ISO 27001 standard as a tool

More and more business areas are IT-driven, and that includes the finance and insurance industries. Electronic payment systems in particular now count as critical infrastructure. Ensuring information security there is an everyday necessity, and ISO 27001 is a useful tool for implementing and operating an information security management system (ISMS).

Our working world depends more than ever on functioning digital systems. Processes are being digitized and (partially) automated as workflows, a steadily growing volume of sensitive data is being moved to the cloud, and more and more companies depend on their IT systems running smoothly. Alongside a clear and sensible structuring of a company's processes, reliable and secure handling of IT solutions and infrastructures is one of the crucial conditions for efficient work.

New opportunities always entail new risks:

  • Cybercrime is on the rise. Companies are lucrative targets for hackers. In 2017, 40% of all Swiss SMEs were victims of a cyber attack*.
  • Employees pose a serious risk through ignorance and lack of awareness:
      • Phishing e-mails are becoming increasingly sophisticated and are hardly identifiable as such by laypersons.
      • The number of passwords required keeps growing, and many employees still choose insecure passwords.
  • Personal data is protected by law (Federal Act on Data Protection FADP, SR 235.1) and must be stored and archived in a particularly secure manner. In the event of an incident, there is a risk of fines and reputational damage.
  • The European General Data Protection Regulation (GDPR) requires additional data protection measures.
  • Industry regulations such as FINMA rules, Basel III and the EPD (electronic patient dossier) provide general or specific guidelines on data protection and data security.

In order to minimize the risks that arise in information security, and especially in data protection, technical and organizational measures are required. Comprehensive assistance is provided by the standards of the ISO 2700x series, which cover all areas of information security in a company.

ISO 27001/02
ISO 27001 defines the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS); ISO 27002 supplements it with implementation guidance for the security controls the ISMS draws on.

"Absolute security is not guaranteed in either the physical or digital world."

The aim is to define the best way to build and improve an information security management system. The standards support companies in operating secure infrastructures, initiating the right measures in the event of incidents, and consistently raising employee awareness. Besides technical requirements, many organizational measures must also be taken. The ISO standard for information security covers an important and large part of compliance with the new European General Data Protection Regulation, though not all of it: the rights of data subjects under the GDPR, for example, are not regulated in ISO 2700x. GDPR compliance is indispensable for many Swiss companies with business relations to the EU, and similar requirements can be expected to come into force in Switzerland in the medium term. It is therefore worthwhile in any case to engage with the new requirements.

 

Companies that already operate management systems according to ISO 9001 (quality), ISO 14001 (environment), ISO 45001 (occupational health and safety) or ISO 50001 (energy) already have a large part of the management system structure needed to implement an information security management system. In practical terms, ISO 27001 is built on the same high-level structure as the ISO standards mentioned above, so its clauses on context of the organization, leadership, planning, support, operation, performance evaluation and improvement are already familiar.

As with other management systems, the prerequisite or first step is to know and analyze your own processes and procedures. What data is stored and processed, and how? Which (legal) regulations or expectations must be observed for which data? Once this initial situation has been clarified, integrating information security into existing management systems and structures is possible with reasonable effort. In addition to management system knowledge, this also requires specialist expertise in IT systems. Once the topic is established in a management system, it is ensured that it receives the necessary attention and is continuously monitored and optimized, like every other topic the system covers.

Certification of the system can make sense as proof for customers and the public, but it is not absolutely necessary. Even without certification, integration into existing management system structures is a straightforward way of fulfilling the expected duty of care in the area of information security as well as the legal requirements.

Questions to the expert
Roland Brunner, Senior Information Security Consultant at WiB Solutions AG, on realistic procedures:

Does every company have to be certified according to ISO 27001 in order to be able to guarantee absolute information security?
Roland Brunner: No, of course not. Certification makes sense primarily for companies with their own data centers, IT service providers and large corporations. If one orients oneself to the ISO 2700x standard, this does not mean that certification must be sought. The existing framework of the standard provides a well thought-out structure and so-called control patterns, which can be examined, used and documented by every company, taking into account its own needs. Last but not least, absolute security is guaranteed neither in the physical nor in the digital world. Risks must be identified, classified, and appropriate measures taken or the effects minimized.

Are there tools to help companies assess their own information security?
Roland Brunner: The online quick check for information security and data protection by WiB Solutions AG offers companies the opportunity to assess their situation on the basis of 30 questions focused on information security; on the one hand, the maturity level of the relevant processes and topics is measured and, on the other hand, companies receive an assessment of which topics are to be weighted for the company in the implementation and how. Not all topics are equally relevant for every company.

Conclusion
The lack of information security management in the ICT environment is a constant "dance on the volcano": it is certain that an eruption will occur, but not when, to what extent, or which preventive measures will reduce the risks. In this environment, organizations that face up to the issue and whose employees are flexible enough to react promptly to changes are well positioned.
