Organizations adjusting to remote working are facing unprecedented information security challenges. ISO 27001 certification could be a solution to help effectively manage these emerging risks, supporting the safe adaptation to a much-changed working environment.
ISO 27001 is the international standard that defines the requirements for an information security management system (ISMS). These requirements are broad and feature controls that relate to operational security. This is an area where we typically see a large number of nonconformities – suggesting that it is particularly challenging for organizations to define related policies, procedures, roles and responsibilities.
Within ISO 27001, operational security is a key, multi-faceted requirement that exemplifies how ISMS controls do not operate in isolation and how one size does not fit all. It includes requirements around seven areas of focus ranging from documented operating procedures and change management, through to protection from malware. To achieve certification, your organization needs a series of interlinked processes that address these areas to ensure adequate risk mitigation.
Defining Your Context
Your operational context is important when defining your processes around operational security. You must identify interested parties so their needs can be adequately addressed. For example, organizations with supply chain partners could find that their operational security strategy is impacted by their partners’ risk appetite.
Although interested parties and requirements vary, together they have a strong influence on decision-makers and ultimately an organization’s wider information security strategy. This is an important consideration when designing an ISMS.
The LR audit process looks at how you’ve established repeatable processes that prioritize risk management. This helps us understand how your controls are meant to work so we can assess their effectiveness and see if they’re working as designed to mitigate the likelihood of a breach.
Achieving Effective Operational Security
ISO 27001 requirements for operational security form a package of measures which must all be addressed. Organizations typically respond to these using documented procedures or workflow tools which help define resource needs and provide management with crucial insight. No single requirement is more important than another. Every organization is different and focus areas are dependent on individual operations.
In our experience, change management and technical vulnerability management both usually require more attention.
Change Management
To minimize disruption and avoid undesired events, organizations are required to ensure that any changes are necessary, effective and authorized before deployment.
The design of change management procedures depends on the nature of your organization – they need to be appropriate but shouldn’t be over-complicated. For some, a basic audit trail along with version control will suffice, whereas more advanced change management processes with more input, scrutiny and investment may be required for others.
Our collective response to COVID-19 has tested change management processes. How organizations have established home working environments at pace has been impressive; however, implementation at this scale and speed can expose inherent weaknesses in processes. So, in many ways, now may be the perfect time to conduct an internal audit to make sure that rapid deployments were completed consistently.
Technical Vulnerability Management
Information security breaches and cyber-attacks are now more frequent and damaging than ever. In many of the larger, publicly recorded cases, exploited technical vulnerabilities have been the cause.
As organizations become more and more data rich, adopting new technology at a rapid pace, vulnerability management processes (that are proportionate to the level of risk) must be in place. This is central to an ISO 27001 compliant ISMS.
Complex IT infrastructures can make the processes around identifying vulnerabilities and rolling out patches and updates difficult to define within your ISMS. At LR, we try to understand the scope of your asset estate before sampling to check that the latest updates are in place.
There must be a balance between quick deployment and sufficient testing, even for development assets. It’s important that your process addresses key questions like:
- Is the asset in the desired state?
- Has this state been defined to ensure the control is implemented as planned?
- Is the roll-out on track or taking longer than intended?
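To make those three questions concrete, here is an added example (not LR's tooling and not anything ISO 27001 prescribes): a small Python check that compares a constructed asset inventory against a constructed desired-state baseline of minimum patch levels, treats an un-inventoried component as a finding rather than as compliant, and reports whether the roll-out is keeping pace with its change window. Hostnames, component versions and dates are placeholders.

```python
"""Desired-state check for technical vulnerability management.

Added illustration, not LR's or ISO 27001's own code. The inventory,
the baseline and the change window below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    environment: str   # "production" or "development": both are in scope
    installed: dict    # component -> installed version string


# Constructed desired state: minimum acceptable version per component.
BASELINE = {
    "openssl": "3.0.13",
    "kernel": "5.15.150",
}

# Constructed inventory with placeholder hostnames.
ASSETS = [
    Asset("web-01", "production", {"openssl": "3.0.13", "kernel": "5.15.150"}),
    Asset("web-02", "production", {"openssl": "3.0.11", "kernel": "5.15.150"}),
    Asset("db-01", "production", {"openssl": "3.0.13"}),  # kernel not inventoried
    Asset("dev-01", "development", {"openssl": "3.0.13", "kernel": "5.15.140"}),
]


def parse_version(text: str) -> tuple:
    """Turn '3.0.13' into (3, 0, 13) so versions compare numerically;
    a plain string comparison would wrongly rank '3.0.9' above '3.0.13'."""
    return tuple(int(part) for part in text.split("."))


def check_asset(asset: Asset, baseline: dict = BASELINE) -> list:
    """Answer 'is the asset in the desired state?' for one asset.

    Returns a list of findings; an empty list means compliant. A component
    that is absent from the inventory is reported too, because an unknown
    state must not be counted as a control that is in place."""
    findings = []
    for component, minimum in baseline.items():
        installed = asset.installed.get(component)
        if installed is None:
            findings.append(f"{component}: not inventoried")
        elif parse_version(installed) < parse_version(minimum):
            findings.append(f"{component}: {installed} below baseline {minimum}")
    return findings


def rollout_status(assets, started: str, deadline: str, today: str,
                   baseline: dict = BASELINE) -> dict:
    """Answer 'is the roll-out on track?' by comparing the share of assets
    already in the desired state with the share of the change window elapsed.
    Dates are ISO strings (YYYY-MM-DD)."""
    start, end, now = (date.fromisoformat(d) for d in (started, deadline, today))
    results = {a.name: check_asset(a, baseline) for a in assets}
    compliant = [name for name, findings in results.items() if not findings]
    noncompliant = {name: f for name, f in results.items() if f}

    total_days = (end - start).days
    elapsed = (now - start).days
    expected = min(max(elapsed / total_days, 0.0), 1.0) if total_days > 0 else 1.0
    actual = len(compliant) / len(assets) if assets else 1.0

    return {
        "compliant": compliant,
        "noncompliant": noncompliant,
        "actual_fraction": actual,
        "expected_fraction": expected,
        "on_track": actual >= expected,
        "overdue": now > end and actual < 1.0,
    }


if __name__ == "__main__":
    status = rollout_status(ASSETS, "2024-04-01", "2024-04-21", "2024-04-11")
    print(f"compliant: {status['compliant']}")
    for name, findings in status["noncompliant"].items():
        print(f"{name}: {'; '.join(findings)}")
    print(f"on track: {status['on_track']} "
          f"({status['actual_fraction']:.0%} done, "
          f"{status['expected_fraction']:.0%} of window elapsed)")
```

The two design points worth carrying into a real process are the ones auditors sample for: the baseline is written down before the check runs, so "desired state" is a defined thing rather than whatever happens to be installed, and a gap in the inventory is surfaced as a finding instead of silently passing.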
Adjusting to a Changing World of Work
The shift to home-based working has truly tested operational security processes. This is because a distributed workforce has pushed the boundary of organizational security into people’s homes, increasing risks like unauthorized asset access and accidental malware infection.
ISO 27001 provides organizations with a robust method of managing these new risks from an information security perspective. Operational security is an important part of that mix. However, other standards such as ISO 22301 (business continuity) or ISO 22316 (organizational resilience) may also be of interest to organizations that want to take their management systems to a new level of integration.