In this series of posts I would like to explore how you might use ISO27001 as a solid foundation for your cyber security strategy. An ISO27001 certification demonstrates the conformity of your company’s ISMS with the documented standard, and is therefore an essential part of your cyber security.
My name is Arthur Donkers and my experience with ISO27001 goes back to BS17799 (the infamous best practices list) and I have helped a number of small and large organisations to implement and audit an ISMS. But enough about me, let us focus on cyber and how to leverage the skills and expertise we already have with ISO27001 to build and operate a practical and effective cyber security strategy.
In this series of posts I will consider and answer the following questions:
– Why do WE need a cyber security strategy?
– What assets/values do I need to protect?
– What do I need to protect those assets from?
– How do I protect them?
– How can I maintain my cyber security position?
Keen readers will already have spotted the steps of the PDCA cycle in these questions. For those who are new to ISO27001, the PDCA cycle is the basis for your Information Security Management System (ISMS), and defines the 4 steps that you need to perform for your ISMS: Plan, Do, Check and Act (hence the name PDCA). These steps more or less align with the chapters in the ISO27001 standard. We will look at all of these in future posts.
I would like to close this post with a loose definition of Cyber Security. While researching the term, it turned out that a lot of people and organisations use the term Cyber in different settings, but find it hard to give a clear definition. Based on my personal experience and preference, I define cyber security as:
“The protection of digital information processing assets against abuse, disclosure, manipulation and other negative impact on you, your organisation or your stakeholders.”
This is a broad definition, I know, but it ties in with ISO27001 in a very nice way.
This concludes this introductory post. I hope you will join me for the next articles, in which I would like to answer, amongst other questions, “Why should an organisation have a cyber security strategy?” and “How can we make our cyber security strategy support our organisational goals and drivers?”.
Please subscribe to our newsletter to be sure not to miss any future posts, and do please contact me if you have questions or suggestions for specific topics.
Stay safe!
Arthur Donkers
Cyberlink Security Ltd.