Key Takeaways:
- As organisations go through digital transformation, the amount of data they rely on increases, and with it the number of places where a data breach could occur.
- With the number and cost of cyber-incidents rising around the world, information security (InfoSec) has become a core concern for companies of all sizes.
- ISO 27001 certification demonstrates that your company follows recognised best practices in InfoSec. It increases trust and opens up business opportunities.
The headlines are daunting. We read about new data breaches and ransomware attacks every day. Cybersecurity has become a top concern for every company, whether you are a startup, a scaleup or a mature enterprise.
So, you may ask yourself: How do we actually get started on cybersecurity? Should we strive for ISO 27001 certification, and what are the first steps?
Our experts, DataGuard's Privacy Consultant Vipul Asher and Product Specialist AJ Alao, answer this and more for you.
Keep scrolling for a recap of the webinar.
The current cybersecurity landscape
Let’s kick things off with a brief look at the current cybersecurity landscape.
“What we’re seeing here at DataGuard and what the data outside suggests,” said AJ, “is an uptick in the number of breaches companies are facing.”
Why is that? Vipul had an explanation for us:
“The amount of data each industry produces is increasing on a day-by-day, month-by-month, year-by-year basis. And the more data we produce, the more places there are where we could have a potential breach.”
Statistics from IBM's Cost of a Data Breach Report 2022 underline the worrying situation:
- The average cost of a data breach worldwide was USD 4.35 million
- The average time to identify and contain a breach was 277 days
- 83% of organisations had experienced more than one breach
As AJ put it: “Just three things in life are assured. Death, Taxes and Cyber-breaches.”
The consequences of data breaches and other cyber-incidents are dire. On top of fines and direct financial loss, your reputation suffers, and you lose current and future business opportunities.
“A really powerful statistic from Accenture said that 83% of mid-market companies aren't fiscally in a position to recover from a cyber-breach”, AJ added.
Understanding information security (InfoSec)
It's clear you need a strategy to protect your company against those risks. That means securing your information by following the three principles of information security, often called the CIA triad:
- Confidentiality: Making sure that sensitive data can only be accessed by those who are authorised.
- Integrity: Ensuring the data you hold is not tampered with or corrupted, either while it is being transmitted or once it is stored.
- Availability: Guaranteeing that authorised users can access that data when they need it.
How can we achieve that?
Short answer: by establishing company-wide policies and procedures that protect company information against unauthorised access, modification and loss.
It's important to take a proactive approach here, rather than only reacting once a catastrophe has occurred.
“From an organisational culture point of view”, Vipul said, “you need to make sure that InfoSec is everybody’s responsibility.”
“That can only be achieved through proper training and discussions. Training is such a key element.”
As you can see, information security covers a wide field of responsibilities. For such a complex undertaking, it is best to follow an established standard rather than invent your own approach.
“ISO 27001 is the world’s best-known standard for your Information Security Management System (ISMS)”, Vipul said.
Why you should get ISO 27001-certified
AJ and Vipul then explained the key advantages you gain from achieving ISO 27001 certification.
Demonstrable high level of information security maturity
You want to grow as a company, create new business opportunities and close bigger contracts. With ISO 27001, you can demonstrate a strong cybersecurity posture to potential partners.
Vipul summed it up:
“Any time you want to work with an enterprise-level organisation, one of the key questions is: Is your company 27001-certified? Yes. No. That simple yes or no pivots your ability to win or lose business.”
Increased confidence with existing customers
Vipul noted:
“Once you build that ISO certification, you can happily go back to an existing customer, which then becomes a massive source of recurring revenue.”
“Building trust and confidence with your existing customers also helps you with your reputation.”
And again, an excellent reputation attracts new customers and partners.
Reduced risk of fines
“Should you have a data breach”, Vipul explained, “and you can demonstrate that you took all the necessary care, that puts you in the good books with regulators. The potential fines are far lower compared to not having certification.”
Transparency and awareness within the organisation
“Transparency and awareness for me are the most important parts in this”, Vipul said.
“If our goal is to go upstream, to win those larger contracts with bigger vendors, we’re seeing that information security is just a prerequisite.”
“Make sure that you make that a part of your DNA from within, which then reflects on the outside world for your customer base. By saying this is a company I can trust, this is a company I would want to do business with purely because of the ownership that they take.”
Steps to take towards ISO 27001 certification
So how can you get started on your journey towards ISO 27001 certification?
First step: Gap Analysis
“Before you can take a medication, you first must be diagnosed”, AJ noted.
This is where the gap analysis comes in: “We at DataGuard or a third party will sit down and take stock of your company. The assets you manage, the processes you have in place and processes you may not have in place.”
The result is a clear set of recommendations on what you need to implement to build out your ISMS.
Managing Assets and Risks
Vipul said: “I don’t know of a single organisation I’ve worked with that could put their hand on their heart and say: we know exactly what our assets are.”
This is why identifying all your company assets, and the data that resides in them, is so important.
Only then can you identify the risks associated with those assets and develop strategies to mitigate and manage them.
Note that these are ongoing processes. As your business evolves, you need to record every change to your assets and continually monitor and review the risks your business faces.
Building out your ISMS and getting certified
Then it’s time to develop and implement the actual policies that make up your ISMS.
Remember: InfoSec is a team effort. The whole company should have access to those policies, and they should be well documented. Ideally, you manage all your information security efforts on one platform.
As a last step before the external audit that gets you certified, prepare with an internal audit that can uncover any oversights.
AJ added: “What’s really powerful here is the management review. Get top management to simply be aware of the procedures, policies and controls in place. This is a company-wide initiative.”
So, you go through the steps, implement your ISMS, achieve that certification and then you are finished, right? No!
ISO 27001 is a continuous journey
One element to be aware of is continuous auditing. Certification is valid for three years: you must pass a surveillance audit every year and a recertification audit every three years to keep it.
“But what’s really important to understand is”, AJ added, “as your company grows in scale, so do your risk factors. Your ISMS will need to be updated and edited.”
“It really is a continuous journey.”
Watch the webinar
If you’d like to go into a bit more detail about the whys and hows of ISO 27001 for your business, watch the full recording of our webinar with AJ and Vipul here.