Dispelling myths around information security and GDPR was the order of the day at the ISO 27001 Nationwide Roadshow, which began this morning in Dublin. The title was ‘Infosec vs GDPR’, but the content of the presentations showed how protecting information in a systematic way is common to both.
This was the first in a series of breakfast seminars from Certification Europe, in partnership with BH Consulting. The roadshow is taking place around the country from 4 October to 16 November.
GDPR as a four-letter word
Information security expert Brian Honan of BH Consulting began with a brief overview of GDPR. Describing it as “a four-letter word in management and IT”, he said there are many misconceptions around the regulation. Coverage to date has focused on fines for non-compliance and a sense of “how bad GDPR is going to be”. In fact, its origins lie in protecting personal data about individuals. “We all have a right to privacy… it’s a right we shouldn’t take lightly or surrender easily,” he said.
GDPR comes into force on 25 May 2018, but many organisations aren’t ready for it. (No one in the audience raised their hands when the compere asked if they were fully compliant with the regulation.) Fortunately, Brian provided some reassurance. “If you are compliant with current data protection law, you’re probably 85% compliant with GDPR. Forget about the fines. If you have a good data protection regime, or if you are using the principles of an information security management system [ISMS], you are well on the way to being compliant.”
An ISMS is where ISO 27001 comes in. Brian described it as an information security standard covering all information, whether in electronic or physical format. The process of reaching the standard starts with identifying where key data resides, assessing the risk to that information, and establishing policies around it. “That is as important as any security framework because that sets the tone for the organisation,” he said.
Jason Farina, Revenue Commissioners
The Revenue Commissioners and ISO 27001
The Revenue Commissioners was one of the first organisations in Ireland to become certified to the ISO 27001 standard. Jason Farina, team leader for IT Security and Forensics, described the standard as “a framework with best practice in a lot of areas. It covers nearly everything to do with IT.” In his presentation, he explained how Revenue used the standard and the resulting benefits.
The main reason for adopting ISO 27001 in 2009 was the move to 24/7 operations for its two public-facing websites, revenue.ie and ros.ie. This would ensure the sites could scale while maintaining security. On the journey to certification, one of the most important steps was a gap analysis that looked at Revenue’s current state and where it wanted to be.
A critical part of becoming certified to ISO 27001 is gaining support from the top of the organisation – even if the IT team is ultimately driving the project. “You really need management buy-in from the start. A security operative trying to say ‘you must obey this rule’ really doesn’t have the authority,” said Farina.
Although “scope creep” is a phrase most project managers dread, Farina said this is positive in the context of ISO 27001. Having done the certification work when developing an asset register, for example, it became much easier to extend that mindset to other parts of the Revenue Commissioners. “As a result, we’ve increased our security throughout the organisation,” he said.
Informing staff about ISO 27001 was one of the biggest benefits for the Revenue Commissioners. “As staff move from section to section, they bring their knowledge of ISO 27001 with them. They raise the standard of security in every section by asking for security best practice. That has benefits for the internal culture and dealing with outside agencies,” he said.
Embedding a security-aware culture
Certification Europe CEO Michael Brophy took up this theme. Usually, organisations first want to become certified to ISO 27001 in order to bid for tenders or meet contractual requirements. As time goes on, the certification starts having a wider impact on the culture. “People are now aware of the risks around information security. Senior management give it their time. Budgets are made available. That begins to filter out with conversations with contractors and customers,” he said. “People learn the vocabulary of risk and methodology of risk, and take it to other parts of the organisation. A rising tide lifts all boats.”
Brophy dispelled the myth that pits information security and GDPR against each other. “It’s not one or the other. Actually, it’s one and the same thing: protecting information in a structured, manageable way,” he said.
A-la-carte security controls
He addressed the misconception that organisations need to apply all ISO 27001 controls everywhere. “Nobody does it all, and nobody does it across the whole organisation.” Instead, he likened the standard to an à la carte menu. Organisations identify their key risks and choose from the 134 controls those that apply to their needs.
Brophy said it was wrong to assume the standard relates to IT only. Technology is a key element, but it covers areas outside the remit of an IT manager, such as staff awareness and training. He echoed Jason Farina’s point by saying: “an IT manager may volunteer to be the project manager for ISO 27001, but it needs buy-in from all parts of the organisation.” There is also no technical fix for ISO 27001. “This is a people, process and technology solution – in that order. You’ve got to have people who understand the risks. The technical solution is almost the last part,” he said.
The standard also becomes a framework that can apply to projects that don’t strictly fall under the information security umbrella. Consequently, that brings time savings and efficiency gains when dealing with legislative compliance, Brophy said. “You’re not starting with a blank sheet. You have a framework for recognising the risk and putting in place controls.”
Around 100 people attended this morning’s seminar, which shows how the topic is gaining the attention of business and IT. The roadshow continues with events in Cork on Wednesday 18 October, Athlone on Thursday 9 November and Belfast on Thursday 16 November. More details and links to register are here.