Blog


Are You Preparing Your Business To Adopt Security Standards?

With ever-increasing cyber-attacks and constantly changing data privacy requirements, IT security has become a major concern for companies. If you are preparing your Organization to adopt security standards and achieve compliance, here is what to think through.

Understand why the Organization needs the Standard: Even before you decide on adopting security standards, the foremost thing to do is understand why the Organization wants to use them. Think about which aspect of the standards you are going to tackle and how it can help your Business. Is it for multi-factor authentication, email encryption, or to better understand security and risk in the Business? For instance, a banking contractor may want to focus on encryption, while a medical practice would want to focus on stronger authentication for patient portals.

Finalize the scope of the project: When adopting standards, some companies try to take on too much. It is therefore advisable to define the scope early and determine which employees and departments the standards are targeted at. Finalizing the scope at the start saves significant cost and time, and tightening the scope of the standards project is one of the simplest ways to control its cost.

Certification programs: When your security system adheres to all the applicable standards and regulations, that is compliance. But this may not be enough: your customers may require your system to be certified by a governing body. Certification provides tangible proof of a compliance claim. It is therefore important to know whether your customers and the company’s stakeholders are asking for certification. If they are, certification programs require buy-in from top management, and you should also budget extra resources for maintaining documentation and paying consultants.

Determine how the new Standard makes you stronger as a company: Another crucial question is how the standards will make you stronger as an Organization and help your Business thrive. For instance, security teams should communicate to top management the opportunities that the new certification will open up. Regulatory frameworks also help Businesses improve the compliance process every time they prepare for a review or an audit. Over time, your Organization can automate this work with outside tools designed to streamline the manual parts of a compliance audit. These tools are quite helpful, as they come with internal auditing features that help ensure your company maintains continuous compliance and avoids the rush to make changes at audit time.

Maintenance regimen: Security certification audits are an annual routine and therefore you must think about keeping the certificate valid. This is a continuous process that includes the improvement of security practices and learning from past experiences.

Neumetric, a cyber security services, consulting & products Organization, can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security for Organizations of all sizes & in multiple industries make it easier for us to quickly execute cost-cutting activities that do not bring value to you, while you continue focusing on the business objectives of the Organization.

With years of in-depth experience in assisting Organizations of all sizes and industries with their security requirements, we can quickly identify cost-cutting activities that do not bring value to you, so that your concentration stays on the Business objectives of the Organization.

Wiper Malware & Its Variants Part 2 – All That You Need to Know

Wipers are typically used for extortion, and many ransomware attacks include a wiper component. Recently, cybersecurity researchers discovered a new malware strain called Ordinypt that includes both wiper and ransomware capabilities. This malware overwrites data and renders it permanently irrecoverable. Its destructive nature means there is no incentive for victims to pay the ransomware’s operators. It was used to infect German-speaking users, leaving them with no way to retrieve their files.

Variants of Wiper Malware

But Ordinypt is not the only one that has caused havoc by masquerading as ransomware. In August 2019, another ransomware named GermanWiper caused headaches for German companies by permanently destroying user data, while demanding ransom payments.

The latest report from IBM X-Force highlights a 200% increase in destructive malware cases between the 2nd half of 2018 and the 1st half of 2019. But what is the point of disguising a wiper as ransomware? Let’s have a look.

Financial Gain

While many ransomware attacks include a wiper component, the wiper is mainly used for extortion. The threat of permanent data destruction is a strong incentive for Businesses to cough up the ransom. Only after the ransom is paid do Businesses discover that the ransomware was in fact a wiper, leaving them little or no chance to recover their lost data.

Economic Disruption

Sometimes the purpose of disguising a wiper as ransomware is to achieve large-scale economic disruption. For instance, in 2017, after a series of high-profile ransomware attacks, NotPetya was released to the world.

This Cyberattack looked like conventional ransomware designed to generate as much money as possible. However, cybersecurity experts quickly realized that it was destructive malware. NotPetya generated about $10,000 in ransom payments but caused more than $1 billion in economic disruption.

Dealing With Malware


Because wipers disguised as ransomware pose a serious threat, we suggest that Businesses adopt a comprehensive disaster recovery strategy to mitigate the effects of future malware attacks. Organizations should also implement a robust antivirus solution and train staff frequently on the importance of basic cyber hygiene.

All That You Need To Know About Wiper Malware

We are all aware of Malware: software designed to maliciously disrupt the normal operation of a network or of a user’s phone, computer, tablet, or other device. There is a wide range of malware categories, including worms, spyware, trojans, and keyloggers, and these terms are often used interchangeably. Many malware variants blend different techniques, and wiper malware is one such variant that can prove very destructive for Businesses.

Wiper Malware

Wiper Malware is intended to destroy the data and systems it infects. The motive may be to send a message, erase traces of activity, or spread fear; a wiper may destroy data without impacting systems, or vice versa. Wiper attacks can be fatal to Organizations because there is almost no chance of recovering the data.

How do Wiper Methodologies affect Systems?

Usually, wipers have three targets: the boot sector of the machine’s operating system, data files, and backups of data and system. Some wipers overwrite a targeted list of files, others overwrite every file inside specific folders. Some overwrite a fixed portion of each file at intervals, and some target only the first few bytes of every file in order to destroy headers.

These shortcuts exist for efficiency, since fully overwriting every file takes this class of malware a long time. To destroy backups, the malware deletes the shadow copies of files. The operating system is rendered unbootable by erasing the first ten sectors of the physical disks or by rewriting these sectors entirely.
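As an added defensive illustration (not code from the original post), the following Python script checks whether files still carry the magic bytes their extension implies, which is one way to audit a backup or file share for the header-only overwrite described above. The magic-byte table and the sample files it builds in a temporary directory are constructed for this example.

```python
"""Flag files whose leading bytes no longer match the format implied by
their extension: the footprint a header-wiping tool leaves behind.

Added example, not code from the original post. The signature table and
the sample tree are constructed here for illustration only."""
import os
import tempfile
from pathlib import Path

# Well-known file signatures (leading bytes) keyed by extension.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

HEADER_LEN = 16  # number of leading bytes to inspect


def classify_header(path: Path) -> str:
    """Return 'ok', 'zeroed', 'mismatch' or 'unknown' for one file."""
    ext = path.suffix.lower()
    with open(path, "rb") as fh:
        head = fh.read(HEADER_LEN)
    if ext not in MAGIC:
        return "unknown"  # no signature to compare against
    expected = MAGIC[ext]
    if head.startswith(expected):
        return "ok"
    # An all-zero prefix is the classic trace of an overwrite that only
    # touched the first bytes of each file.
    if head and all(b == 0 for b in head[: len(expected)]):
        return "zeroed"
    return "mismatch"  # bytes present, but not this format's signature


def scan_tree(root: Path) -> dict:
    """Walk a directory and group files by header verdict."""
    report = {"ok": [], "zeroed": [], "mismatch": [], "unknown": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            report[classify_header(p)].append(p.relative_to(root).as_posix())
    for key in report:
        report[key].sort()
    return report


def build_sample_tree() -> Path:
    """Constructed sample data: two intact files, one whose first bytes were
    replaced by zeros, one carrying another format's bytes, one plain text."""
    root = Path(tempfile.mkdtemp(prefix="hdrcheck_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.pdf").write_bytes(b"%PDF-1.7\n%constructed sample\n")
    (root / "logo.png").write_bytes(MAGIC[".png"] + b"\x00" * 64)
    # Simulated damage: header zeroed, remainder of the file untouched.
    (root / "docs" / "archive.zip").write_bytes(b"\x00" * 16 + b"rest of archive body")
    # Header present but wrong for the extension.
    (root / "photo.jpg").write_bytes(b"GIF89a" + b"\x00" * 32)
    (root / "notes.txt").write_bytes(b"plain text, no signature to check\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for verdict, files in scan_tree(sample).items():
        print(f"{verdict:9s} {files}")
```

Run it against a restored backup before trusting the restore; a non-empty "zeroed" list is a strong sign the copy was taken after the wiper ran.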

Wipers in the wild

Wipers have been around for a while, but only a few have drawn attention, because of the scale of their activity.

  • A few years back, a wiper named Flame was discovered to have infected many systems in Middle Eastern countries.
  • In 2013, a wiper named Dark Seoul infected South Korea’s broadcasting agencies and banks in a coordinated attack.
  • The Shamoon wiper affected nearly 30,000 computers at Saudi Aramco, where the systems were completely wiped and left unbootable.
  • The Petya malware was discovered to be a wiper disguised as ransomware: victims who paid the ransom still could not recover their data.
  • Sony Pictures Entertainment was attacked by the Destover wiper, which leaked confidential data and rendered many machines unusable.

Defensive mechanisms against Wipers

The defensive mechanisms against wipers are similar to those against malware in general. Cyber Security Experts recommend swift action, since the longer the malware stays on the system, the more damage it can cause. A Cybersecurity Incident Response Plan [CSIRP] helps you and your team respond appropriately to the attack; it should clearly define the roles and responsibilities of the different teams in the Organization.

During a wiper attack, it is essential to isolate the affected network to prevent the malware from spreading. Trusting the entire Organization’s security to a single technology makes the line of defense weak. We therefore suggest that internal network traffic be strictly monitored.


What is Privacy Information Management and ISO/IEC 27701?

The European Union’s GDPR [General Data Protection Regulation] has ushered in a new era of privacy regulation and compliance. More privacy regulations have since been enacted in other jurisdictions, requiring organizations to implement policies and procedures that assure compliance with a growing list of privacy regulations.

Additionally, we are amidst a rapid digital transformation, where data collection and processing are dramatically increasing. The simultaneous growth in data volume and regulatory requirements pertaining to that data makes compliance increasingly complex for organizations.

The new international standard ISO/IEC 27701 Privacy Information Management System [PIMS] helps organizations reconcile privacy regulatory requirements. Formerly known as ISO/IEC 27552 [during the drafting period], ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 Information Security Management. It is an international management system standard that outlines a comprehensive set of operational controls which can be mapped to various regulations, including the GDPR.

Once mapped, the PIMS operational controls are implemented by privacy professionals and audited by third-party auditors. This results in certification and comprehensive evidence of conformity. The standard provides guidance on the protection of privacy, including how organizations should manage personal information.

Compliance Challenges

Vendors will need to certify against PIMS. Whatever the size of your organization, this is an effective way to establish responsible privacy practices among suppliers and partners. ISO/IEC 27701 will help address three key compliance challenges:

  • Multiple Regulatory Requirements: Reconciling multiple regulatory requirements through the use of a universal set of operational controls will enable consistent and efficient implementation.
  • Auditing Regulation-by-Regulation: Auditors, both internal and third party, will be able to assess regulatory compliance using a universal operational control set within a single audit cycle.
  • Certificate of Compliance: Commercial agreements involving movement of personal information may warrant certification of compliance.

Building Blocks of The Standard

PIMS is built on top of the most widely adopted international standard for information security management, ISO/IEC 27001. If your business is already familiar with ISO/IEC 27001, integrating the new privacy controls of the Privacy Information Management System [PIMS] will be more efficient, so implementation and audit of both will be less expensive and easier to achieve.

PIMS has new Controller and Processor-specific controls, which help in bridging gaps between security and privacy. It also provides a point of integration between what may be two separate functions in organizations.

ISO/IEC 27701 helps organisations with:

  • Building trust in managing personal information
  • Maintaining transparency between stakeholders
  • Facilitating effective business agreements
  • Defining roles and responsibilities
  • Supporting compliance with privacy regulations
  • Reducing complexity

Does Your Organisation Need Privacy Information Management System?

ISO/IEC 27701 Certification can be implemented by organizations of all types and sizes, including government entities, public and private companies and not-for-profit organizations.

So, whether your organization is a Controller or a Processor, you should consider pursuing certification, either on your own initiative or as requested by Clients, vendors and suppliers, depending on your business requirements.

This applies especially to co-controllers, processors and sub-processors along with those who are processing sensitive or high volumes of personal data.

It provides guidance for organizations who are responsible for PII processing within an Information Security Management System [ISMS], specifically:

  • PII Controllers [including those who are joint PII controllers]
  • PII Processors

ISO/IEC 27701 Requirements

Privacy depends on security, and similarly the Privacy Information Management System [PIMS] depends on ISO/IEC 27001 for security management. PIMS certification is obtained as an extension of an ISO/IEC 27001 certification, not independently.

If you have an ISO/IEC 27001 Information Security Management System already in place, you are ready to get started with ISO/IEC 27701. The guidance and requirements for ISO/IEC 27701 PIMS go across 8 different clauses and 6 annexes, which include personally identifiable information [PII] controls and mappings to related standards and the GDPR.

It is crucial that you understand all the guidance, requirements & controls and ensure they are appropriately implemented across your organization.

Neumetric is a cyber security Advisory and Consulting organization that can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security across multiple industries make it easier for us to quickly execute security activities that add value to you, while you continue focusing on the business objectives of the Organization.

RBI Norms on Prepaid Payment Instruments for E-Wallets

In an effort to promote digital transactions, the Reserve Bank released guidelines in 2018 to facilitate payments among different mobile wallets. The RBI Norms for PPI consolidated the guidelines into 3 phases so that the industry could prepare better for the implementation of interoperability.

Interoperability of PPI

Interoperability is the technical compatibility that allows a payment system to be used in conjunction with other payment systems. It allows Prepaid Payment Instrument (PPI) issuers, participants, and providers in different systems to undertake payment transactions, without having to participate in multiple systems.

Before the PPI standards were put in place, a mobile wallet user could not make a payment from his wallet to one run by a rival firm. After the Prepaid Payment Instrument guidelines were implemented, users were able to transfer funds between wallets and also from their wallets to bank accounts.

The Three-Phase Implementation

Under the guidelines the RBI released in 2018, interoperability of all KYC-compliant Prepaid Payment Instruments was to be enabled in three phases:

  • Interoperability of PPIs issued in the form of wallets through UPI (Unified Payments Interface).
  • Interoperability between wallets and bank accounts through UPI.
  • Interoperability of PPIs issued in the form of cards through card networks.

So now, if a merchant has signed up for one wallet with full KYC (Know Your Customer), he does not need to sign up for others and can receive payments from any wallet.

The new RBI Norms for PPI

Since PPIs play an important role in promoting digital payments, a new type of PPI has been introduced which can be used only for the purchase of goods and services, up to a limit of Rs 10,000. Such a PPI is loaded from a bank account and used only for digital payments such as bills and merchant payments. This new Prepaid Payment Instrument can be issued on the basis of essential minimum details sourced from the customer.

RBI Rules for such PPIs state that:

  • Banks and non-banks can issue semi-closed PPIs for up to Rs 10,000 after obtaining minimum details of the PPI holder.
  • These details include mobile number verified with OTP (One Time Pin) and self-declaration of name and Unique Identification Number of any of the ‘officially valid documents’.
  • The amount loaded in such PPIs in any month cannot exceed Rs. 10,000 and the total amount loaded during the financial year cannot exceed Rs. 1,00,000.
  • The amount outstanding at any point in time cannot exceed Rs. 10,000.
  • The total amount debited from such PPIs during any given month cannot exceed Rs. 10,000.
  • These PPIs can be used only for the purchase of goods and services. Funds transfer from such PPIs to bank accounts and also to PPIs of the same/other issuers will not be permitted.
  • PPI issuers must ensure that this category of Prepaid Payment Instrument is not issued again to the same user using the same mobile number and the same minimum details.

How did the rules on interoperability impact E-wallet Companies?

After interoperability was rolled out completely in 2018, e-wallets were on a par with payment banks. This opened a new window for wallet companies to explore business opportunities. The Prepaid Payment Instrument industry had waited a long time for these guidelines, and the new rules made the industry more attractive for new companies to join.

Impact on Users

Today, mobile wallet users can transfer funds from one wallet to another effortlessly, without having to download another wallet, and can pay across the networks of any other Prepaid Payment Instrument through UPI. Once users have completed their KYC with the wallet companies, they can avail of the benefits of interoperability.

Cyberattacks Are More Likely From Criminals Than Foreign Nations

According to former National Security Agency director Mike Rogers, cyberattacks are more likely to come from criminals funded by U.S. enemies than from foreign nations themselves. Rogers suspects that some states are building relationships with cybercriminals, giving them money, targets, and tools, and expects this to grow in the coming years.

BlackBerry CEO John Chen described how his company shifted from producing one of the world’s most popular mobile devices to becoming a provider of security-focused software, supplying it to the world’s top mobile device manufacturers and to internet-connected systems in Ford, General Motors, and other vehicles.

Pentagon needs to prepare

With the growing number of internet-connected devices like cell phones, fitness trackers, thermostats, and medical devices such as pacemakers, cyberattacks will soon become a weapon. Rogers has warned the Pentagon that it needs to change how it buys weapon systems so that cybersecurity is built in from the beginning. It also needs to fund cyber updates, as many systems have outdated cybersecurity protections by the time they are delivered.

Rogers added that his concern is not cyberattacks on U.S. government or corporate networks, because such attacks are no surprise, and Businesses and governments have recovered more quickly from hackers than from natural disasters. He is more concerned about breaches of health care data, because such data is widely shared and the number of devices measuring health data grows every day.

A word from BlackBerry CEO

John Chen became BlackBerry’s CEO in 2013. He explained that the company was headed for financial disaster in 2013, with deteriorating sales and dwindling cash. Chinese competitors were selling similar devices for less than the cost of the parts in BlackBerry smartphones. He had to slash costs so that the company could generate cash instead of burning through it.

Since BlackBerry was known for privacy and reliability, he refocused the company on privacy and security delivered through software, which carries higher profit margins than selling consumer phones. Late last year, the company acquired antivirus software provider Cylance to add artificial intelligence capabilities to BlackBerry’s security products for internet-connected devices. The company now generates more than $1 billion in revenue from security products and has made its first profit since 2012.

Best-in-Class security for your Business

True data protection now extends beyond the core, and so does the cybersecurity demand from end-users. There is a constant need to extend the data protection ecosystem, in which cryptographic keys and data are secured and managed and their access and distribution controlled, to mobile and tactical environments.


How Do Attackers Use Single Sign-On in Phishing Pages to Steal Credentials?

With the ever-increasing use of technology, cybercrime has become a common issue. Recently, malicious pages that abuse Single Sign-On (SSO) to steal user credentials have been reported. Given the popularity and convenience of SSO on widely used websites, this type of phishing attack has grown significantly.

But are you familiar with Single Sign-On? Well, if not, here is a tutorial to guide you through SSO.

SSO - Single Sign-On

Single sign-on, abbreviated as SSO, is a user authentication service. It allows users to use one set of login credentials (name and password) to access multiple applications, so the user does not have to remember separate credentials for each account. Eliminating the password prompt for each application during a session improves the user experience. Enterprises, smaller organizations, and individuals use it to reduce the burden of managing many usernames and passwords.

Single sign-on is usually accomplished by authenticating the user against a repository such as a Lightweight Directory Access Protocol (LDAP) directory. Popular web applications that offer SSO to users include Google, Facebook, and Twitter.

SSO can also be extended to third-party services. For instance, some applications allow users to access their account using Facebook or Google’s authentication. But how is it abused? Let’s have a look.

SSO Abuse

The availability of Single sign-on is steadily increasing across applications, and this has led many hackers to abuse it. Malicious web pages have been reported that impersonate the sign-in pages of applications like Dropbox. When people enter their credentials, the data is harvested, even though they are then logged into the intended application and notice nothing wrong.

Before Single sign-on became popular, hackers had to create a separate phishing page for each service whose credentials they wanted to steal. With SSO, a single phishing page can target many services at once.

How Can You Protect Your Data From This Cyber Attack?

The best way to protect yourself from SSO phishing attacks is to enable two-factor authentication. A second factor makes it much harder for an attacker who has your password to access your account. It is not advisable to use SMS as the second factor, as it is not as secure as other methods.


Next Generation CyberSecurity Map

Our world has seen an explosion in the number of solutions, providers, and recommended steps for securing a company’s environment and protecting it against recent cyberattacks. This is why many enterprises are struggling to get their arms around cybersecurity.

With so many alternatives and no single right solution, it is tricky to know where to start. One place to begin is to establish the core elements of a cybersecurity risk mitigation plan. This plan should incorporate proven elements that public and private sector players alike have used for some time. Let us look at a roadmap that will help businesses build a strong cybersecurity foundation.

Inventory

The first step in the Next Generation Cybersecurity Roadmap is to take a thorough inventory.

Identify the data assets you have and how accessible or vulnerable they are to external and internal threats, and the information that would attract hackers: personally identifiable information, financial data, client information, transaction-related data. That is not all. Every asset that your company considers a “crown jewel” and that outsiders would find attractive should be taken into consideration. You must also know which data is segmented or kept separate, so that you can judge how much critical information a single attack or penetration would expose.

All this detail is critical in helping your company determine what is most important, where the highest level of protection is required, and where and how to focus your efforts as you move on to evaluating existing protections.

Evaluate Existing Protections

The next step in the Next Generation Cybersecurity Roadmap is establishing what tools, processes, and resources your company already has in place to protect its data assets. For instance, does your organization have a “CISO in a box” or other third-party provided solutions?

A good starting point is cataloging your staff’s skills and determining whether more training is required to address the current threat landscape. Also review the retention steps your company takes to keep staff happy and engaged: the tech labor market, and cyber in particular, is red-hot, and people are leaving their current employers with 2, 3, 4, or more job offers in hand at a time.

Take some time to evaluate the internal and third-party services and tools in use. Check how these tools align with the current cyber landscape and how third-party service providers have differentiated themselves by demonstrating consistent value and thought leadership to your company.

You must also confirm that your data is backed up comprehensively and regularly, and determine what relationships are already in place with law enforcement. You must know who to call and how they will respond before a breach happens.

Create Your Cybersecurity Forecast & Test It

The third step is to create a forecasted view of the future. For this, use sources of cyber threat intelligence and combine them with the expertise needed to analyze that intelligence and identify the threats relevant to your company’s operations. There are many threat intelligence sources from a variety of providers: some paid, some free, some from private sector sources, and some public and broadly available.

Obtaining threat intelligence is one step, but being able to analyze it and understand what is actually important and meaningful for your company is more challenging.

You must develop and manage test runs for cyber breaches, to provide practice and to determine what happens and how each party should act when a breach occurs. These test runs can include annual red team exercises involving every key player in the company, from the CEO down.

The tabletop exercise is often where the real story is told, because you do not want to discover during a real incident that you have no way to contact key resources: all the contact lists live on the network, and the network is effectively shut down by the hack or cyber-attack. The exercise breathes life into the concepts and concerns and makes them real for the business.

Given that an attack of some kind is more than likely to occur at some point, focusing on both prevention and recovery ensures that a business minimizes the opportunities for an attack and is prepared to recover from one as quickly as possible.

Neumetric, a cybersecurity services, consulting & product organization, excels at reducing security cost without compromising your security posture. We have years of in-depth experience in handling security for organizations regardless of size, industry, or geography. This makes it easier for us to quickly execute cost-cutting activities, while you focus on the business objectives of the organization.

What Makes Network Security So Important?

With our ever-increasing dependence on technology, it has become essential to secure every aspect of online data and information. The internet is growing, computer networks are getting bigger, and with this, Data Integrity has become one of the most crucial aspects for businesses to consider. But do you know why Network Security is so important today? Let’s have a look.

Importance of Network Security

Whether you work over the internet, a LAN, or other methods, Network Security is one of the most important aspects to consider, no matter how small or big your business is. Since no network is immune to cyber-attack, efficient and stable Network Security Management helps you protect your client data.

A good Network Security System reduces the risk of falling victim to data theft. It not only helps protect your workstations from harmful spyware but also ensures that your shared data is secure. Network Security infrastructure provides several layers of protection against MitM [Man in the Middle] attacks: it breaks the data into numerous parts, encrypts them, and transmits them through independent paths, thus counteracting eavesdropping.

While working over the internet, we tend to receive a lot of traffic, and heavy traffic can cause stability problems and expose vulnerabilities in the system. Network Security promotes the reliability of the network: it prevents lag and downtime by constantly monitoring for suspicious transactions that could sabotage the system.

How do Things Go Wrong in Networks?

If your network is hacked, it can even put you out of business. This can lead to vandalism, where misleading information is planted into the system. This is one of the many tactics used by hackers. If the wrong information is planted in the system, your customers may feel misled and your company’s integrity will be called into question.

Faulty Network Security Systems can also lead to damage to intellectual property, as hacking gives unauthorized access to the company’s or individual’s information.

For instance, the Citibank security breach affected roughly 1% of its customers in the United States. If a hacker gets in and steals blueprints, plans, and ideas, the business can miss out on being able to implement new designs & products, and this may destroy the business or keep it stagnating.

A Cyber-Attack launched on a network can crash it, and the company can even experience revenue loss. The longer the network stays down, the more revenue is lost, and the business begins to look unreliable and potentially loses its credibility. Therefore, Network Security Management is of utmost importance.

Cyber Security Program

To protect your network from hackers, you’re going to need the right training. Proper education about Cyber and Network Security can expose you to many of the common methods that hackers use to gain access to networks. To get hands-on training, you will need to think beyond simple security methods, so as to keep highly technical and well-organized cyber criminals at bay.

Some of the skills and training that you can expect within a cybersecurity program are:

  • Administer, manage and troubleshoot hardware, software, or services for multi-user and mixed-user environments.
  • Evaluate problems and monitor networks to ensure their availability to users.
  • Identify customer needs and use that information to interpret, design and assess the network requirements.
  • Plan and implement Network Security measures, install Security Software, and monitor networks for security breaches.

These programs teach you how to use cybersecurity measures to protect data and safeguard information. With this, you gain sufficient knowledge of how to monitor and defend networks by creating basic security procedures and policies.

Neumetric, a cybersecurity services, consulting & product organization, can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security for organizations of all sizes & in multiple industries make it easier for us to quickly execute cost-cutting activities that do not bring value to you, while you continue focusing on the business objectives of the Organization.

The International Standard ISO 27001 For Your Organization

When it comes to keeping information assets secure, ISO 27001 is the international standard, published by the International Standardization Organization [ISO], that many organizations look to. Initially developed from the British standard BS 7799-2, it describes how to manage Information Security in an organization. The first revision of the standard was published in 2005, the next revision was published in 2013 and the latest revision (which is specifically a European version) was done in 2017, making it ISO/IEC 27001:2017.

A common misconception is that ISO 27001 is only for “large” organizations; this is neither true nor helpful! This international standard can be implemented in any kind of organization, small or large, private or state-owned, for-profit or non-profit. The world’s best experts in the field of information security have written this Standard. It provides a methodology for the implementation of an Information Security Management System [ISMS] in an organization and enables it to become certified. This means that an independent Certifying Body has validated & confirmed that the organization has implemented an ISMS that is compliant with ISO 27001. Today, ISO 27001 has become the most popular information security standard globally and many organizations are certified in it.

How does ISO 27001 Work?

ISO 27001 aims at protecting the Confidentiality, Integrity and Availability, commonly known as the “CIA Triad”, of the information in a business. This is done by finding out what possible problems can impact the security of information, a process called “Risk Assessment”, and then describing what needs to be done to prevent them, which is called “Risk Treatment” or “Risk Mitigation”. This is why it is commonly & rightly perceived that the main philosophy of ISO 27001 is based on the concept of “managing risks”: it helps you find out where the risks exist and how they should be treated systematically.

The controls that should be implemented take the form of Policies, Procedures, Processes, Tracking, Monitoring and Technical Implementation such as modifications to equipment and software. In many scenarios, organizations already have the software and hardware in place but use them in an insecure manner; hence, the majority of ISO 27001 implementations are about setting the organizational rules that are necessary to prevent security breaches. Since such an implementation needs multiple Policies, Procedures, Processes, People and Assets to be managed, ISO 27001 defines how to fit all these elements together in the ISMS. So, managing information security is not only about Antivirus and Firewalls; it is about managing processes, managing human resources, legal protection, physical protection and much more.

What makes ISO 27001 Good for Your Organization?

An organization can achieve the following four (4) essential business benefits with the implementation of ISO 27001 Standard:

  1. Adherence to Legal Requirements: There are several regulations, laws and contractual requirements associated with information security, and most of them can be resolved by implementing ISO 27001. It provides the perfect model to comply with them all.
  2. Lower Costs: The idea behind ISO 27001 standards is to prevent security incidents from occurring, since every incident, small or large, costs money to the organization. Hence, by preventing them, an organization can save a lot of money. The investment in ISO 27001 certification is comparatively smaller than the cost savings you will achieve.
  3. Achieving Marketing Advantage: If your organization obtains the ISO 27001 certification while your competitors do not, then you will have an advantage over them in the eyes of your Clients & Customers, who are sensitive about keeping their information safe.
  4. Better Organization: Usually, fast-growing organizations do not have time to stop and define their procedures and processes. As a result, very often Employees do not know what needs to be done, who will do it and when it should be done. ISO 27001 implementation facilitates resolving such situations since it encourages organizations to write down their main processes and enables them to reduce the lost time of their workforce.

ISO 27001 Standard

ISO 27001 contains 11 Clauses and an Annex A. Clauses 0 to 3 are not mandatory for implementation since they are introductory in nature. Clauses 4 to 10 are mandatory, which means all their requirements must be implemented in an organization if it wishes to be compliant with the Standard. Controls from Annex A should be implemented only if confirmed as applicable in the Statement of Applicability.

  • Clause 0: Introduction: Defines the purpose of ISO 27001 and its compatibility with other management standards.
  • Clause 1: Scope: Defines that the standard is applicable to any organization.
  • Clause 2: Normative References: Introduces ISO/IEC 27000 as the standard where terms and definitions are provided.
  • Clause 3: Terms and Definitions: Introduces ISO/IEC 27000.
  • Clause 4: Context of the Organization: It is a part of the Plan phase in the Plan-Do-Check-Act [PDCA] cycle that defines requirements for understanding internal and external issues, interested parties and their requirements, along with describing the ISMS scope.
  • Clause 5: Leadership: This Clause describes top management responsibilities, setting the roles, and contents of the top-level Information Security Policy.
  • Clause 6: Planning: It describes the requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the objectives of information security.
  • Clause 7: Support: It describes the requirements for availability of resources, awareness, competences, communication, and control of documents and records.
  • Clause 8: Operation: It is a part of the Do phase in the PDCA cycle that determines the implementation of risk assessment and treatment, along with controls and other processes required to achieve information security objectives.
  • Clause 9: Performance Evaluation: It is a part of the Check phase in the PDCA cycle. It describes the requirements for measurement, monitoring, evaluation, analysis, internal audit and management review.
  • Clause 10: Improvement: This is a part of the Act phase that defines requirements for corrections, nonconformities, corrective actions and continual improvement.
  • Annex A: It provides a catalogue of 114 Controls grouped into 14 Control Sets (A.5 to A.18) which are based on the reference standard ISO 27002.

According to Annex SL of the International Organization for Standardization ISO/IEC Directives, Clause titles in ISO 27001 are the same as in ISO 22301:2012, in the new ISO 9001:2015, and other management standards. This will enable easier integration of these standards.

Implementing ISO 27001 Standard

You need to follow these steps to implement the ISO 27001 standard in your organization:

  1. Obtain the support of your Top Management.
  2. Use a Project Management methodology.
  3. Define the scope of your ISMS.
  4. Prepare the top-level Information Security Policy.
  5. Describe the Statement of Applicability.
  6. Define the Risk Assessment Methodology.
  7. Perform a Risk Assessment.
  8. Define the Risk Treatment Plan.
  9. Treat the identified Risks.
  10. Describe how you will measure the effectiveness of your controls and the ISMS.
  11. Implement all applicable Controls and Procedures.
  12. Execute training and awareness programs for information security.
  13. Perform daily operations as defined by the ISMS documentation.
  14. Monitor and measure the ISMS.
  15. Perform an Internal Audit.
  16. Perform Management Review to keep your Top Management updated about the ISMS.
  17. Enforce corrective actions as necessary.

Obtaining ISO 27001 Certification

Organizations can obtain their certification by proving that they are compliant with all the mandatory Clauses of the ISO 27001 Standard.

The Certification Audit is performed by an accredited “Certifying Body”. The certification audit, also known as the “External Audit”, is performed in three Stages.

  1. Stage 1 Audit: This covers the Documentation review, where the Auditor reviews the ISMS documentation.
  2. Stage 2 Audit: This is the stage where an Auditor will conduct an onsite audit to check if all the activities in an organization are compliant with ISO 27001 and ISMS documentation or not.
  3. Stage 3 Audit: This stage refers to Surveillance visits. Once the ISO 27001 Certificate is issued, during its 3-year validity, the Auditor will check whether the organization is maintaining its ISMS or not.

Neumetric, a cyber security services, consulting & products organization, can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security for organizations of all sizes & in multiple industries make it easier for us to quickly execute cost-cutting activities that do not bring value to you, while you continue focusing on the business objectives of the Organization.
