices and essentially allowing organisations to get access to data that was previously taken away from them.
Kroll was later acquired by Duff and Phelps and went through a turbulent time of many name changes before settling on Kale Discovery. He ended up leaving a year ago and joined Epiq as an Account Director.
Jack’s role at Epiq includes being a facilitator, introducing law firms, corporations and cyber insurers to best in class people and technology.
[06:40] What is a cyber incident?: A Cyber Incident is any unauthorised or unexpected event that compromises the confidentiality, integrity or availability of an organisation’s information systems, data or network. Incidents can range from data breaches and malware infections to single mailbox compromises and insider threats.
Organisations looking to combat information security risks should consider ISO 27001, as its key principles are the confidentiality, integrity and availability of your business’s information.
[08:29] Why is it important for organisations to be proactive in reducing their risk of an incident, no matter the size of your business? – Let’s look at some startling statistics:
In 2022, 39% of businesses in the UK identified a cyber attack in the previous 12 months. Of this 39%, 31% of those businesses experienced attacks at least once a week.
48% of Small to Medium Businesses, globally, experienced a cyber incident in the last 12 months, with 61% of all cyber-attacks specifically targeting small business.
This is the most shocking of the statistics, and why it’s so important for us to be having these kinds of conversations around how businesses, no matter their size, need to be proactive in mitigating the impact of a cyber incident.
70% of small to medium businesses in the UK believe that they are unprepared to deal with a cyber attack (which excludes those who think they have proper processes in place but ultimately don’t).
Nearly 60% of businesses that are impacted by a cyber incident go out of business within 6 months following!
[12:10] Are there any particular industries that are most at risk from a cyber incident? – Cyber Incidents are not siloed to particular industries, but there are some trends that we see in the market. Looking at Q1 2024:
January saw a rise in cyber incidents predominantly affecting retail, education and local government.
In February we saw a significant number of breaches, impacting organisations across the full spectrum of markets.
All of this is to say that regardless of the size of your business and the industry you operate in, the number of cyber incidents is increasing, as is the severity of those incidents.
[13:35] ISO Standard trends – At Blackmores, we’ve seen an increase in demand for ISO 27001 and related data privacy standards across the board for all sectors. A stark difference to 10 years ago where it would mostly only be adopted by those in the managed services or tech based industries.
[15:30] What can organisations do to be proactive in mitigating cyber incident risk? – Things such as implementing a proactive incident response plan, engaging with law firms and consultancy organisations to become aware of the organisation’s requirements and compliance issues arising from a cyber incident.
If you were hit with an incident today, you must report any personal data breaches to the relevant regulators within 72 hours of becoming aware of the incident, or fines can be imposed. To deal with these types of situations, it’s imperative that your organisation has established, sound relationships with law firms and consultants.
[17:25] What is the importance of an incident response plan? – Implementing an incident response plan is crucial because it allows organisations to prepare for potential cyber incidents before they occur. By identifying risks, implementing preventive measures, and conducting exercises, organisations can significantly reduce the impact of incidents.
Organisations should be aware of both the legal and operational issues that arise from a cyber incident. From regulatory compliance and liability concerns right the way through to loss of systems/data and brand reputation, these are all key considerations that have an effect on the whole of a business.
[18:35] What are forensic tabletop exercises, and how do they enhance preparedness? – Forensic tabletop exercises simulate cyber incidents in a controlled environment. They involve key stakeholders discussing and practicing their roles during an incident. These exercises improve coordination, communication, and decision-making, ensuring a more effective response when a real incident occurs.
The workflow here is clearly defined; implement an incident response plan, and then test that plan for robustness – engaging with external providers, like Epiq, to further add to the existing plan and to test how the organisation will manage an active incident.
[21:45] Links with Business Continuity – Response readiness plans and forensic tabletop exercises both tie into aspects of ISO 22301 – business continuity.
In Blackmores’ experience, a lot of organisations don’t actually test their plans, so when going through the process of implementing ISO 22301, where testing these response plans are a requirement, it’s a bit of an eye opener when they realise they’re not as resilient as initially thought.
It’s always better to test these plans in a simulated environment vs a live one, so you can be assured that your plans are up to the task.
[23:40] Why might an organisation need to get an incident response retainer? – We’re starting to see a number of industries, particularly in regulated verticals, requiring businesses in their supply chain to meet a number of different cyber security requirements. One, which keeps popping up, is to have a plan in place for responding to security incidents. Having a retainer can help meet these compliance requirements.
[26:05] What role does Managed Detection and Response (MDR) software play in proactive incident response? – MDR solutions continuously monitor networks, detect threats, and provide real-time alerts. They enhance proactive response by identifying suspicious activities early, allowing organisations to take preventive action before incidents escalate.
[27:50] What role do Information Governance consultants play in reducing cyber risk? – Information Governance (IG) consultants specialise in helping organisations define their Information Governance Strategy, encompassing data security and defining compliance policies. They support organisations in defining:
- Data Classification: Identifying Sensitive and PII data and categorising based on their confidentiality or regulatory requirements.
- Retention Policies: Defining policies on retention period of records and method of disposition aligned with compliance requirements.
- Legal Holds: Ensuring necessary data is preserved for potential litigation, internal investigation or as part of audit process.
- Privacy Compliance: Aligning with regulations such as GDPR, DP, DPA, CCPA.
[33:30] What are Jack’s top tips that the listeners can take away from this podcast session and implement today to begin mitigating their risk? – Unfortunately mitigating cyber risk isn’t a one-size-fits-all response; however, I like seeing cyber risk as 3 buckets that businesses should be aware of and measure their organisation against:
Technology & Infrastructure – outdated systems, unpatched software and not fit for purpose IT infrastructure pose risks.
These types of vulnerabilities are exploited by attackers, leading to data breaches, malware infections and system disruptions.
So, making sure that your technology and infrastructure is fit for purpose, and up to date is a key takeaway. We spoke about Managed Detection and Response solutions earlier in the session, which is a great, cost effective way of adding an additional layer of technology security.
Human Factor – for me, this is the number 1 frailty to a business. Business Email Compromise incidents increased by 67% in 2023, with Multi-Factor Authentication (MFA) being bypassed in 29% of these cases.
Over recent years, cybersecurity awareness has been the aim of the game. However, it is crucial that, as our understanding progresses, we switch our focus to fostering a culture of cybersecurity responsibility among colleagues and employees.
Ensuring that your people are aware of cyber incidents (perhaps by listening to this podcast), and of their role in mitigating the risks associated with a cyber incident, is crucial in ensuring that your business is secure.
Preparation – in just about all walks of life, preparation is key for preventing almost anything. We have spoken today about some of the key preparation themes I’m seeing in the industry, from Response Readiness plans, to MDR, to Incident Response Retainers. Getting sufficient Cyber Insurance coverage is of paramount importance to ensure that your business can respond effectively to an incident, should one occur.
If you’d like to learn more about Epiq and how they can help you, visit their website.
If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List
The use of AI within business is starting to become more commonplace, with major applications like Microsoft Teams and Word integrating many new features designed to make our lives easier.
However, we still need to exercise caution with this new technology and consider what we can put in place to mitigate any potential security risks while developing or utilising it, which is precisely what today’s guest, Monolith, has done.
Monolith provide a machine learning program that engineers can adopt to build highly accurate self-learning AI models that instantly predict the performance of systems in a wide variety of operating conditions.
In this week’s episode Mel is joined by Æsc George, Senior Software Engineer at Monolith, to discuss why they have adopted ISO 27001, explain their implementation journey and the benefits of having an Information Security Management System.
You’ll learn
- Who are Monolith?
- What was their main driver behind obtaining ISO 27001?
- What was the biggest Gap identified in the initial Gap Analysis?
- What benefits did Monolith gain from implementing ISO 27001?
Resources
In this episode, we talk about:
[00:25] An introduction to Monolith and Æsc George – Monolith is all about empowering engineers to develop self-learning models from their engineering test data. With this they can develop machine learning models to really accelerate new product introductions and get these new products to market much more quickly, primarily by using these models to accelerate and streamline their testing.
They are currently recommended for ISO 27001 certification, and are eagerly awaiting the arrival of their physical certificate.
Æsc George is a Senior Software Engineer working on this browser-based software. He is also the interim security officer, which is why he was tasked with obtaining ISO 27001.
