The thing we are hearing more often from our clients is concern over the threat of data breaches, and confusion over their legal obligations when it comes to client information. But how can you protect your business’ data from this threat? There are tools and frameworks available that you can put in place to do so. A very efficient one is the Information Security Management System (ISMS) standard, ISO 27001.
Whether you run a business offering technology-based solutions to clients, or a business whose products and services are technology-light or non-existent, many businesses receive personal information about customers to which the Notifiable Data Breach Scheme applies. Under this scheme, a data breach takes place when personal information is accessed or disclosed without authorisation, or is lost. If the Privacy Act 1988 covers your organisation or agency, you must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach involving personal information is likely to result in serious harm.
The Privacy Act also applies to employees data. Because personal information can be any information about an individual including a person’s name, birthday, bank account details, health records, and superannuation details, all businesses need to take steps to protect, control access and control use of information relating to the people who work for them.
In addition, all businesses to some extent worry about protecting the business information which, if disclosed to a competitor, has the potential to cause real or significant harm.
If not safely captured and backed up, there is also the potential for the wealth of knowledge, skill and experience that key employees build up over time, walking out the door when an employee leaves the organisation.
How real is the threat?
The threat is not just theoretical but very real, even for organisations with the most sophisticated systems. The Australian Defence Force (ADF) found this out as reported in early March this year when a highly sensitive military database containing the personal details of tens of thousands of ADF members, was shut down for 10 days due to fears it had been hacked.
In addition, key findings for the July to December 2019 reporting period by the OAIC include:
How does implementing an Information Security Management System (ISMS) protect your business information?
Many of our clients who we have already assisted in implementing and becoming certified to one of the other ISO Management Standards, come back to us asking advice on whether to implement an Information Security Management System (ISMS).
The great news is that there is an ISMS Standard that is part of the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) family of standards: ISO 27001:2013, and it’s completely aligned with the high level clause structure of:
Information comes in many forms including:
This data needs to be protected utilising tailored controls to ensure that there is no compromise to:
- Confidentiality, ensuring information is only accessible to authorised individuals, for example employee data must only be accessible to authorised HR personnel.
- Integrity, ensuring data is intact and complete, avoiding unauthorised changes, both malicious, such as by a disgruntled employee, or accidentally, by inexperienced employees.
- Availability, ensuring information is available to the people who need it, when they need it. This means your systems need to be reliable and always accessible to authorised people when required.
The five main Benefits of an ISMS:
- Increases resilience to attacks and breaches.
- Protects the confidentiality, availability and integrity of your data.
- Reduces costs by utilising a business-wide framework enabling proactive and fast response to new and emerging threats.
- Enhances company culture ensuring all employees take a risk based approach to their work activities, by being involved with an independent regular review of your ISMS.
- Provides a strong marketing tool to use when providing reassurance to existing and new customers that their data is safe with you.
How can we help?
Whether you are already certified to one of the other ISO Management Standards, or are considering implementing your first Management System, ISO Certification Experts has the expertise and experience to assess whether your business would benefit from implementing an ISMS to meet the certification-readiness requirements of ISO 27001.
If our recommendation is to go ahead, we can find out the current state of your work practices via a Gap Analysis report detailing the actions required to fulfill the requirements of the ISO 27001 Standard. Following that we can further assist if required with closing these action items to get you certification-ready!
Where to from here…