In the previous blogs, we talked about various mandatory requirements bringing corporate attention to compliance issues. In the light of evolving cyber security threats, business may want to take this opportunity to conduct a cyber security audit. The audit functions as:
- an integral role in assessing and identifying opportunities to strengthen enterprise security.
- a duty to inform the audit committee and board of directors that the controls for which they are responsible are in place and functioning correctly, a growing concern across boardrooms as directors face potential legal and financial liabilities.
ISO/IEC standards such as the ISO/IEC 27000-series for information security management system (ISMS) are useful benchmarks for the framework.
- The standard is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to provide a globally recognized framework for the best practice of security management.
- It is deliberately broad in scope, covering more than just privacy, confidentiality and cyber security issues.
- The most popular standard amongst the 27000 series is the ISO 27001, which outlines the requirements of an ISMS, also provides an independently audited certification for organizations that went through the audit.
Most important of all, the ISO/IEC 27001 benchmarks requirements for ISMS is a systematic approach to managing sensitive company information so that it remains secure.
- IT systems
- organisations manage, monitor and improve their information security in one place
- small, medium and large businesses in any sector keep information assets secure. (source: ISO www.iso.org )
If your organization is not ready to hire independent auditors to conduct a security audit yet, performing a risk assessment is a way to go.
A risk assessment based on ISO/IEC 27001 is not only assessing its technological aspects of an organization, but it also:
- involves assessing information security management covering physical access, firewall policies, staff security awareness education, incident response and data encryption.
- helps businesses produce a set of controls minimizing identified risks so that risk is mitigated.
- helps organization take existing resources and budget into consideration when figuring out what key metrics management needs and what return on investment is giving back to the business from the investment.
- helps employees follow a set of guidance of security best practice. As the risk assessment evaluates the security posture as a whole, after the assessment, the assessors might help the organization to design a customized security awareness program for all employees to follow.