Fun fact about Æsc: He was a proud owner of a colony of 8 rats! He currently takes care of 4 cats, which have access to a plethora of enrichment in his home 😊
[03:35] What was the main driver for Monolith to obtain ISO 27001? – There were a few drivers, the most obvious being that they want to display their commitment and credibility when it comes to Information Security.
Acquiring ISO 27001 makes it easier to show their clients and prospects that their engineering data is in safe hands.
Monolith also know that there’s a lot of buzz about artificial intelligence and machine learning at the moment, and that buzz covers both sides of the coin: what good it can do for the world and the harm it can do. Aligning with ISO 27001 shows that they’re trying to use AI in a responsible way.
[05:10] The start-up is getting a head start! – Monolith is a start-up company, only a year in and already leading the way for AI development by ensuring security is a priority from the start.
[05:40] How long did it take to implement ISO 27001? Nine months from the point of contacting Blackmores to assist to being recommended for certification.
Æsc recounts his experience: “My perception is that the effort was quite front loaded, so the amount of effort involved in the process almost wound down towards the end – even with the external audit happening towards the end.
I think once the information security management had been established and we’d worked it into our day-to-day, the perceived effort was lower. So I felt pretty confident going through our audit processes because I’ve experienced the system working already.”
[08:15] What was the biggest gap identified at the Gap Analysis? – There wasn’t a formal approach to information security risk and risk treatment.
There were already a number of existing systems and ad-hoc arrangements to mitigate information security risks – but they hadn’t been framed in terms of risk.
They hadn’t gone through a process where risks were quantified and weighed against each other.
So following the gap analysis, one of the many actions Monolith took was to make sure they were consistently and regularly assessing information security risk in various dimensions.
They now have the right framework in place to allocate the appropriate time and resources towards information security, and to prioritise the biggest risks.
[10:10] What difference has Implementing ISO 27001 made? – It’s given Monolith more confidence in their understanding of Information Security risks, and assurance that there aren’t any massive, unidentified risks that may cause trouble later down the line.
It’s also made it easier to discuss information security risk and policy decisions. Monolith AI are a remote first company, allowing their staff the freedom to experiment with new technologies, and be in an environment where they feel comfortable. Having formal risk treatment in place means they can maintain this highly flexible, highly innovative and productive way of working – but with their eyes wide open.
[11:40] What has Æsc learned from the experience of Implementing ISO 27001? – Æsc is not new to ISO Management Systems, having been involved with the maintenance and implementation of a few in the past.
However, he has gained an appreciation for the nuance in ISO 27001. For example, the knowledge that the standard uses words like ‘should’ and ‘shall’ that have particular intentions – ‘shall’ being mandatory and ‘should’ being recommended.
His previous experiences with Management Systems had more resources available than at Monolith, so learning this nuance has been important in the prioritisation of focus and resources in his current position.
[13:30] What have been the main benefits from Implementing ISO 27001? – Having a holistic and formal approach to Information Security and risk management compared to the ad-hoc approach they had prior.
It’s brought the company together on a really important issue, and helped everyone to understand the role they play in Information Security.
Personally, Æsc has enjoyed reaching out to people he may not ordinarily get the chance to work with, as a result of this unifying issue that everyone at Monolith cares about.
[17:00] Once Monolith formally receive their ISO 27001 certificate, what benefits will that bring? – Currently Monolith AI are recommended for Certification, and are simply waiting on the delivery of their physical certificate.
Once received, they will be able to present it to prospects and clients if they are questioned on information security credentials – to show that they are serious about their commitment to security.
It will also open doors to new prospects that may not have considered them as a supplier due to the lack of ISO 27001 certification.
They are also a leading example in the relatively new industry of AI; those with ISO 27001 certification at this stage stand out from other competitors.
[19:15] What tips does Æsc have for those starting out on their ISO journey? – Speaking from experience, Æsc recommends hiring a specialist in ISO to assist with your implementation.
In his case, Blackmores helped to organise the process, drive a lot of the early gap analysis and gave him confidence in going through internal and external audits.
Having someone with experience acting as a guiding hand makes the whole process go a lot more smoothly. This could be a consultant, or someone you train within your own business.
These projects are the sort of thing that turn passion into action. Whether that’s information security or environmental management etc., it’s better to have someone experienced or trained in the nuances of the Standard to ensure it’s implemented in a way that truly benefits your business.
[21:20] Æsc’s book recommendation – Nature’s Calendar: The British Year in 72 Seasons by Kiera Chapman, Rowan Jaines, Lulah Ellender and Rebecca Warren. Inspired by a traditional Japanese calendar which divides the year into segments of four to five days, this book guides you through a year of 72 seasons as they manifest in the British Isles.
As Æsc describes: “Lots of the seasons will be very familiar to people who’ve lived in this country their whole life, but they may not have necessarily thought about the context of it.
So I think it is really grounding. Time and the way we measure it can seem so arbitrary and abstract sometimes, and measuring minutes and hours is responsible for so much stress and anxiety, so taking a breath, thinking about how nature moves at a different, slower, more deliberate pace, and finding the time to synchronise with that, to move with nature, can be a really rewarding experience.”
[24:15] One of Æsc’s favorite quotes – “I went to the woods because I wished to live deliberately, to front only the essential facts of life, and see if I could not learn what it had to teach, and not, when I came to die, discover that I had not lived” – Henry David Thoreau (from his book ‘Walden’)
[26:10] Need help with your ISO 27001 transition? – We have an ISO 27001 Transition Gameplan available on the isologyhub. This Gameplan provides a step by step guide for you to transition to the latest 2022 Standard.
If you’d like to learn more about Monolith, check out their website.
Anyone with a current ISO 27001:2013 certificate will be required to update and add certain elements in their existing Information Security Management System to ensure compliance with ISO 27001:2022 ahead of the October 2025 deadline.
Over the past few weeks, our mini-series has covered the fundamental changes to the Standard, along with tips on how to plan and Implement the required updates.
Join Mel this week as she explains the final few stages of an ISO 27001 transition, including the Internal Auditing and final preparation ahead of a Certification Body visit.
You’ll learn
- What needs to be audited?
- What do I need to do to prepare for the Certification Body visit?
- How can you get a free copy of ISO 27001:2022?
Resources
In this episode, we talk about:
[00:44] Catch up on the last two episodes before listening to this one: What you need to know to transition to ISO 27001:2022 / What changes need to be Implemented to transition to ISO 27001:2022
[01:00] The last stages are all about gathering evidence of compliance against new and updated clauses and controls
[01:28] Make sure you plan your transition visit well in advance – If you leave it too late you may incur additional fees for more days or possibly even for a full certification if you miss the deadline.
[02:15] This process for transition is fairly consistent among Certification Bodies. It typically includes a Readiness Review and a transition visit where they will review evidence of compliance against the new controls.
[02:45] You can get a free copy of ISO 27001:2022 if you sign up to our Transition Programme by April 1st 2023.
[02:55] The last stage ahead of the transition visit is Internal Auditing. For those still planning their 2023 Internal Audits, you may wish to Implement the changes earlier in the year with a view to auditing the changes in the latter half of 2023. Ensure that you allow time to build evidence of compliance ahead of a transition visit.
[03:45] If you need a bit of extra help, we include Internal Auditing within our transition programme – this will typically take 1 day.
[04:30] We can also support you during your transition visit – this could be online or on-site, depending on your Certification Body’s preference.
[05:20] Currently many Certification Bodies are suggesting a half day for the Readiness Review and another day for the transition. Some may choose to include this transition as a part of their annual Surveillance visit to help save on costs. If you have a Surveillance coming up, it’s worth getting in contact with them to see what they would recommend regarding your transition.
[05:43] We advise that you also ask your Certification Body when they will be UKAS accredited for ISO 27001:2022 – they may not be ready to complete a transition visit until the latter half of 2023.
[06:35] For our global listeners, your Certification Body will have an Accreditation Body that needs to verify their ability to conduct transition visits. For the UK this is UKAS, but it may differ for other countries.
[07:15] Don’t leave this until the last minute! Based on previous experience with transitions, we’ve found that companies that leave it until a few months before the deadline often can’t transition in time, and end up having to pay for a full Stage 1 and 2 Assessment in order to keep their certification.
Grab a copy of our ISO 27001:2022 Guideline to the changes here:
ISO 27001:2022 is here, which means it’s time to start thinking about starting the transition process. While the deadline is set at December 2025, it’s never too early to start!
