This is the third article in a blog series I started to find out, together with the members of the ISO27001 group on LinkedIn, how you can use ISO27001 ISMS to build your Cybersecurity strategy. In this post I would like to explore with you how we can identify our stakeholders and their interests and how they relate to our scope.
When you are implementing an ISMS, one of the first items on your todo list is defining a scope. What process, systems or location will the ISMS manage? You should choose the right scope. Too small and the certification will be useless, but too big and the implementation will be too complicated.
For your cybersecurity strategy, you do not have the luxury of choosing an appropriate scope. This is because your whole digital landscape is your scope. All systems, all storage and all interfaces are in the scope because they are all potential targets of a cyber attack.
Why is that? The reasons for this have to do with both the threat agents and the tools they use. A cyber attacker (threat agent) does not care about your scope; he/she goes for the systems that are available, and preferably the ones that are easy to break into. Most hackers are not superhumans that can bend time and space, they are lazy like the rest of us and use automated tools to hack into your systems. And because they use automated tools, they will potentially hit each and every system in your organisation. (Mind you: I am not talking about the so-called stately actors here. They often have very specific goals and targets, and almost unlimited resources and time).
Setting such a wide scope for your cyber security strategy will help you to find your stakeholders as well. As with a lot of things, there are many levels to this stakeholder identification. At the top level you have ‘mandatory’ stakeholders like governments, customer bodies, laws and regulations and perhaps regulators that manage licenses you need to operate. This is no different from the mandatory stakeholders you have for your ISMS. When looking at your Cyber Security strategy, your national Data Protection Agency deserves special care. In my experience, 99% of all organisations process Personal Identifiable Information and are therefore bound by laws and regulations like the GDPR. In the case of a successful Cyber Attack, this PII is almost always hit (it may even be the target of the attack) and you need to respond accordingly. This makes proper incident response a key part of your strategy (- more on this in one of the next posts).
As your organisation is often part of a larger value chain, your chain partners are obviously also stakeholders, as are the parties you process their data for. These chain partners will be concerned that you protect their interests, but you will also need to protect yourself from any impacts arising if they suffer from a cyber attack.
So far we have identified external stakeholders, and as you probably guessed, there are internal stakeholders as well. You can use the same method to identify them that you used for an ISMS. You will need to identify the owner of your systems, the owners of the information that is being processed and the management team that aligns the business goals and daily operations. You may also need to identify any development department that builds and maintains your applications, finance, maybe HR and your internal customers. All of these parties have a stake in the digital processing and need to be taken into account when planning your Cyber Security Strategy.
Next time I would like to explore this stakeholder/responsibility a bit further in relation to cloud based services. A lot of organisations are out-sourcing parts of their IT processing and this must be a part of your Cyber Security strategy.
Until next time, stay safe!