
  • Why is implementing ISO 27001 so difficult?

    Well, the simple answer is that it really doesn’t have to be. If you’ve looked at implementing it internally or, more likely, you’ve been given the extra responsibility of completing an implementation on top of your day job, it can look a little daunting to begin with. Of course, I could bleat on about hiring someone to do it (like me), but that might not be practical. So, I thought I’d pop down a starter for ten to show you how I would go about tackling it.

    Buy the standard. I know it’s wordy, and it might not make much sense right now. But once you have it, it will become a checklist for you a little further down the line. It’s not expensive, and if nothing else, it provides excellent bedtime reading if you’re a bit of an insomniac.

    Get the boss on board. You’ve probably been handed this dandy little project by your senior in the company. That person may or may not be the person signing the cheques, so let’s make sure everyone is on board this train before we start rolling. It doesn’t hurt to reach out to some certification bodies now, even before you’ve started doing any real work. They can give you an indication of cost, which you can take back to the people holding the purse strings. Pricing is relatively consistent between the different certification bodies, but (with my best Martin Lewis voice) get a few quotes, and you can then decide which one to choose. Some may be cheaper than others, but make sure you are getting like-for-like quotes. There are certified and non-certified assessment bodies; I’m not going into the difference between them here, as it’s a whole other blog.

    If we’re happy with the costs, now is the time to start doing some work. Scope is a word you will hear a lot, and it simply means ‘what areas are we including in this certificate’. A misconception is that you have to certify your entire company. This is incorrect; you might want a much smaller scope: a specific product you offer, a specific service you sell, a specific team. The options are endless, but it is up to you to decide what this might be. Typically, the smaller the scope, the easier the project. Start small and look to increase your scope a little down the line once you get the hang of things. Scope is essential, and it will drive things later. It’s always good to ask yourself what you are trying to achieve at this point. What do we want our ISMS to provide? What objectives should we set and measure so we know this project is heading in the right direction?

    Once you have your scope defined, go hunting about and start pulling together some simple lists of what information you have. Break it down into a couple of areas to make your life a little easier. Think about the hardware first: end-user equipment, printers, network devices, app servers, web servers, database servers, blob storage, even filing cabinets. Once you have this list, write down the type of information you’re storing on these devices: employee data, customer data, company data, source code, absolutely everything. Decide how important that data is, and how much of a pain it would be if it was lost, stolen, or changed in error. Now we have a good list to work from.

    Now the fun starts. We’re going to look over that list and try to understand how each of those components could be damaged. That could be malicious intent by someone inside or outside your company, or it could simply be someone overwriting it. Once we know what those risks are, we are going to decide how we can stop those things from happening. This is where we apply controls. Some risks may have one control applied; some may have many (some might have none if you are happy with the risk just the way it is). It’s up to you and your team to decide which controls to apply to reduce the risk of something terrible happening to a level you are comfortable with.

    Most people will cast their eye over Annex A at the back of the standard and choose controls from there. Remember, you don’t have to use Annex A if you don’t want to. If this is your first rodeo, though, I probably would. It will make your life easier, and it’ll make life easier for the auditor too. Continue working through each risk until you’ve decided which controls you are going to apply. Once you’re done, capture all those controls together in a separate list. Congratulations on creating the outline of your first ‘Statement of Applicability’. The most important step now is to give yourself a pat on the back. There’s more to do, but we’ve made a good start. Come back next time to find out where we go next.

    Conclusion: Implementing ISO 27001:2022 might sound like a big task, but it’s worth it in the long run. It’s your ticket to showing your clients and partners that you take their data security seriously. Remember, it’s not about being perfect from day one. It’s about making steady progress and always looking for ways to do better. So, roll up your sleeves and get started on making your business more secure than ever before.

  • What is Risk Management?

    Risk management is the fundamental process of thinking about what bad things may happen; one way to look at it is as the corporate world’s way of documenting fear: something that could happen but may never happen. In the cyber security world there is a term, FUD (Fear, Uncertainty, and Doubt), which I hate. It is used by vendors to sell products, and I guess the uncertainty and doubt come from a lack of understanding of the fears that are relevant to your business. This is why risk management is essential; understanding your risks helps you define controls (or not) to protect against and/or minimise the impact of the damage these risks may cause.

    Risk Management Standards. There are several well-known risk management standards out there, including ISO 27005, ISO 31000, NIST SP 800-30, COSO, and COBIT, and modelling or risk identification processes like STRIDE, DREAD, and PASTA. Find one that works for you and adopt it, or define your own process. As long as it is repeatable and the output is consistent, it really doesn’t matter. So, let’s define some of the key aspects of risk management.