If this is all news to you, check out our previous three episodes, where we reviewed all the major changes to ISO 27001, including clause updates and the 11 completely new controls added.
Join Mel this week as she explains what you need to know before embarking on your ISO 27001 transition journey, in addition to a summary of our transition programme.
You’ll learn
- How to plan for your ISO 27001 transition
- How can Blackmores help you?
- How can you get a free copy of ISO 27001:2022?
Resources
In this episode, we talk about:
[00:44] Businesses have until October 2025 to transition to the updated version of ISO 27001:2022 – but don’t wait until the last minute! Certification Bodies get really booked up in the last year, and you could risk losing your certification and paying for another Stage 1 and 2 Assessment.
[01:30] We recommend that you start thinking about your transition in 2023 so you have everything in place to start the process in 2024.
[02:28] As a recap – the major changes to ISO 27001:2022 are: 56 controls have been merged into 24 newly titled controls, the addition of 11 completely new controls and controls are now categorised into just 4 groups instead of the 14 from the previous version.
[03:00] ISO 27001:2022 Guide to the changes available – Simply fill out the form available at the end of the show notes to grab a copy!
[04:25] Over the next few episodes, Mel will talk through the process of planning, implementing and preparation for the Certification Body transition visit.
[05:51] All steps of the transition process are laid out in our Transition Programme, which includes: an awareness video, a transition action plan, Implementation of changes, Internal auditing of the changes and some optional support during the Certification Body visit.
[08:45] The Planning Phase: We recommend trying to combine your transition visit with your next Surveillance visit – you can have a chat with your CB to see if that’s possible. This may not be possible if your Surveillance is coming up very soon, as you need time to implement the changes needed. Those that have it in say 6 or more months’ time would be in a good position to make the request.
[09:30] Certification Bodies are recommending an extra half day for transition – some may require a desktop review ahead of the actual visit. Combining this visit with your Surveillance is a good way to reduce costs.
[10:30] When planning out your timescales for transition, don’t forget to inform Leadership and key personnel involved in the running of the Management System about the expected changes to come – and plan in time for them to help with the implementation.
[11:10] Understanding the changes: We gave a high-level overview of the 11 new controls in our last episode. We will also have 11 Coffee Break Training courses covering the controls in more detail, available from March 31st 2023 on the isologyhub.
[12:11] Offer: We’re including a free copy of ISO 27001:2022 for those that sign up to our Transition Programme before April 1st 2023.
[12:34] You may get asked for a copy of the Standard at your transition visit – as having a copy can come under ‘other’ legal requirements.
[13:10] Discovery Phase: We have a transition checklist which can help you identify where the gaps are in terms of compliance with the new controls. You may already have some of it in place!
Grab a copy of our ISO 27001:2022 Guide to the changes here:
Keep an eye out for next week’s episode where we dive into how to Implement the changes…
The long-awaited update of ISO 27001 arrived in October 2022, having gone 9 years since its previous 2013 iteration. Needless to say, it was much overdue.
The new 2022 version of the Standard includes 11 new controls and sees around 56 other controls combined into 24 newly titled controls.
In order to cover every aspect of the new Standard, we’ll be running a mini-series through January and February on the updated ISO 27001:2022 in addition to how you can transition to the new version.
Starting off the series strong, Mel is joined once again by Steve Mason, our very own Information Security guru, to broadly discuss the changes to ISO 27001:2022.
You’ll learn
- Who is ISO 27001:2022 applicable to?
- An overview of the changes to ISO 27001:2022
- What is Steve’s favorite change to ISO 27001:2022?
- What are the challenges involved with updating to the 2022 version?
Resources
- Isologyhub
- ISO 27031 (Guidelines for information and communication technology readiness for business continuity)
- ISO 27005 (Risk assessment)
- ISO 22301 (Business Continuity)
In this episode, we talk about:
[01:50] Steve gives an overview of what’s new in ISO 27001:2022 – The updated version of ISO 27001 was released on the 26th Oct 2022. The new version included 24 changes and clarifications within the main clauses.
[02:50] The controls for the new standard are now categorised into 4 groups: Organisation, People, Physical and Technology
[05:50] We covered some of the new controls in more detail in previous episodes: #109, #110, #111, #112, #113 and #114
[06:17] The 24 changes and clarifications to Clauses include older existing clauses which have been tidied up to be more transparent. We recommend reviewing to ensure that you are complying in a way that aligns with the Standard.
[06:35] There are 11 new Controls. 56 controls from the 2013 version have been reduced to 24 with 58 remaining unchanged. So, in short, Annex A has been simplified with less duplication of controls.
[07:44] Steve highlights section A.9 for Access Control as one of the much-improved controls – due to the lack of repetition and simplified requirements for compliance.
[08:35] Steve’s favourite update to the Standard: The whole Standard now collectively encourages incorporation into your business. Your ISMS should not feel like a bolt-on; it should be a part of your business’s DNA.
[10:36] Steve’s favourite update to the Standard #2: It’s not a static Standard, it encourages development and continual improvement.
[13:45] For those completely new to ISO 27001 – check out our 3-part Steps to Success series which explains the Implementation process from start to finish.
[14:38] Listen to some of our client interviews to hear the challenges others faced when Implementing ISO 27001 in addition to the benefits gained as a result of adopting the Standard:
[14:50] Why would the business continuity elements of ISO 27001:2022 pose a challenge? There used to be a clause in the 2005 version of the standard which documented the need for a business impact analysis – this was removed in the 2013 version. The new ‘ICT readiness for business continuity’ control will require at the very least, a risk assessment.
[16:48] Steve recommends checking out the Plan, Do, Check, Act diagram in ISO 27031 (Guidelines for information and communication technology readiness for business continuity). It also includes some great guidance on business impact analysis.
[18:40] The ICT readiness control is not designed to be an all-encompassing business continuity strategy – it’s designed to work in tandem with an existing one (you may already be certified to ISO 22301 Business Continuity Management).
[19:50] It’s highly recommended that if you don’t have a Business Continuity Plan or strategy – at least have a framework in place. Disasters by their nature are unpredictable, as is the resulting damage to an extent. You will not know the full extent until you’ve lived it – so don’t write an exhaustive 80+ page manual that no-one will read, document the what, who and how of getting yourself back up and running again.
[21:11] There has also been an update to ISO 27005 (Risk assessment in relation to info sec). It includes a new set of threat categories: physical threats, natural threats, infrastructure failures, technical failures, human actions, compromised services or functions and organisational threats. These may help you when putting a business continuity framework in place.
[22:05] Above all else – ISO 27001:2022 has modernised and aligned itself more with the likes of cyber essentials and NIST.
Keep an eye out for next week’s episode where we dive into the clause updates…
Data breaches have risen by 70% globally in Q3 of 2022, reinforcing the requirement for many to seek out Information Security solutions, especially those within the tech space.
Today we speak to Triaster, who have been in operation since 1994, providing businesses with process mapping and execution software to help drive business improvement.
Triaster’s Business Operations Manager, Jane Duncan, explains why they sought to implement ISO 27001, what challenges they faced and what they learned during their certification journey.
You’ll learn
- Who are Triaster?
- Why Triaster Implemented ISO 27001
- What did they learn from their experience?
- What benefits have they seen as a result of Implementing ISO 27001?
Resources
- Triaster
- What is ISO 27001?
- Internal Auditing in plain English: A simple guide to super effective ISO Audits by Craig Cochran
In this episode, we talk about:
[00:54] Get to know Jane Duncan – Triaster’s Business Operations Manager who has recently started fostering dogs for a local charity.
[01:41] Who are Triaster? In short, they build software solutions that drive business improvement. They are a thought leader in their field and strive to create new software to meet business needs.
[02:25] What was the main driver for achieving ISO 27001? In 2020, they had certified to the Quality Standard, ISO 9001, and saw the many benefits that come with ISO certification. They saw ISO 27001 as both an opportunity and a necessity due to their work within the IT industry. ISO 27001 is seen as a mark of trust and provides a central framework to improve data security.
[04:28] How long did it take to implement ISO 27001? They started looking at certification bodies and consultants to help with implementation in March 2021. The project overall lasted six months, with their assessments taking place in September and October of the same year. They also chose to recertify to ISO 9001 at the same time – this aligned both Standards under one Integrated Management System.
