
The increasing importance of ISO 27001 certification

Let’s start with a quick refresher on the ISO 27001 and 27002 standards. In the nineties the British Standards Institution (BSI) published British Standard 7799, written by the UK Government’s Department of Trade and Industry. This standard consisted of two parts:
– Part 1 was a code of practice which could be seen as an ‘extensive buffet’ of security controls that an organisation could implement to manage information security.
– Part 2 contained the specification for implementing an Information Security Management System (ISMS); a later revision introduced the Plan-Do-Check-Act cycle.

Later on, both parts were adopted by ISO. After some revisions and name changes (BS 7799-1 passed through ISO/IEC 17799 on the way), the BS 7799-1 standard is nowadays known as ISO 27002, while the BS 7799-2 standard is now known as ISO 27001.

As far as certification is concerned, an organisation can only become ISO 27001 certified. ISO 27002 certification is not possible, as that standard only contains best practices and guidelines for the controls; it is the ISMS requirements in ISO 27001 that an auditor certifies against. About a decade ago Belgian companies were not very eager to obtain certification. And why should they have been? There was no real pressure from governments, clients or other organisations to prove they manage information securely, and the threat landscape was far less hostile than it is today. During the last few years we have noticed a significant change. Why? On the one hand, organisations need to protect themselves against a continuous stream of new cyber threats, cyber attacks, vulnerabilities, technologies, social engineering techniques and plain human error. On the other hand, organisations are required to comply with new legislation as well as specific industry standards.

The GDPR requires organisations processing personal data to implement ‘appropriate technical and organisational measures’ to secure it (Article 32), in other words to ‘adequately protect’ the data. But when is your data ‘adequately protected’ and, even more importantly, how can you easily prove that you ‘adequately protect’ your data? ISO 27001 certification is one of the answers. Obtaining the certificate indicates that your organisation followed a risk-based approach to identify and implement effective and efficient security controls, and that it protects information on a continuous basis. As such, the certificate is of great value when demonstrating ‘adequate protection of data’ towards data protection authorities. One caveat: an ISO 27001 certificate is not in itself a GDPR certification, and it only evidences what is inside the ISMS scope, so make sure the systems and processes that handle personal data are actually covered by the scope and the Statement of Applicability.

As far as the Belgian application of the European ‘Directive on security of network and information systems’ (NIS Directive) is concerned, we expect ISO 27001 certification to become the preferred way of proving that an ISMS is maintained and that effective security controls are in place to appropriately protect information. The transposition of the NIS Directive into Belgian law is still in progress. As soon as the law is in force and the organisations in scope have been notified, those organisations have twelve months to adapt their information security policy and another twelve months to have all security controls implemented.

Both the GDPR and the NIS Directive indicate that obtaining or maintaining ISO 27001 certification will become more important than ever. At Toreon we already assist several organisations from different sectors in getting ISO 27001 certified, and our direct and pragmatic approach is appreciated by our customers. The Toreon GRC team will be more than happy to guide you through the complete certification process!


6 takeaways of the NIS regulation

So, we already learned from Youri’s blog that we are not just looking for good recommendations for a stay in Serbia.

Once we had tracked down the right NIS (Directive (EU) 2016/1148 on security of network and information systems), these were the 6 main takeaways for me:

  1. It’s a directive, not a regulation.
    • Just reading the directive itself is not enough. Since it’s a directive, all member states’ governments have to implement their own laws regarding the NIS.
    • Belgium approved a preliminary draft law, but there is no final version yet.
  2. The main goal is to set minimum standards for cybersecurity preparedness across the EU.
  3. It’s not applicable to all companies. The NIS Directive only applies to Digital Service Providers (online marketplaces, online search engines and cloud computing services) and to Operators of Essential Services (aka critical infrastructure providers) in the following sectors:
    • Energy
    • Transport
    • Banking
    • Financial market infrastructures
    • Health sector
    • Drinking water supply and distribution
    • Digital infrastructure (internet exchange points, DNS service providers and top-level domain registries)
  4. A good way to become NIS-compliant is to implement an Information Security Management System, for instance based on ISO 27001.
  5. The NIS Directive aims for better communication regarding cybersecurity across EU member states. Therefore, each member state needs to have one or more CSIRTs: Computer Security Incident Response Teams. These teams are responsible for monitoring incidents, providing early warnings about threats, and responding to incidents in their country. That is not all they do: they also communicate across borders, so that all member states can learn from each other.
  6. Fines are not defined by the European Union. Each member state is obliged to develop its own system of sanctions. We don’t know yet what these sanctions are going to be in Belgium.

I hope my 6 takeaways are useful, and we will be sure to keep you updated as we learn more about the NIS Directive in the months to come.

If you ended up on this blog while planning a trip to Niš, Serbia: I can recommend the ćevapi for dinner and some rakija for drinks, as I enjoyed both during my stay there.