Our Blog - for QHSE Compliance Professionals | Mango

ISO 27001 Information Security Management Standard - Principle 8

Written by Craig Thornton | 20/12/17 20:12

Part 9 - Active prevention and detection of information security incidents

Having an active system for preventing and detecting incidents, like breaches of security, is a super important in making sure you have an effective information security management system (ISMS).

If someone, or your system, fails to prevent or detect these breaches then you won’t have a true measure on whether your ISMS is effective.

Preventing and detecting breaches can be difficult.  The breaches could occur in your software, your hardware, your networks, your buildings and even your paper-based files. 

Just in networks alone, there are 5 different distinct types of security breaches:

  • Malware
  • Phishing
  • Password Attacks
  • Ransomware
  • Denial-of-Service

The word “active” is important too.  You need to be constantly on guard. You need to be constantly preventing incidents. You need to be constantly detecting if incidents occur. 

In addition you need to have transparency around doing this too. 

Beware of a trap though.  Don’t set up objectives that has something around reducing the number of security breaches.  In the past, I have seen companies set objectives or key performance indicators (KPIs) to have “zero incidents” or “zero breaches”.  One way to achieve that objective or KPI is for people to stop detecting or even reporting on incidents. I have also seen companies measuring their employee’s performance based on the number of security breaches.  The review will say “the higher the number of breaches the lower the employee performance”.  It gets even worse than that.  Companies will set salary bonuses on the number of incidents.  The fewer the incidents the bigger the bonus.  So if that is your KPI what do you do?  Of course you will stop reporting breaches.  If it hurts the KPIs then stop reporting the breach. Simple as that.  This is bad, very bad.

Therefore, you need to implement a No Blame Culture.  Easy to say but hard to get right though.

It’s human instinct to blame people for either failing to prevent security breaches or to detect the breach in the first place.  You must stop blaming and work on encouraging reporting. 

However, as soon as you go back to blaming, your system will fail.  You have to keep working on it 24/7.

The goal is to have a true measure of the number of security breaches that your networks and systems are experiencing.

Having this measure gives you the information you need to highlight weaknesses in your ISMS.  It’s not a weakness of your employees.  It’s a weakness of your ISMS.  With these weaknesses highlighted you can target your efforts to make improvements.  As the father of quality W Edward Deming says:

“The fact is that the system that people work in and the interaction with people may account for 90 or 95 percent of performance.”

But there are many resources and tools online you can use on how to prevent and detect security breaches.  The following are some good resource website that you may want to consider using.

In the UK a good resources is the UK Government website: https://www.gov.uk/government/policies/cyber-security

In New Zealand a good resources is the CERT NZ website: https://www.cert.govt.nz

In Australia a good resources is the Australian Cyber Security Centre:

https://www.acsc.gov.au/

In South Africa a good resources is the National Cybersecurity Hub:

https://www.cybersecurityhub.gov.za/                                               


 

View previous blogs in this series "ISO 27001 Information Security Management Standard":

ISO 27001 Information Security Management Standard: Principle 1 - Analysing the Protection of Your Information and then Applying Controls

ISO 27001 Information Security Management Standard: Principle 2 - Awareness of the Need for Information Security 

ISO 27001 Information Security Management Standard: Principle 3 - Assignment of Responsibility for Information Security

ISO 27001 Information Security Management Standard: Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

ISO 27001 Information Security Management Standard: Principle 5 - Enhancing Societal Values

ISO 27001 Information Security Management Standard: Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

ISO 27001 Information Security Management Standard: Principle 7 - Security incorporated as an essential element of information networks and systems