[06:35] If you are considering implementing multiple ISO Standards, it’s recommended to integrate them into a single Management System. This reduces the costs of implementation and is overall easier to maintain.
[07:17] What was the biggest gap identified in Triaster’s initial Gap Analysis? They had a lack of security policies in place in addition to a lack of processes that would have mitigated potential data security risks.
[08:00] What was the biggest difference ISO 27001 made? They now do regular annual SWOT and PESTLE’s that are evaluated at Management Reviews. Risks identified during those reviews are added to a risk register and are used to develop the necessary objectives and controls needed to mitigate future risk.
[08:38] Other differences include the ability to track non-conformities, security risks and opportunities for improvement. They also have the confidence to prove their data security credentials to clients and have the required documentation to back it up. Tendering processes are also made easier by having ISO 27001 as it is often a requirement that can now be ticked off.
[09:25] Triaster use an infrastructure partner (who are also ISO 27001 certified) and can now hold them accountable for the services they provide.
[09:50] Jane states that they are now a much better business following the Implementation of both ISO 9001 and ISO 27001 – continually improving their processes and scrutinising working practices.
[10:54] All of the same security practices can be followed by those who are homeworking at Triaster.
[11:05] What has been the main lesson learned? The process of certification is a journey – it’s about continually improving and truly adopting the ethos of Information Security into every aspect of the business.
[11:52] What are the main benefits? They hope their clients can see their efforts and have confidence in Triaster’s ability to keep their data secure. They also now have the processes in place that drive continual Improvement.
[12:33] Jane’s top tip: Document what you do as a business and look for gaps. Also, certification is a journey, and you shouldn’t stop striving to improve once you achieve certification.
[13:00] What book would you recommend and why? Internal Auditing in plain English: A simple guide to super effective ISO Audits by Craig Cochran
[14:15] Jane’s favorite quote: “No one is you, and that is your superpower”
Today we’re joined by Philip Bailey, Managed Services Director at PMC Retail, to talk about PMC’s experience with ISO 27001, from implementation to on-going maintenance.
PMC is a leading retail IT services and solutions provider, who recognised the growing need for formal Information Security certification. They succeeded in achieving certification to ISO 27001 in 2021, now almost a year down the line, we catch up with Phil to find out what they’ve learned, benefits of certification and some tips for those looking to implement ISO 27001.
You’ll learn
- Who are PMC retail?
- How do PMC currently manage their ISO 27001 certification?
- How has the ISO Support Plan helped?
- What have they learned from implementing the standard?
- What are the benefits of implementing ISO 27001?
- ISO 27001 Top tips from Phil
Resources
In this episode, we talk about:
[01:03] An interesting fact about Phil – He started in electronic engineering and was involved in the build of a system designed to measure the mirrors used in a telescope that was carried on the Discovery shuttle!
[01:44] Who are PMC Retail?
[03:49] An example of one of PMC’s projects – Pulling together legacy systems, updating them to newer technologies while maintaining the legacy data.
[04:40] Learn about Phil’s role at PMC
[05:45] PMC are now certified to ISO 27001 – one of the most popular ISO Standards globally in recent years. It’s becoming something of a mandatory requirement in the tech space when bidding for contracts.
[06:31] How do PMC manage their ISO 27001 certification – Created a small team dedicated to the task of achieving certification – along with some help from us 😊 Following certification they onboarded a Compliance Governance Manager to keep up with Internal Audits and other ISO maintenance.
[08:25] How has the ISO Support plan helped? – Blackmores helped to implement the standard, and were very familiar with their system and way of working. Great to have a wealth of knowledge to tap into.
[09:00] PMC managed to implement the standard in just 6 months!
[10:25] What did PMC learn from their experience? It wasn’t an easy task! Getting leadership commitment from the start made a huge difference.
[11:50] The benefits PMC have experienced by implementing and maintaining ISO 27001: Being able to identify risks and put actions in place to mitigate them. Certification demonstrates a robust security infrastructure to third parties. Establishes more credibility to customers and partners. They are able to see a pathway for business growth, utilising the certification.
[14:30] ISO 27001 has helped to collate and bolster their existing Information Security structure – Having a library of resources, unified policies and procedures, company wide Objectives, and better understanding of measuring & managing risks.
[16:15] PMC ensure that staff complete annual training – as required by the Standard.
[17:10] Phil stresses that you can’t just stand still where Information Security is concerned: you need to be aware of new risks and make sure those in your business are also aware and know how to react.
[18:00] Top tips from Phil: Get Leadership commitment early on. Build yourself a Management Team. Get help from an experienced external party. It’s not a walk in the park, and needs focus to achieve in a reasonable amount of time.
[19:42] Phil’s book recommendation: The Magic of Thinking Big by David J. Schwartz.
[21:42] Phil’s favourite quote: “You’re never too old to set a new goal, or too old to dream another dream”
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on Twitter or LinkedIn
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube | iTunes | Soundcloud
ISO 27002 was recently updated this year – along with a reduction in the overall number of controls, 11 completely new ones were added to keep up with new and emerging technology.
One of the new controls added under the organisational category is something called threat intelligence. But what does this mean exactly?
Steve Mason joins us again today to delve deeper into threat intelligence: he explains what it is, gives examples of the different types and shares some tools and activities that will help you develop threat intelligence.
You’ll learn
- What is threat intelligence?
- What does threat intelligence actually do?
- The different types of threat intelligence
- What tools can you implement to help with threat intelligence?
- What activities can you do to help develop threat intelligence?
Resources
In this episode, we talk about:
[01:19] The definition and purpose of threat intelligence
[03:01] Threat intelligence doesn’t have to factor into your scope and context – you can integrate findings in later
[03:50] Threat intelligence is about being aware of not only internal threats, but global threats that could impact your business
[04:50] Threat intelligence is not only about IT (i.e. viruses)
[05:19] That being said – cyber threats are still a big factor. So ensure you have tools, training and measures in place to reduce cyber attacks and breaches.
[06:30] Types of Threat intelligence, including: Cyber, Strategic and Tactical
[07:58] What threat intelligence actually does – Firstly ensure that you are collecting relevant data. That data can be analysed and used to reduce risk, to help you be proactive instead of reactive to threats.
[09:51] Threat intelligence is very applicable to Business Continuity (ISO 22301)
[10:35] The different types of tools you could consider, including: Security information and event management (SIEM) and CSOC – Cyber Security Operation Centres
[12:30] Types of threat intelligence activities you can do. This includes: Establishing objectives, collection of information from selected sources, analysing information to understand how it relates and is meaningful to the business and communicating information to relevant individuals.
[15:10] Ensure your threat intelligence is dynamic – and use it to inform and update your Risk Assessments at regular intervals
[16:30] Threat intelligence works with the Plan-Do-Check-Act cycle that is commonly seen in most ISO standards
[17:10] Threat intelligence can be used by any business regardless of any ISO certification you may or may not have.
[18:05] Keep an eye out for our ISO 27001:2022 migration support offering!
Download our ISO 27002 changes Quick Guide here:
Just a reminder, we’re offering 6 months free access to the isologyhub for anyone who signs up to an ISO Support Plan!
ISO 27002 was recently updated this year – along with a reduction of overall controls, 11 completely new ones were added to keep up with new and emerging technology.
As a reminder, ISO 27002 (Information security, cybersecurity and privacy protection — Information security controls) is a guidance document which provides further best practice advice to strengthen your IT Security.
Today, Steve Mason explains the changes made to the 2022 version of ISO 27002, gives a summary of the 11 new controls and gives examples of some key considerations and actions you can take to implement them.
You’ll learn
- What changes have been made to ISO 27002:2022
- Why ISO 27002 has been updated in 2022
- An overview of the 11 new controls added to ISO 27002
- Examples of actions you can take to implement the new controls
Resources
In this episode, we talk about:
[01:28] A brief summary of the changes to ISO 27002:2022, including new controls, new structure and attribute types
[05:30] Controls in ISO 27002 now have a defined purpose to avoid misinterpretation
[06:29] A summary of the 11 new controls by name and category
[08:10] Threat intelligence – What tools do you have in place to identify threats? How do you monitor your threat intelligence effectiveness?
[11:20] Information Security use of Cloud Services – A reminder that ISO 27017 covers this in more detail! Do you have a cloud policy in place? Does it align with your clients’ security requirements?