    Understanding Risk: Definitions and Concepts. Threats and vulnerabilities are the fundamental reason you are doing risk management. A threat is a constant; threats take advantage of vulnerabilities to cause harm. A simple example would be a thief. A vulnerability, on the other hand, can be lessened or removed, and the level of control you implement should be appropriate to what you are protecting. For instance, an open window is a vulnerability, or weakness, in your home security: you could simply close the window, or improve security by applying greater controls such as bars or an alarm system. The thief (threat) takes advantage of the open window (vulnerability) to break in and steal your assets. That is the risk; threat and vulnerability are just a way of representing it. How you document this will be determined by your process. You will need some kind of risk register to document your risks (we will explore this more next week in: What is a Risk Register?).

    Risk is a basic calculation of impact multiplied by likelihood. There are extensions that can be added to that, but you are adding complexity to an already complex system. Essentially, most of the extensions add little value, and routine review will ensure any additional factors affecting risk can be taken into account.

    Risk scoring. Once you have your threat and associated vulnerability defined, you need to score the risk. This will help you decide whether to do anything. There are many ways to score, but 3x3, 5x5, and HML (High, Medium, and Low) are the most common. Consistency is key when scoring, so you need a method to ensure it. A dedicated risk analyst or officer can assist with this, as having one consistent person driving the scoring helps. 3x3 and 5x5 are easier mathematically; if you use HML, assign scores to the levels (I tend to use 1, 3 and 5 as values for calculating risk). HML still provides understandable terms for everyone to use without having to quantify a value. All risks should have an owner, and that person should have enough authority to make decisions on that risk.

    Importance of Risk Management in Business. Risk management is a critical aspect of business operations. It helps you understand what is needed to protect the organisation from potential threats and vulnerabilities. By identifying these risks, they can be mitigated proactively to protect the business’s assets. I firmly believe that risk management should form the basis of all your decisions. This goes beyond cyber security: if you have no risks or opportunities (yes, risk can bring opportunities), what are you spending time and money on trying to fix or prevent?

    Benefits of Implementing a Risk Management Strategy. A risk management strategy allows for consistent, successful, and routine identification and management of risks and opportunities. To be effective, risks need to be scored consistently. This ensures that each risk is managed appropriately, reducing bias, which can result in resource overspending.

  • What does ISO 27001 cost in 2024?

    Implementing ISO 27001: The Cost of Achieving Information Security. Let’s start by defining what ISO 27001 is in simple terms; if you want a detailed explanation, check out our What Is ISO 27001 article.

    What is ISO 27001? ISO 27001 is an international standard for information security management. The standard outlines a systematic approach to managing sensitive information, such as financial data, intellectual property, and personal information, to ensure its confidentiality, integrity, and availability. Implementing ISO 27001 requires significant time, effort, and resources. The cost of implementation can vary greatly, depending on the size and complexity of the organisation and the type of services used to achieve certification.

    What does it cost? It is hard to say precisely how much you can expect to pay for ISO 27001 implementation, as multiple factors drive the cost. It can vary from as little as £100 (buying a policy pack) to as much as £20,000+, but for most SMBs, an assisted implementation should range from £3,000 to £20,000. So let’s delve deeper into some things that can drive costs up and how to keep costs down.

    What drives the cost up? The biggest cost differentiator is the size and complexity of the business. For example, a 10-man, fully outsourced and cloud-first business will be much more straightforward than a 1000+ user, multi-site, international business with on-premise technology: essentially, more moving parts mean more responsibility for data security. Using a consulting company rather than in-house skills may be more expensive. On the other hand, completing the implementation in-house may reduce initial costs, but the long-term operational costs could be higher, and by choosing a consultancy the result may be a faster and smoother process. The cost can also be affected by the timeframe for the implementation; for example, if a quick turnaround is needed, more resources may be required to deliver the project at an accelerated pace.

    What drives costs down? Having good security practices and policies already in place can significantly reduce costs. In addition, the effort to achieve compliance is significantly reduced if you have a security culture as part of your everyday business. Using in-house knowledge to deliver the bulk of the implementation and an external resource for reviewing key aspects like auditing can also keep the expenditure down. If you’re not in a hurry, a slower implementation of the Information Security Management System (ISMS) can help keep costs down and better integrate the system into the organisation. While a DIY approach may seem the cheapest option, some organisations underestimate the effort required to achieve accreditation. As a result, they may make little progress over a period of two years. Ultimately, this could cost more than bringing in a specialist consulting company to help with the implementation.

