Most organisations will do anything within their budget to prevent cyber attacks, but senior staff are often given conflicting advice on where to spend their money. Should they invest in the latest technological defences? And which technologies? Should they overhaul their data protection policies? If so, how?
The list of potential solutions is nearly endless, but no single measure will significantly reduce the risk of a breach. The most effective solutions are those that address the entire organisation – from its technologies to its staff and the policies they follow. For that, organisations should turn to cyber security standards – particularly ISO 27001, which covers information security, and ISO 22301, which covers business continuity.
Compliance with these standards is especially important for organisations involved in critical infrastructure. Many of them are required to comply with the Directive on security of network and information systems (NIS Directive), which comes into effect in May 2018, and ISO 27001 and ISO 22301 provide ideal frameworks for achieving that compliance.
ISO 27001
Organisations that certify to ISO 27001:
- Improve their structure and focus. When a business grows rapidly, it doesn’t take long for confusion to spread about who is responsible for which information assets. ISO 27001 helps organisations become more productive by clearly setting out information risk responsibilities.
- Receive an independent opinion about their security posture. Organisations seeking certification will need to pass a review from an external auditor. The auditor will then carry out follow-up reviews at specific intervals to establish whether controls are working as intended.
- Demonstrate to clients that cyber security is a top priority. Clients will be more willing to trust an organisation that has accredited certification to international standards. This gives the organisation a competitive advantage.
- Improve company culture. Employees play a major role in ISO 27001 compliance, and if they are made aware of the good work they are doing, they will feel more valued and committed to the cause.
ISO 22301
Organisations that certify to ISO 22301 will experience many of the same benefits as with ISO 27001. They will also be able to:
- Maintain the continuity of business operations. Implementing a business continuity management system (BCMS) in line with the requirements of ISO 22301 allows organisations to minimise the disruption to business in the event of a disaster. The BCMS can be followed in the event of many incidents, from adverse weather to a cyber attack. It helps staff assess the potential impacts of an operational disruption and take appropriate steps without delay.
- Protect assets, turnover and profits. Effective business continuity management means that organisations can keep delivering their products and services and keep performing the activities that are critical to continuing their operations. These activities protect income streams and reduce the risk of further losses following an incident or disaster.
- Reduce the cost of business interruption insurance. An ISO 22301-compliant BCMS gives organisations better insight into the real effects of a disaster, enabling them to accurately evaluate the type and value of insurance cover they need.
Read more about the benefits of complying with ISO 27001 and ISO 22301.
If you’re ready to implement either or both of these standards, you might find our ISO 27001 and ISO 22301 consultancy services useful. Delivered by experts, these services will save you hours of trial and error by guiding you through the necessary steps to compliance.
We offer a number of services to meet your needs, from introductory advice to hands-on implementation.
Alternatively, you might be interested in our cyber resilience consultancy services. Cyber resilience is a security strategy that combines ISO 27001 and ISO 22301, helping organisations mitigate the risk of cyber incidents and enabling them to respond to threats promptly. The strategy offers the same benefits as certifying to the two standards separately, and is ideal for those who want comprehensive protection against cyber attacks.