[13:10] ICT readiness for Business Continuity – Focus on recovery of IT services following a disaster. Do you have Business Impact Assessments in place? If you’re certified to ISO 22301 – this area is most likely covered
[14:36] Physical Security monitoring – Are you monitoring physical security, i.e. keycard access, CCTV etc.?
[16:23] Configuration Management – Are your IT systems working well together? Do you have an established configuration for passwords (i.e. how many characters, alphanumeric, symbols etc.)?
[18:13] Information Deletion – If data needs to be deleted, ensure that it’s deleted in a secure manner and can’t be recovered.
[21:48] Data Masking – Make sure that any data that shouldn’t be shared is masked in some way, i.e. obfuscated or anonymised.
[23:31] Data Leakage – Put measures in place to stop data being leaked through, for example, USB drives or people sending business information to personal email addresses.
[26:55] Monitoring Activities – You could monitor network traffic, software access etc. Be selective in your monitoring; only do so if it will be of benefit to the business.
[28:04] Web Filtering – Ensure that employees can’t access any nefarious / high risk websites that could cause a security breach.
[30:15] Secure Coding – Make sure that coding is done securely, so that any software developed is secure and free of as many vulnerabilities as possible.
Did you know there were 80 identified security incidents, resulting in 34,908,053 compromised records in June 2022 alone!
Standards such as ISO 27001 can help you put measures in place to reduce risk and help set up procedures for data recovery. However, not as many adopt the guidance document ISO 27002 which provides further best practice advice to strengthen your IT Security.
ISO 27002 has recently been updated with 11 new controls that tackle recent emerging technology not covered in ISO 27001:2013.
Today, Mel explains ISO 27002 (Information security, cybersecurity and privacy protection – Information security controls), why it’s been updated and gives a high-level overview of the changes.
You’ll learn
- The purpose of ISO 27002
- How ISO 27002 works with ISO 27001
- Why ISO 27002 has been updated in 2022
- A basic overview of the changes to controls within ISO 27002:2022
Resources
In this episode, we talk about:
[00:30] A reminder to keep an eye out for future episodes on the upcoming updated version of ISO 27001:2022
[00:52] An introduction to the guidance document ISO 27002
[02:02] Controls from the updated version of ISO 27002 can be implemented right now – not a requirement of ISO 27001 but recommended.
[02:25] Why ISO 27002 has been updated – To bring it up-to-date with the latest technologies and simplification of controls
[03:15] What this means for your Information Security Management System
[03:50] We expect to see the new controls in ISO 27002 to be reflected in the updated version of ISO 27001 coming out later this year.
[04:27] Reminder: ISO 27002 is not a certifiable standard but it is best practice.
[05:00] ISO 27002 had its last major update in 2013 – think how much technology has changed since then!
[06:00] A summary of the changes to controls in ISO 27002
[07:25] New controls added to ISO 27002 highlight that the standard is more than just IT Security – A trait shared with ISO 27001
[09:13] A summary of what categories the 11 new controls fall under
Today, we’re joined by Morgan Sindall’s Head of Information Security and Compliance Neil Binnie, to discuss the Information Security Standard ISO 27001.
Morgan Sindall has been ahead of the curve when it comes to information security, having been certified to ISO 27001 for almost 3 years, but with information breaches becoming more common it’s even more vital to get ISO 27001 certified to prove you have a robust information security framework.
Neil explains the importance of information security, the new cloud security standards that are coming out, and the benefits of using ISO 27001.
You’ll learn
- The importance of information security in the construction industry.
- The benefits of using ISO 27001 as your information security framework.
- How to implement ISO 27001 within your business.
- The recent shift in mindset around data usage.
- How hackers are using supply chains to attack businesses.
- The new standards that are coming out to tackle cloud security.
Resources
In this episode, we talk about:
[02:27] Why information security is so important in the construction industry.
[03:34] The benefits of having the ISO 27001 framework in place.
[05:28] Why supply chain security is so important.
[06:20] How a construction company can help to secure their supply chain.
[08:34] Neil’s experience implementing ISO 27001 in Morgan Sindall.
[12:43] The cloud security standards that are coming out.
[14:52] The benefits of having ISO 27001 in place prior to the Covid lockdowns.
[17:21] The incorrect assumptions people have about ISO 27001.
[18:37] The importance of having a collaborative approach when implementing ISO 27001.
If you need assistance with implementing ISO 27001 – Contact us!
Today we’re joined by Senior Information Security Consultant, Steve Mason to discuss how working from home has affected our online security.
Remote working has become the norm during the pandemic and it’s proven that it can be an effective way for people to have a good work-life balance.
But with working from home come many security risks: we need secure Wi-Fi connections, virus-free laptops, and to be working in environments where we can’t be listened in on.
Steve is an information security expert and as data security risks for homeworkers have shot up, he’s here to explain what we can do to negate this risk.
We talk about the general security risks of working remotely, and the importance of businesses taking this seriously and creating effective processes to mitigate that risk across their business…
You’ll learn
- How our approach to technology is changing.
- The increased security risks involved with working from home.
- The necessity of training your staff in home security.
- How to access our policy around virtual meeting room security.
- How to improve your home security and safety.
- How to reduce the chances of getting a virus or trojan.
Resources
- Isology Hub
- The Virtual Meeting Room Policy – Email us for a copy!
In this episode, we talk about:
[02:30] The added difficulties involved with improving remote clients’ security.
[04:06] The benefits of using company devices and the security risks of using your own device and working from home.
[05:47] How to know you’re using a good VPN and adequate virus protection.
[06:36] Using a working from home policy and the benefits that can have.
[09:30] How to monitor employees’ software usage if they are working remotely.
[10:50] Issues some remote workers have with backing up their documents securely.
[12:17] The ways working from home affects your home insurance.
[14:09] The importance of fixing all security weaknesses you become aware of.
[16:56] The necessity of proper security training being given to staff working from home.
[18:38] Security in virtual meeting rooms and the policy we created around that.
[21:10] The main risks involved with working in public places like a coffee shop.
If you need assistance with implementing ISO 27001 – Contact us!
Dinesh Sharma, Director of Information Security Governance at Epiq, joins us on the ISO Show today. He discusses ISO 27001, his in-depth experience of this standard, how it’s working for Epiq, lessons learned, and how he manages this globally for Epiq Global.
We are so excited to interview Dinesh! He has a wealth of experience in terms of implementing frameworks like ISO 27001 and PCI DSS. He’s got plenty of experience ranging from developing information security policies, procedures, managing risk assessments, to delivering security training and awareness, and overseeing internal audits. He also has expert experience in security management and governance as his last 15 years focused on information security.
You’ll learn about:
- What Epiq does
- What it means to be Director of Information Security Governance
- Setting up a security team and managing it in terms of global responsibilities
- Continual improvement at Epiq
- Dispelling ISO 27001 myths
- What has worked well for Epiq in relation to ISO 27001
First and foremost, let’s dive into what Epiq is and does…
What does Epiq do?
Epiq, primarily based in the U.S., is a global professional services company, operating in approximately 25 countries including Germany, Belgium, India, London and so many more.
Epiq primarily provides support to the legal industry (so to law firms and the legal departments within large organisations). Their key service is around E-discovery. This is where there is potentially an investigation, or if two parties are about to enter a litigation. Some processes need to happen around data collection, data review, forensics, processing and document review. Epiq can make all of this so much more efficient and cost-effective for clients! Another core service Epiq provides is court reporting and transcription services. Other services include business transformation services, class-action and a range of other services.
Now, let’s find out more about Dinesh’s role…
Role at Epiq
Dinesh is part of the Global information security function at Epiq. They have a dedicated Global information security team to support the business.
Dinesh’s specific role is to lead the security governance side of things. This means that he manages and helps to define the information security policy set and Information Security Management System (ISMS) within Epiq. He also leads and coordinates the internal security assessments (part of which is internal ISMS audits as well as internal security audits across Epiq). He even reviews and provides input on contracts of clients and vendors around security clauses to ensure they align with the policies of Epiq. His team also delivers staff security awareness and training. Finally, his team manages security certifications including ISO 27001 (very relevant for today!).
So, let’s explore how a mature ISMS is managed…
How to go about setting up a security team and managing it in terms of global responsibilities?
