Concerned about data breaches? See how implementing ISO 27001:2013 can help keep your business safe.

Published on: April 15, 2020
On 25 October 2022, a new version of ISO 27001 was published – ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems. The significant changes to the standard were to the controls in Annex A, which need to be assessed for relevance to the organisation’s operations and, where applicable, applied to the organisation’s identified information security risks. This update is aligned with the changes also made to ISO 27002:2022 Information security, cybersecurity and privacy protection – Information security controls, which acts as a reference and guidance document for ISO 27001:2022. You can find out more about the standard update in this blog article.

Something we are hearing more and more often from our clients is concern over the threat of data breaches, and confusion over their legal obligations when it comes to client information. But how can you protect your business's data from this threat? There are tools and frameworks available that you can put in place to do so. A very effective one is the Information Security Management System (ISMS) standard, ISO 27001.

Whether your business offers technology-based solutions to clients, or its products and services are technology-light or non-existent, it very likely receives personal information about customers to which the Notifiable Data Breach Scheme applies. Under this scheme, a data breach takes place when personal information is accessed or disclosed without authorisation, or is lost. If the Privacy Act 1988 covers your organisation or agency, you must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach involving personal information is likely to result in serious harm.

The Privacy Act also applies to employees' data. Because personal information can be any information about an individual, including a person's name, birthday, bank account details, health records and superannuation details, all businesses need to take steps to protect, and to control access to and use of, information relating to the people who work for them.

In addition, all businesses worry to some extent about protecting the business information which, if disclosed to a competitor, has the potential to cause real or significant harm.

There is also the potential for the wealth of knowledge, skill and experience that key employees build up over time to walk out the door when an employee leaves the organisation, if it has not been safely captured and backed up.

How real is the threat?


The threat is not just theoretical but very real, even for organisations with the most sophisticated systems. The Australian Defence Force (ADF) found this out, as reported in early March this year, when a highly sensitive military database containing the personal details of tens of thousands of ADF members was shut down for 10 days due to fears it had been hacked.

In addition, key findings for the July to December 2019 reporting period by the OAIC include:

  • Malicious or criminal attacks (including cyber incidents) remain the leading cause of data breaches, accounting for 64 per cent of all notifications.
  • Contact information remains the most common type of personal information involved in a data breach.
  • The health sector is again the highest reporting sector, notifying 22 per cent of all breaches.
  • Finance is the second highest reporting sector, notifying 14 per cent of all breaches.

How does implementing an Information Security Management System (ISMS) protect your business information?

Many of the clients whom we have already assisted in implementing and becoming certified to one of the other ISO Management Standards come back to us asking for advice on whether to implement an Information Security Management System (ISMS).

The great news is that there is an ISMS Standard that is part of the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) family of standards, ISO 27001:2013, and it's completely aligned with the high-level clause structure of:

An ISMS is a framework of processes, technology and people that uses technical, administrative, managerial and legal controls for effective risk management, designed to protect a business's information assets.

Information comes in many forms including:

  • Recorded and digitally stored information in Information Communication Technology (ICT) systems
  • Typed/printed, and handwritten physical information
  • Website and intranet data
  • The spoken word
  • Email and other communication systems
  • Corporate training and internal reporting media.

This information needs to be protected using tailored controls to ensure that there is no compromise to:

  1. Confidentiality, ensuring information is only accessible to authorised individuals; for example, employee data must only be accessible to authorised HR personnel.
  2. Integrity, ensuring data is intact and complete, avoiding unauthorised changes, whether malicious, such as by a disgruntled employee, or accidental, such as by inexperienced employees.
  3. Availability, ensuring information is available to the people who need it, when they need it. This means your systems need to be reliable and accessible to authorised people whenever required.

The five main benefits of an ISMS:

  1. Increases resilience to attacks and breaches.
  2. Protects the confidentiality, availability and integrity of your data.
  3. Reduces costs by using a business-wide framework that enables a proactive and fast response to new and emerging threats.
  4. Enhances company culture by ensuring all employees take a risk-based approach to their work activities and are involved in the regular independent review of your ISMS.
  5. Provides a strong marketing tool for reassuring existing and new customers that their data is safe with you.

How can we help?


Whether you are already certified to one of the other ISO Management Standards, or are considering implementing your first Management System, ISO Certification Experts has the expertise and experience to assess whether your business would benefit from implementing an ISMS to meet the certification-readiness requirements of ISO 27001.

If our recommendation is to go ahead, we can establish the current state of your work practices via a Gap Analysis report detailing the actions required to fulfil the requirements of the ISO 27001 Standard. Following that, we can further assist, if required, with closing these action items to get you certification-ready.

If you'd like to improve your business's cyber security via certification readiness to the ISO 27001:2013 Standard, call us now on 1300 614 897, email us, or book your free online strategy session to resolve any further questions about the certification process, or to discuss a tailored solution for your business.

About the author


Anthony is the Consulting Manager at ISO Certification Experts. He is a Certified Implementer and Auditor for ISO 27001, ISO 9001, ISO 14001 and ISO 45001.

All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ISO Certification Experts and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.

We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.