, , ,

The increasing importance of ISO 27001 certification

Let’s do a little refresh about the ISO 27001 and 27002 standard. Back in the nineties the British Standard Institution (BSI) published the British Standard 7799, written by the UK Government’s Department of Trade and Industry. This standard consisted of 2 parts:
– Part 1 was a code of practice which could be seen as an ‘extensive buffet’ of security controls which could be implemented to manage information security
– Part 2 contained the specifications on how to implement an ISMS, including the introduction of the Plan-Do-Check-Act cycle in a future release.

Later on, both parts were adopted by ISO. After some revisions and name changes the BS 7799-1 standard is nowadays known as the ISO 27002 standard, while the BS 7799-2 standard is now known as the ISO 27001 standard.

As far as certification is concerned, it is quite obvious that an organisation can only become ISO 27001 certified. ISO 27002 certification is not possible as this standard only contains best practices and guidelines. About a decade ago Belgian companies were not very eager to obtain certification. And why should they? There was no real pressure from governments, clients or other organisations to clearly prove they securely manage information. And of course there were not that many threats as we face today. During the last few years we noticed a significant change. Why? On one hand, organisations need to protect themselves against the continuous introduction of new cyber threats, cyber attacks, vulnerabilities, technologies, social engineering techniques and even human errors. On the other hand, organisations are required to comply with new legislations as well as specific industry standards.

The GDPR requires organisations processing personal data to ‘adequately protect data’. But when is your data ‘adequately protected’ and even more: how can you easily prove you ‘adequately protect’ your data? ISO 27001 certification is one of the answers. Obtaining the certificate indicates that your organisation followed a risk based approach to identify and implement effective and efficient security controls to protect information on a continuous basis. As such, the certificate will be a great value when proving ‘adequate protection of data’ towards data protection authorities.

As far as the Belgian application of the European ‘Directive on security of network and information systems’ (NIS Directive) is concerned, we can determine that ISO certification will also be the preferred way to prove that an ISMS is maintained and that efficient security controls are in place to appropriately protect information. The transposition of the NIS Directive into a Belgian law is still in progress. As soon as the law is effective and the applicable organisations are notified, organisations have twelve months to adapt their information security policy and another twelve months to have all security controls implemented.

Both GDPR and the NIS directive indicate that obtaining or maintaining ISO 27001 certification will become more important than ever. At Toreon we already assist several organisations from different sectors getting ISO 27001 certified. Our direct and pragmatic approach is already appreciated by several customers. The Toreon GRC team will be more than happy to guide you through the complete certification process!

, ,

How not to google the NIS regulation

When looking for the EU Network and Information Security directives I found out that googling just ‘NIS’ does not reveal the hot potato I was looking for. The first page of the Google search results pointed me in the direction of Nis, a city in Serbia. Things to do, reviews from travellers, where to eat, buying flight tickets… Anything you want to know about the he second largest city of Serbia, but no sign of the directive.

Hold on … maybe there is … . but I admit it’s quite hidden. Let me explain.

On one hand, citizens of Nis are connected to the electricity network and the digital network, they use and drink water, they go to banks for their financial stuff and … they even have an airport: The Constantine the Great airport! On the other hand, NIS is applicable to a variety of sectors such as energy, transport, health, the financial sector, water supply and digital infrastructure. All these sectors are active in Nis!

So yes, there is a clear link between Nis and NIS. I hear you thinking: So what? Nice story, but what’s your point? Well … you ‘re absolutely right. There is no point and in fact there is even no link. Another Google search revealed that after all Serbia is not a member of the EU (yet) meaning that NIS is not yet really applicable to Nis.

What a pity… that’s where this story ends.

Providing details about the notification of security incidents, how to handle cross-border incidents, the role of Enisa and how ISO 27001 can play an important role towards NIS compliancy… They just don’t fit in this story anymore.

But don’t worry, I’ll consider writing another post to explain these interesting matters, but first … I will check some reviews from travellers to Nis.