At Epiq they have a dedicated team within their information security function for security operations. This team oversees the security toolset, they monitor the alerts from this toolset, such as their end-point detection and the logging and alerting around network security. This security operations team also takes the lead on defining their processes and handling any security incidents. So, they have a separate team for this specifically.
They also have a separate team for security architecture and security engineering. These teams work very closely with the business to make sure that security is considered and embedded within the projects and new offerings Epiq has as a business, as well as developing their tools. So, if Epiq is looking to implement a new security tool, this team will be very involved in looking at the different vendors that provide that offering, how that would be embedded and work within the infrastructure of Epiq, and the environments with which they serve their clients. So, Epiq has got the structure of sub-teams within the security function well defined!
Of course, sitting on top of this, Epiq is very fortunate to have some very experienced and very qualified leadership come into that team. The governance and operations side is managed by a gentleman called Jason. He has lots of experience and brings experience from other industries he’s worked with. He has a peer called Andrew, who looks after the engineering and architecture side. Epiq also has a new Chief Security Officer (CSO) who is very knowledgeable and savvy. He is doing a really good job of lifting the profile of not only security within the organisation, but also Epiq’s security functions. So, they are fortunate to have that leadership as well.
This is fantastic…when organisations are starting with implementing an ISMS, we always find that leadership commitment is so key! It’s great to hear that Epiq has got a mature management system yet is still continuing to focus on leadership commitment and bringing that in from various angles across the organisation as well.
In terms of the ISMS then…
Epiq has got many other security standards, so what we want to know is how their ISMS helps them to manage all their activities.
Well, looking at the requirements of ISO 27001 and setting up an ISMS that works, Dinesh thinks the most important thing it gives an organisation, regardless of what level of maturity it is at, is a clear statement of the basic components and principles of a framework that you should have, or should consider having, in place. This is because if you want to go for certification to ISO 27001, then you must have some of these things in place.
Dinesh very much sees this as a baseline!
Once you’ve established that baseline, with the documentation, the processes which support the documents and the staff in place who can deliver on those processes, you then think: ‘what can you do to increase the maturity?’
A big part of ISO 27001 is continual improvement. This is something Dinesh thinks is very important and puts a lot of focus on in his role. It is tied in with the internal security reviews and internal assessments that happen. But any feedback they get from the business, or any input or discussions they have with the business which raise or flag something (e.g., a potential blocker), is put onto their continual improvement register to be worked on with the team or the business area. It might be something they have to work on themselves. The important thing is to always look out for these kinds of things. That’s why this is a key area of focus for Dinesh in his role, as he thinks about what can improve each step of the ISMS in Epiq.
However, a lot of companies, once they’ve completed the assessment, think that’s the job done. But you can’t put your feet up just yet! This is only the beginning of the journey, which is why Dinesh identifies this as the baseline and the foundation to be used for continual improvement.
So, let’s look at what Epiq has implemented in relation to continual improvement, which has been above and beyond this baseline.
Epiq and continual improvement
Epiq has implemented Critical Asset Reviews. They identified their 15 most critical assets and, instead of doing a full security review, they pick the 10 most important controls and other controls they think would deliver the highest level of security if they had them in place. So, they have done a very focused security review, based on risk and what they think their most important assets are. They dig deep into what the risks and issues are and, by acting on these, it moves Epiq to another level.
Now, let’s move onto the part where we dispel myths around ISO standards!
Dispelling ISO 27001 myths
Dinesh believes that a good understanding of ISO 27001 is needed to know what the standard actually means. There is a difference between being aligned and being certified to ISO 27001. So, an independent review of your ISMS is really important as it shows you haven’t just picked and chosen which parts of the core standard you’re going to implement. It shows that you’ve had to do them all and have had that verified and tested. This would provide a level of assurance to your organisation and stakeholders. That’s why there is such a big difference between being aligned to the standard and being compliant with it.
Finally, I’m sure our audience would love to know…
What has worked well from an information security perspective in relation to ISO 27001?
Dinesh identifies the top-level management commitment within a business as the most crucial thing in any implementation of a standard. The business needs to understand the importance of information security. So, everyone needs to be aware of what the benefits are, what’s going on and what is important…having this conversation in your business really makes everything easier according to Dinesh. Epiq does this during their management reviews, where all four of their CEOs attend. They take the management review section of ISO 27001 and cover most of it in their quarterly meetings, and because this is visibly supported by their CEO, the business leaders reporting to the CEO and all their directors attend the management reviews as well. So, they all understand what’s going on, what’s important and what the key risks are from the security team’s perspective.
That’s it from Dinesh! We hope you enjoyed learning about Epiq’s journey…it’s inspirational to hear how Epiq is still developing, evolving, improving and still getting such fantastic commitment from the very top as well. It clearly demonstrates Epiq Global’s commitment to information security without a shadow of a doubt!
Contact details for Dinesh: if you have any enquiries or would simply like to connect with him, you can get in touch using one of the ways below:
Email: dsharma@epiqglobal.co.uk
Website: Epiqglobal.com
LinkedIn handle: uk.linkedin.com/in/dineshcsharma
Today, we’re joined by the Director of Corporate Assurance at Totally PLC, Falu Bharmal.
Falu plays a key role in working with NHS England and has in-depth knowledge and understanding of ISO implementation, Legal Policy relating to corporate governance, health and safety, and integrated Risk Management. He has extensive experience in establishing new corporate governance structures, systems, and processes to ensure organizations are fit for purpose.
Today, Falu is here to discuss ISO 27001 (Information Security Management), and why it’s so important to have consistent practices throughout a company.
Falu explains how he’s able to implement new ISO’s so effectively and some of the biggest improvements ISO 27001 has allowed him to make.
We talk about how best you can prepare before implementing a new standard, and how ISO’s can help systemise your way of working across a company.
Visit the Totally PLC website to learn more about their services.
You’ll learn
- The benefits of working as a group with consistent practices throughout a company.
- How to effectively prepare for and implement new standards.
- How ISO 27001 is used as a best practice mechanism.
- How implementing standards can help to systemise the ways of working across a company.
- How many people you need to be involved with the implementation of new standards.
Resources
In this episode, we talk about:
[00:29] The services Totally PLC supplies and how they support the NHS and reduce A&E waiting times.
[03:30] The different divisions that make up Totally PLC.
[05:36] The ways Falu as Director of Corporate Assurance is involved with ISO implementations.
[06:34] How Falu implements ISO standards effectively.
[07:21] How ISO 27001 is used as a best practice mechanism for Totally PLC.
[08:20] Some of the biggest improvements Falu’s made through using ISO 27001.
[09:25] How ISO standards help to systemise ways of working across a company.
[10:14] The different roles Totally PLC has dedicated to ISO implementation.
[12:18] The best things you can do before implementing a new standard.
[13:46] The extra pressures Totally PLC has faced due to the pandemic, and the new opportunities this has brought.
If you need assistance with implementing ISO 27001 – Contact us!
Steve Mason is a Senior Consultant at Blackmores (UK) Ltd, and has a 100% success rate of supporting clients in achieving their ISO 9001 & ISO 27001 certifications on their first time.
With over 38 years of experience working with standards, Steve is incredibly knowledgeable about how to ensure companies get the best benefits when implementing new standards. Steve has never stopped advancing himself and continues to broaden his knowledge of new standards as they come into existence.
Today, Steve is back to discuss the new ISO 27017 (Information Security Controls for Cloud Services Standard), and why it is needed in addition to ISO 27001.
The current publication of ISO 27001 was released back in 2013 before cloud security was as big of a concern. Due to this, it does not adequately cover cloud security and hence the new standard ISO 27017 was released.
It is wise not to assume that the cloud is secure on its own; you need a provider that can demonstrate protection from hacking and guarantee your security.
The standard brings 7 new controls:
- 6.3.1 Shared roles and responsibilities within a cloud computing environment
- 8.1.5 Removal of cloud service customer assets
- 9.5.1 Segregation in virtual computing environments
- 9.5.2 Virtual machine hardening
- 12.1.5 Administrator’s operational security
- 12.4.5 Monitoring of cloud services
- 13.1.4 Alignment of security management for virtual and physical networks
In this episode, Steve talks through some of these new controls, explains why they’re so important, and describes who can benefit from implementing this new standard.
You’ll learn
- How the standard works for both customers and providers.
- How ISO 27017 works as a unique selling point for businesses.
