A blog about GRC (Governance, Risk Management, and Compliance)

How will NIS2 impact an information security manager?

Wednesday, 05 July 2023 / by Neupart under ISO 27001, NIS2, CISO, ISO 27002

NIS2 will have practical significance for you as an information security manager, as the requirements of the directive are directly aimed at the administration of information security.

If you need further information about NIS2, click here to get a handle on the NIS2 basics.

Do you need to explain what ISO 27001 is?

Tuesday, 06 April 2021 / by Neupart under ISO 27001, Information Security Management, Information risk management, ISMS

We've produced this video to help you communicate the main components of an Information Security Management System (ISMS), as described in ISO 27001. You may need this information when talking to your company's management team and getting them on board with securing your business.

Watch the video explaining what ISMS and ISO27001 are.

These four facts about ISO 27001 and an ISMS are vital in your work as someone who deals with information security, risks, or IT in general. Understanding the fundamentals and getting started the right way is the biggest step of them all.

The four facts about ISO27001 are:

  1. ISO27001 is an international standard about how to manage your information security
  2. You must know your risks!
  3. You need an Information Security Policy
  4. It is a process, not a project!

We are experts in information security (ISO 27001/-2) and GDPR, and our ISMS is an intuitive cloud-based platform where you can handle everything you need in regards to both ISO27001/-2 and GDPR.

Get deeper into information security, GDPR, and our ISMS either by browsing our knowledge base or visiting the main ISMS page here.

ISMS: The value you can measure is the value you deliver

Monday, 12 November 2018 / by Jakob Holm Hansen under ISO 27001, ISMS, annual information security plan

ISMS performance monitoring allows security officers to document specific business values while also enhancing the level of security within the organisation. A white paper provides inspiration on how to select, define, and monitor effects in an ISMS solution.

Why You Should Be Carrying Out a Risk Assessment

Saturday, 08 July 2017 / by Jakob Holm Hansen under ISO 27001, Risk management

Most organisations know that performing a risk assessment is good practice. However, not all organisations actually do risk assessments, and those who do often approach them in the wrong way. All too often, risk assessments are treated as a project that can be finished and then forgotten, whereas in reality risk assessment and risk treatment are an ongoing process.

Risk Assessment And Risk Treatment Are a Process

Risk assessment is a process, not a one-off project. The reasons for this can be boiled down to these three points:

Why should managers be interested in information security?

Wednesday, 25 February 2015 / by Jakob Holm Hansen under business continuity, compliance, it security audit, information security, ISO 27001, Best practice, Information Security Management, security requirements, ISMS, cyber attack, Risk management

You should be involved in security because security means something to your customers, and because cyber attacks and security incidents are now occurring in all kinds of businesses. We have all seen the numerous examples of data breaches, attacks and other security incidents in the news. Often, one might expect or hope that the organisations involved were better protected than they actually were. Information security is very much on the agenda, both in the business world and in the media.

Your customers, regardless of whether you sell directly to customers or to other businesses, are presently interested in the topic. That is why you as a manager and a senior executive should take an interest in whether your organisation is sufficiently prepared for a major cyber attack or a systems crash. That should be as good an argument as any! However, there are even more good reasons that I would like to share with you.

Brand image and profitability: Perhaps you have spent years slowly but surely building credibility for your brand name(s). You want your customer to have confidence in you. One security incident can quickly serve to reduce the trust and confidence you have gained to such a degree that even the best (or most expensive) image campaign will not be able to bring it back.

Fees: Add to this the enormous costs to you when you need to deal with a major security breach. Such costs are incurred both due to the incident itself and the following investigation, cleanup and restoration. Theft of company secrets and/or intellectual property rights, as well as industrial espionage can obviously be expensive and even a threat to the very existence of some companies. Afterward, it will surely be shown that more investment in preventive security measures would have made good sense and would have saved money. Moreover, since the threat will continue to develop, it would be a good investment for the future as well.

Legal Statutes: You are subject to certain legal requirements demanding that you have a sufficient level of information security. Bear in mind present and future Personal Data Acts. The future EU personal data legislation (a regulation) is expected to be passed so that it will apply in all EU Member States. It provides for companies to pay fines of perhaps as much as 5% of their turnover for computer security breaches. There is a comprehensive requirement that the affected parties be notified (data breach notification), which is both expensive and difficult to perform. Add to this a number of industry-specific requirements: for example, that financial enterprises must comply with financial supervisory authorities' requirements concerning information security, requirements placed on the energy sector and the health sector, and the requirement for state-run enterprises to comply with the ISO 27001 standard.

Governance Requirements: Corporate governance requirements determine 1) that management set out the procedures necessary for risk management and internal controls, 2) that the administration take a position on strategic and commercial risks, and 3) that managers who have negligently caused the company to suffer damages shall pay compensation for such damages. In other words, there is also an array of legislative reasons to be interested in information security.

Review: You likely also strive for your review to be consistent with most of everything that might be found in those long review guidelines. Your information security will also be reviewed. Keep in mind as well, that regardless of the fact that accounting firms play a dubious double role (at the same time offering a wide range of both executive and advisory consultancy services within the field of information security), it pays for you to prepare for the review proactively. It should be easy for you to document that you are in control of your information security.

However, what should you as an executive do, in addition to taking an interest in the topic? Easy: a) you should communicate to your organisation that security is important and that it is a basic condition for your business activities, and b) you should investigate whether you have allocated sufficient financial and human capital in your organisation to deal with the everyday, practical management of your information security.

If you want to get a little bit deeper into the subject, I recommend you examine your maturity level in these areas:

  1. Policies, rules, procedures and documentation

  2. Risk management (risk assessment and continual risk treatment)

  3. Incident management and contingency plans

Proper governance and management of information security has become a common best practice simply because it has become a necessary condition for most commercial activities. That is why a manager should be interested in information security.

How to measure ISO 27001 ISMS efficiency with KPIs

Wednesday, 23 April 2014 / by Jakob Holm Hansen under ISO 27001, Information Security Standards, Information Security Management, KPI, metrics

Efficiency and productivity are discussed in many contexts. In information security management, it also makes sense to ensure processes are working effectively. But how do you measure whether your information security is effective and whether it is developing in the right direction?

Has 'Plan-Do-Check-Act' disappeared in the new ISO 27001?

Friday, 04 April 2014 / by Jakob Holm Hansen under ISO 27001:2013, ISO 27001, Information Security Management, Information risk management, overview information security management, Compliance and task management, plan-do-check-act, ISMS, ISO Standards

The Plan-Do-Check-Act (PDCA) process originates from quality assurance in production environments, but has for some years also been a requirement in the ISMS standard ISO 27001 (ISMS = Information Security Management System).

IT Risk Management increases your IT outsourcing success

Monday, 03 June 2013 / by Jakob Holm Hansen under ISO 27001, IT Outsourcing, Information risk management, Threat assessments, Risk assessments, Outsourcing, SecureAware, ISO 27005

IT outsourcing can be a highly positive experience.

Six questions about the ISO 27001 revision (with answers)

Tuesday, 30 April 2013 / by Jakob Holm Hansen under ISO 27001, NIST SP 800-53, Information risk management, BrightTalk, Risk management

How does the ISO 27001 revision impact your risk management?

Three ways the ISO 27001 revision will affect your company

Monday, 15 April 2013 / by Jakob Holm Hansen under ISO 27001, KPI, ISMS, ISO 27001 revision, ISO 27005, ISO 31000

It has been eight years since the ISO 27001 standard was last revised but now changes are coming.

GRC blog

The NorthGRC blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.