    Why are some companies so expensive? The complexity of the ISMS they use and the day rate they charge will increase the cost of the implementation. The more complex the system, the more time is needed to implement it, meaning long-term management costs rise. Some companies may over-engineer what is required, meaning there is more to implement but with little benefit. Day rate has the most significant impact on cost. Larger consulting companies are generally more expensive due to increased overheads, but they provide more coverage for the consultant working on your project in case of availability issues. Larger organisations will also carry greater skills and service diversity, which adds to their value, and their prices usually reflect this. Many companies will operate onsite regardless of need, which can include expenses for hotels, travel and food; on a 10-day engagement this could easily add another £1,000+.

    Why are some companies so cheap? Smaller consulting firms will generally cost less due to their reduced operating costs. Companies with only one or two consultants are typically the most affordable, but they often face problems with limited resources and insufficient coverage if the primary consultant is unavailable. This can result in lower daily rates but may lead to other issues, including but not limited to reduced skills diversity, availability issues and a lack of innovative processes.

    Other costs. So far, we have explained the implementation costs. There will also be a cost for accreditation if that is your end goal. Over time, we have noticed a steady rise in the number of days required for UKAS bodies to complete their accreditation process. UKAS accreditation is strongly recommended, as the certification holds little value without it. However, it is possible to implement the framework without accreditation and still reap the security benefits while avoiding the associated costs. UKAS audit costs for an SMB would be in the region of £4,500 to £8,000, depending on the factors we have already discussed. However, we have seen costs in excess of £25,000 for larger, complex organisations.

    How we compare. As an organisation focused on value and simplicity, we offer builds from as little as £4,875. On average, our clients pay around £6,000-£8,000. We also guarantee a Stage 1 pass, and as long as you take our advice, we guarantee you’ll pass Stage 2 and achieve certification. We have a 100% certification success rate. Where possible, we complete everything remotely, as this reduces costs: no travel, hotels or other expenses are needed. Our day rate is £975, but where required we can and are happy to operate on site at no additional cost; expenses are built into the day rate, so there are no unexpected or hidden costs. Our service includes all the documents you require: policies, registers and records. In addition, we will hold numerous workshops to ensure you understand the implementation and are ready for your audits. We will run your Stage 1 audit for you, representing your company as your compliance manager, at no additional cost. If needed, we can assist at Stage 2 as well, but this will increase your costs. Still, many clients opt for it, as having someone with in-depth knowledge of the standard and the management system, who can guide key staff on how to respond to the auditors, makes the whole process more seamless.

  • Another Breach! but who really gives a f**k!

    Significant and media-worthy data breaches seem to be increasing, along with the lesser breaches that only us InfoSec peeps see on security forums and newsletters, but does anyone really care? I would hazard a guess that most people don’t. Unless it directly affects them, most people won’t even read a mainstream data breach article. I hate to say this, but security can be dull. Obviously we (the InfoSec community) care, and we even use these breaches as mechanisms of fear (YOU COULD BE NEXT!!) or education (Be Aware). I like to think we lean towards the latter. Breaches seem to be the norm now, and as such maybe people are becoming desensitised to them. If we look back at some of the mainstream breaches, how many have resulted in a company going under? I am not aware of any.

    I remember tracking the eBay breach, and let’s be honest, it was probably a great example of how not to manage a data breach: the breach hit the media before eBay had notified anyone, and I received eBay’s notification of the breach about 2 weeks after I had already changed my password. But how did it affect the company? We hope that internally a more dedicated approach to good data security practices was implemented; externally there was a dip in share price, but within 2 weeks it was right back where it was before the breach. Can a company be “too big to fail”? eBay own the auction market; I use the term “I am going to eBay it” regardless of whether I use their platform or not. 145 million passwords were taken along with other PII that could be used in attacks against the individuals, but the biggest risk will be credential stuffing where people have used the same credentials across multiple systems, and you can be confident some of those will be company systems like VPNs.

    Even more recent data breaches like Facebook and Cambridge Analytica, which affected 50 million users, have had no real impact on the userbase. Has anyone stopped using Facebook since that breach? I know I haven’t. I am sure the $5 billion fine sounds a lot, but for a company with a $16-17 billion quarterly turnover it really isn’t! When a company owns a market like Facebook, Amazon and eBay do, a data breach is a small blot on its reputation: maybe 1% of people will leave, but the other 99% will just continue, hopefully improving their passwords and enabling MFA as part of the process.

    We have no idea how many breaches occur, because unless a breach contains PII there is no requirement to notify, so companies affected by spear phishing CEO/CFO fraud aren’t going to announce they have been taken for £100,000 by cyber criminals; the only people who know are the Board, the cyber insurance company and the security consultant they call for advice. Well, I am sure we will continue to post and try to educate. Some will use FUD, but I really think teaching cyber and privacy for life will beat Security Awareness at work, as employees who don’t respect their own data won’t respect yours.