- The new controls and how they demonstrate security within the cloud.
- The benefits of adopting ISO 27017.
- How doing a gap analysis can help you to understand what cloud controls you already have in place.
Resources
In this episode, we talk about:
[01:30] Why it’s important to have a standard for cloud security when we already have ISO 27001.
[02:46] The type of new controls and how they make the standard ‘cloud effective’.
[05:37] Some examples of the new controls.
[07:20] The prerequisites you need before implementing ISO 27017.
[08:37] The type of certificate you get with ISO 27017.
[10:22] How ISO 27017 can set companies apart from their competitors.
[11:03] What the future for ISO 27001 and ISO 27017 looks like.
[13:03] Advice for anyone thinking of implementing the standard.
[14:20] The main benefits there are from implementing ISO 27017.
If you need assistance with implementing ISO 27017 – Contact us!
Steve Mason is a Senior Consultant at Blackmores (UK) Ltd, and has a 100% success rate of supporting clients in achieving their ISO 9001 & ISO 27001 certifications on their first time.
With over 38 years of experience working with standards, Steve is incredibly knowledgeable about how to ensure companies get the best benefits when implementing new standards. Steve has never stopped advancing himself and continues to broaden his knowledge of new standards as they come into existence.
Today, Steve is here to discuss ISO 27701 (Data Privacy), and why it’s so important to have so that you can prove you are GDPR compliant.
Since the new European Data Privacy Laws were introduced in May 2018 there have been over 150,000 personal data breaches within Europe, and the estimated total of GDPR fines total a little over 220 million euros.
Steve explains why GDPR is so important, how companies can avoid having data breaches, and what makes ISO 27701 different from previous standards.
You’ll learn
- How ISO 27701 can help companies demonstrate compliance with the requirements of GDPR.
- The ways ISO 27701 is different from ISO 27001 and why you need both standards.
- Who you can share PII with while still maintaining GDPR compliance.
- The correlations ISO 27701 has with ISO 27002.
- The potential impact implementing ISO 27701 can have.
Resources
In this episode, we talk about:
[00:29] The big personal data breaches that have happened in the last 2 years, and the fines the companies received for not being compliant with the data protection laws.
[04:11] Why we have General Data Protection Regulations and what they are there to protect.
[06:36] What ISO 27701 is and how it helps companies be GDPR compliant.
[09:26] What PII (Personally Identifiable Information) is.
[11:41] An overview of ISO 27701 and what its main clauses are.
[14:04] What the two control sets of the standard are and what the difference between a data controller and a data processor is.
[17:20] How this standard helps companies know what needs to be put in place to be GDPR compliant.
[18:51] What makes ISO 27701 better than BS 10012 and why it will eventually completely replace it.
[22:14] What you already need in place to get ISO 27701 certified.
[24:10] The main benefits companies gain from implementing this standard.
If you need assistance with implementing ISO 27701 – Contact us!
In this episode we are joined by Mark Frudd, Managing Director and Founder of security and software development company TriplePs.
Mark’s here to tell us about the information security standard ISO 27001. It has brought his business countless benefits, allowed it to expand and helped it win government contracts. But it hasn’t all been plain sailing: the standard has brought up some unique challenges for Mark to overcome. He explains what these are, how he tackled them, and what he wishes he had known before embarking on this journey…
Mark Frudd is the Managing Director, Founder and security expert at software development company TriplePs. His work history revolves around the cybersecurity industry and delivering high-profile public sector projects.
With a personal motto that IT and security doesn’t need to be expensive to be effective, Mark now focuses on providing affordable security, and software solutions, that meet the needs of both his clients and their end-users.
This episode, Mark is here to talk about his experience implementing and managing the information security standard ISO 27001. After putting the ISO into place his company quickly expanded in size and Mark soon realized that the standard wasn’t being effectively implemented across his business.
He explains why this was, what he did to rectify it, and how he could have avoided that happening in the first place.
In his own words ‘An ISO isn’t just for Christmas, it’s there every single day. You don’t just manage it, you adopt it.’
Mark explains how having ISO 27001 helped expand his business and why it’s so important when trying to gain government contracts.
Finally, he explains how following this standard has shaped TriplePs business strategy and the different benefits that it has brought to his business…
Website: https://www.triplepsltd.com/
Twitter: https://twitter.com/TriplePsLtd
Linkedin: https://www.linkedin.com/company/triplepsltd
You’ll learn
- How Mark ended up implementing ISO 27001.
- Why ISO 27001 is important for maintaining a high information and security standard.
- The challenges involved in implementing ISO 27001.
- The benefits of following ISO 27001 and how it can help with expansion.
- How Mark manages ISO 27001 across his business.
- The importance ISO 27001 has when gaining government contracts.
- Why Mark decided to bring in a specialist to help implement the standard properly.
Resources
In this episode, we talk about:
[00:33] Who Mark Frudd is and how he ended up implementing ISO 27001.
[01:04] Who TriplePs are.
[01:51] Mark’s history working in Butlins, and what he learnt there.
[02:51] The type of security work TriplePs does.
[05:35] Why TriplePs decided to work with Blackmores when implementing the ISO 27001 procedure.
[07:22] What Mark’s role in TriplePs is and what his daily work life looks like.
[09:00] What the process for implementing ISO 27001 looked like.
[11:16] The importance of maintaining the right ISO standards when your company goes through rapid growth.
[13:18] The importance of adopting ISOs into the heart of your business’s culture.
[15:52] How ISO 27001 has shaped TriplePs’ business strategy.
[18:57] The best way to implement a new ISO standard.
[20:51] The benefits involved with following the ISO 27001 standard.
[23:34] Mark’s favorite book.
[24:36] How ISOs are a constant and not ‘just for Christmas’.
[25:27] How to find out more about TriplePs.
If you need assistance with implementing ISO 27001 – Contact us!
Yousif Rajah is the Head of Info Sec at dotdigital, a UK-based tech company that builds software service solutions to help customers engage with their clients. He coordinated most of the work involved in creating the ISO 27001 system, and recently contributed to dotdigital becoming ISO 27001 certified.
“It sounds daunting and it feels daunting, but if you have a program in place already, chances are you’re quite a long way down the road already.” – Yousif Rajah
Picture this: Your digital marketing company is expanding, and you know you need to comply with data protection requirements, protect your reputation and demonstrate to customers that you have taken the steps to protect your business and their personal information. You’ve heard of the importance of becoming ISO 27001 certified but are unsure where to start. Join us today as our guest, Yousif Rajah, explains his company’s journey in becoming ISO 27001 certified, the changes he has noticed since implementing this ISO standard, and how you can get started on becoming certified today.
Website: https://dotdigital.com/contact-us/
You’ll learn
- What dotdigital is, what it provides, and what Yousif’s role is
- The company’s main driver behind implementing ISO 27001
- How long it took to become ISO 27001 certified
- The scope of the ISO 27001 certification
- Gap analysis after becoming ISO 27001 certified, and reaching the standard
- The benefits and risks associated with expanding globally, while maintaining the ISO 27001 standard
- The benefits, in general, of implementing ISO 27001
- Tips for implementing ISO 27001
In this episode, we talk about:
[01:13] What does dotdigital do?
[02:14] Something not many people know about Yousif
[03:34] Main driver behind implementing ISO 27001
[04:57] The journey of becoming certified and going through the assessment
[05:52] What is the scope of the certification?
[07:56] What was the biggest gap in the gap analysis?
[09:16] Addressing the gaps and the difference it made within dotdigital
[11:04] The benefits of certification on a global scope
[12:35] What Yousif has learned since implementing ISO 27001
[13:28] Main benefits to dotdigital in achieving certification
[15:30] If you could give any tips to someone implementing ISO 27001, what would they be?
[16:11] If you could gift a book to somebody what would it be and why?
[16:49] Favorite quote to leave listeners with
Need assistance with ISO 27001? – Contact us!
There are many misconceptions around the well-known ‘Clear Screen, Clear Desk’ policy used in IT security. Join Mel and Steve Mason on this week’s episode as they discuss some top tips and share some of their own stories.
When looking at clear desk in an assessment, it is important not to focus purely on individual desks but on the broader work areas to which employees have access.
