This is the second article in a series exploring, together with the members of the ISO27001 group on LinkedIn, how you can use ISO27001 ISMS to build your Cybersecurity strategy. Although Cybersecurity has become a bit of a ‘catch all’ phrase, I interpret it as anything related to protecting your digital assets (see my previous article )
The first question is obviously “Why?”. Why would your organisation need a Cybersecurity strategy. For most organisations this is a given, but if you think about answering this question a bit more, it will help you focus and scope your strategy. This immediately relates to chapter 4 of the ISO27001 standard, and especially paragraphs 4.1 and 4.2.
Whenever I start an ISMS implementation, the first question I ask is: “Why are you willing to spend all this time and money to obtain a certification?” And the answers vary wildly across organisations. Some of them are ‘urged’ by a regulator to manage their information security (an example of this is NEN7510 in The Netherlands, although not mandatory (yet), the health authority really appreciates it).
The second reason is more commercial in nature. More and more Request For Proposals require your organisation to be compliant with ISO27001. In most cases this question is just a tick in the box, and not really SMART, but that is a subject for another blog post.
The third reason is an internal one. An organisation wants to provide safe and reliable services and sees ISO27001 as a seal of approval. An additional benefit is that you will, by doing this, already have implemented a number of the controls required for GDPR.
For me, reasons 2 and 3 combined should really be driving your Cybersecurity strategy. 99% of all organisations are part of a larger supply chain and need to protect their interests, those of the other partners in the chain and of the customers. The stakeholder analysis step of paragraph 4.2 helps you identify all of these ‘interested parties’ that depend on your contributions to the chain.
A counter-argument I sometimes hear is: “But we are a small company and of no real interest to hackers”. I am convinced this no longer holds any ground. First of all, most malware and other automated mayhem does not care about the size of your organisation. It will hack and encrypt your data and hold you for ransom.
Secondly, as you are part of a larger chain, if you don’t protect your digital assets, your organisation may be the perfect target to use to get access to that bigger fish somewhere up or down the chain.
Therefore, knowing all of your interested parties provides you with a proper scope and focus on why you should properly protect your digital assets.
A parting thought related to this; More and more insurers are offering insurance against cybersecurity incidents. You can imagine that, if you have an effective cybersecurity strategy and operation, your premium will be significantly lower than if you do not have a plan related to your Cybersecurity. I expect this trend to develop further and maybe in a few years time you will be able to fund your ISMS from the premium savings alone.
Next time I would like to explore the stakeholder analysis in more detail so we can really get the focus and scope we need for our Cybersecurity strategy.
In the meantime, stay safe!