Top Tips:
- Clearing all whiteboards of information that is no longer required (take a photograph first to prevent loss)
- Checking all flip charts and removing sheets that have already been used
- Checking all photocopiers and printers (and the surrounding areas) for any forgotten or discarded documents
- Checking all confidential waste bins for any that are overflowing; if items can be removed, put them in a new bin
- Checking for any confidential documents left on desks or in trays on desks
- Checking empty and unoccupied rooms for confidential waste
- Checking all cabinets to see that they are locked; if they are unlocked, check that there is no confidential documentation in them
- Checking that keys are securely locked away; if they are kept in pedestal drawers, ensure that no confidential information is stored in those drawers
- Checking that riser doors labelled ‘Keep Locked’ are in fact locked
- Checking that all ‘mail’ pigeon holes have been cleared after previous ‘out of hours’ work
Clear screen is much more than just locking your screen when you walk away from your desk; it is also about making sure that you do not store information on your laptop or PC desktop. While it sits there it is at risk of being lost if the hard drive fails, as it is not backed up; there is also the inconvenience that others who need the information cannot get to it, which impacts the integrity and availability principles of information security.
We’d be happy to assist you with ISO 27001 (Information Security) or BS 10012 (Personal Information Security), or you can contact us for a Clear Desk Clear Screen prompt sheet.
To help out the ISO Show:
- Share the ISO Show on Twitter or LinkedIn
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and I read each one.
Is it okay to ever use a personal e-mail account address for business, or send business e-mails to my personal e-mail address?
The short answer is ‘No!’ Doing so opens your business up to security, legal and professional risks that may lose you customers and can damage your reputation.
All businesses have the capability to access their emails on all sorts of equipment: smartphones, tablets, PCs and laptops (the latter two through a secure VPN back to the business itself). So there is no reason to resort to personal e-mail accounts for business use.
Beyond convenience, there are far greater risks to the business in terms of security, legal compliance and business reputation that should be enough to deter employees from using such risky methods in the corporate environment.
What are the security risks of using a personal account for business?
Personal email accounts exist outside the IT department’s control; therefore they are not subject to backup, archiving, security or governance, so using them for business purposes is a clear violation of compliance regulations. Furthermore, as they are beyond the bounds of the IT department’s control, there is no guarantee that e-mails are secure or will remain free of viruses.
If e-mails held in personal accounts are not backed up, audit trails are lost and the business and its employees are exposed to losing important information that the business must, by law, retain as evidence of good business practice; this opens the company up to suspicions of fraud.
Employees sending e-mails to their personal e-mail addresses cannot guarantee the security of those e-mails, particularly if they use systems such as Hotmail and Gmail, which are notoriously vulnerable e-mail systems and have been hacked on many occasions. How would it look if you lost company information because of a data breach in an employee’s personal e-mail account? It would damage your reputation and may result in lawsuits.
While you may have appropriate antivirus protection in place, can the same be said of employees’ home computers? Typically the answer is no, either because the antivirus has not been kept up to date or because the product in use is not as effective as the one used within the business. If an employee sends an e-mail to a client from their home system, it could be infected by a virus that you have had no ability to control, and the reputation of the company is impacted.
And since personal emails are not stored on company servers, discovery for DPA/GDPR and Freedom of Information requests is seriously compromised, presenting legal risks to your organisation.
If you are concerned about your organisation’s data security, you may want to consider ISO 27001 (Information Security Management) or BS 10012 (Personal Information Management).
If you would like to learn more about ISO 27001, we do have a 2 part Podcast series discussing the journey to certification. Listen HERE.
Discover more of what Blackmores has to offer by contacting us today!
A question we often get asked at internal audits is ‘Have I passed?’ The question is irrelevant, as we are auditing a sample of the business processes, not the individual, and in the real world no business is perfect. It is not about pass or fail; is just a ‘pass’ even good enough? It is about making sure you have robust systems in place to meet your clients’ requirements and reduce risk, so you don’t fail your clients’ or your business’s own high standards.
Embedding an information security system doesn’t happen overnight. It takes time to establish a system, so it becomes part of an organisation’s DNA.
In our final Podcast episode on how to implement ISO 27001, Steve Mason, Senior Consultant at Blackmores takes us through the last few months of an ISO 27001 project. This stage generally takes three months because it is a UKAS requirement that the system is ‘established’ prior to the assessment.
It is helpful to audit all aspects of the ISMS before your assessment; however, you need to take a risk-based approach and align the audits with the organisation’s needs.
Steve Mason talks us through a typical internal audit and what to expect. Each auditor has a different style and each business is unique, so it can never be a tick-box or one-size-fits-all exercise. Each company will interpret the standard differently and assumptions cannot be made.
A typical audit of Human Resources in relation to information security could take 45 minutes. Questions could cover new employee screening, information security training records, and responsibilities, i.e. job descriptions. In some cases the auditor may even look at an example of your employees’ terms and conditions to see whether the disciplinary section covers a security breach caused by an employee (one of the most common types of breach, whether accidental or intentional).
Avoiding ‘death by audit’
Although it is essential for internal audits to be completed prior to an assessment, Steve also recommends planning the audits over a three-year cycle to avoid ‘death by audit’ and to align them with the period for which the certificate is valid (3 years from assessment).
Information Security Health Check
The final step is to ensure that top management are available for the Information Security Management Review Meeting. The purpose of this meeting is to bring together expertise within the business on information security, ready for senior leaders to be informed on the ‘health’ of the business and make decisions, so improvements can be made.
ISO 27001 provides an agenda which needs to be covered at the meeting. Some companies take the approach where all parties need to be involved for the duration; however, a more time-efficient approach is to have the key players present and then bring in specific expertise as and when needed for a short period, e.g. 10 to 15 minutes. The Management Review Meeting shouldn’t be seen as an arduous task but as a useful exercise to review the effectiveness of the system, for example: What are the security incident trends? What is IT monitoring? Is that monitoring (e.g. anti-virus, penetration tests) analysed and effective? Have actions and non-conformances been addressed, and has that action been effective? By bringing together your organisation’s technical skills and data, you will have a thorough ‘Security Health Check’, so management can understand what needs to be done to try to prevent damaging incidents and continue to empower a positive culture of security.
Join us on the Podcast to hear more about the final stages of an ISO 27001 project, including the last, but not least, clause – ‘Continual Improvement’ – and how Steve uses the ‘5 Whys’ on root cause to get to the root of a business’s problems.
Click HERE for further information on our ISO 27001 Steps to Success programme.
Creating an Information Security Policy – begin with the three principles in mind.
Where do you begin with creating your Information Security Management System?
A key document to begin with is the Information Security Policy. This provides a focus and commitment to Information Security, in particular Confidentiality, Integrity and Availability (CIA).
Many people think of Information Security from the point of view of keeping information confidential. However, ISO 27001 is based on three principles – Confidentiality, Integrity, Availability (CIA). Many often overlook integrity and availability.
Integrity is quite simply about the accuracy of information. What happens when an email containing sensitive data is accidentally sent to the wrong person? What happens when shared data on a server is accidentally overwritten? What happens when someone uses the wrong form or document from a shared server? These are all key considerations when thinking about how data is handled in your organisation.
Availability is the principle that is most overlooked, yet one may argue it is the most critical. If your systems and data are not available, how could this impact your business? Unavailability may be due to IT systems or servers being down, access rights being denied, or simply company or client information being stored in someone’s head, on a personal phone or on the desktop of their laptop, so that in effect it is useless to the business because it is not accessible.
How to create your Information Security Policy…
An Information Security Policy does not need to be a huge document. Typically, it is a one-page (A4) document – it needs to be succinct, and to the point, after all, a Policy is a statement of intent from the leadership team, so it should not include lots of procedures.
There is guidance within the standard which stipulates that the Policy should:
- Be aligned with your information security objectives;
- Be compatible with the purpose and strategic direction of the organisation;
- Include a commitment to satisfy applicable requirements related to information security, e.g. legal requirements, ISO 27001 requirements and your stakeholder requirements;
- Include a commitment to continual improvement of the information security management system.
The Information Security Policy then needs to be communicated to employees. This can be done via email (with a link to the document and its location) and possibly by displaying it in a common area, e.g. in reception, so that it is visible to employees and other stakeholders. The Policy also needs to be made available to other interested parties, e.g. your IT managed service provider and clients.
Listen to our previous 13 episodes by subscribing to us on iTunes or Soundcloud
And click HERE for further information on how we can help you with ISO 27001.