The Quality Hub Podcast


Episode 25 The ISO 27001 Standard


In this episode of “The Quality Hub” podcast, host Xavier Francis interviews Patrick Gagner, a Cyber Consultant at Core Business Solutions, about ISO 27001 and information security management systems. Pat explains ISO 27001 as the standard for an Information Security Management System (ISMS), emphasizing its risk-based approach to safeguarding the confidentiality, integrity, and availability of information. Pat highlights common challenges organizations face and emphasizes the importance of leadership’s commitment to long-term security benefits.

Core Business Solutions publishes ISO Certification podcast episodes weekly. You can find more episodes here.


Episode 25 Key Content

Hello, everyone, and thanks for listening to the Quality Hub chatting with ISO experts. I’m your host, Xavier Francis. Today we’re here with Pat Gagner, a cyber consultant for Business Solutions. Thanks for being here today.

Thank you for inviting me.

Well, it’s a pleasure having you here. Now, as many of our listeners know, we’re in the middle of exploring a range of different ISO standards on our podcast. At Core Business Solutions, our ability to work with companies extends well beyond 9001. We support our customers with consulting, training, software, and a comprehensive array of ISO standards.

In addition, we support cyber security, NIST, and CMMC compliance and certification. But today we’re going to be talking about ISO 27001 and the information security management system. But before we begin, let’s learn a little bit about his journey. Can you tell us a little bit about yourself there?

My background has been in supercomputing for a couple of decades, so a lot of our customers are government entities and agencies. So I’ve lived in the information security world for a long time. I came to the Core. I have a good ISO background in quality and information security. I’ve been doing information security for probably the last three years with the 27001 standard.

Okay. Well, we certainly do appreciate you being here and sharing your expertise and your experiences. So to start us off, what is ISO 27001, and how does ISO 27001 help organizations manage information security risks effectively?

Well, ISO 27001 is an internationally recognized ISO standard that outlines the requirements for an organization to establish an information security management system. We offer a systematic approach to identifying, assessing, and managing information security risks, aiming to safeguard the confidentiality, integrity, and availability of information.

So that’s why we call that a CIA pyramid, correct?

That’s correct. You hear that quite a bit in information security. We then emphasize the risk-based approach, and we help organizations tailor their security efforts to their unique circumstances, fostering a culture of continuous improvement. Through documentation of policies and procedures and implementation of controls, we guide organizations in establishing effective security measures, thereby reducing the likelihood of data breaches and enhancing stakeholder confidence. And that’s the end goal.

Are there some specific controls involved with the standard?

Yeah, there are many controls, I’ll put it that way.

So are we talking about thousands? Hundreds?

Yeah, I would say ballpark we will just say 100 controls.

Wow. So that’s still a whole lot of stuff you have to look at.

Right? And you know, what you want to do is integrate principles into your operations. The organization can strengthen its data protection measures, aligning with legal and regulatory items. And quite honestly, some companies don’t realize they have legal and regulatory items. What you want to do is build your reputation and your trustworthiness of information handling practices.

Well, that certainly does sound good to me. I mean, minus the “Oh, you mean we have legal requirements for this?” I guess that would be like, “Oh, you mean we have to look at this from that perspective, too?” And I think a lot of people don’t realize that.

And, you know, the certification process, I’ll just kind of touch on that a little bit. It involves independent audits and serves as an external validation of the organization’s commitment to information security, as well as fostering a high level of trust amongst customers, partners, and stakeholders. Of course, we’re trying to avoid the data breaches. They can have severe consequences. The 27001 standard offers a comprehensive solution to proactively manage information security risks and ensure the long-term resilience of an organization’s sensitive information.

Well, those are good outcomes that we would like to have from something like this and from implementing the standard. Could you provide some examples of the types of security controls that 27001 recommends for safeguarding sensitive information?

Yeah, ISO 27001 defines many excellent security controls to safeguard information within the organization. These controls span various domains to address different aspects of information security.

Now, I noticed you keep saying and mentioning information. So this standard isn’t strictly for cyber security, correct?

Correct. Absolutely.

Okay. So it goes beyond and looks at companies’ information as a whole. Probably both physical and digital. We deal with a lot of small companies, but bigger companies have to deal with security getting in and out of the building as well.

Yep, absolutely. And these controls that we’re talking about, I’ll just touch on some of them.

Okay, that would be great.

So access control, and that’s kind of a big general term, but the standard advocates for stringent user authentication methods, access rights management, and proper user provisioning and deprovisioning procedures.

So that’s like who would have access? Is this where we implement least privilege?

Right. Absolutely.

So you want to give only the permissions to somebody that they need to do their job?

Yep. Yep. Role-based. You’ll hear that terminology used. Yep. You don’t want any individual contributor accessing everyone’s HR record. That can, yeah.

Right? Yeah. Or something that might not be pertinent to their job. What other controls or examples might you have for those?

So, like you previously mentioned, physical security. These are the physical measures encompassing securing a facility with access controls and surveillance systems, and even securing the disposal of media containing sensitive information.

So we’re talking about like a thumb drive even.

Absolutely. Yep. Yep. Thumb drives, even your laptop. You want to securely dispose of it.

Oh, yeah. Yes. You know, if the CEO is getting a new laptop, how do we deal with the old one? The information’s on there.

Right. Network security is another area. Deployment of firewalls, intrusion detection and prevention systems, and encryption protocols ensures the confidentiality and integrity of data transmitted over networks.

Okay.

Another control would be incident management. The organization needs robust incident management, response and reporting mechanisms, and timely investigations to minimize exposure to further potential damage.

So what happens when not if, but when you have a security incident?

Right. You need to respond to it and respond to it properly. Have a plan in place.

Let’s say somebody finds out they have a virus on their computer. What do they do? That’s incident management as well.

Absolutely. You know that it could affect confidentiality. Depends on what that virus is doing. This could affect accessibility and integrity. Most of the time it’s integrity because you hit the blue screen of death.

Yeah. Yeah, we all love that when we happen to have that happen. Is there anything else?

Yeah. One last thing that businesses get to realign to information security, and that’s business continuity and disaster recovery. Just prepare to have an established plan, maybe vendor management strategies, and recover well with ongoing employee awareness and training initiatives to foster a culture of security and build vigilance, I guess I would say.

I mean, I know here at Core, we’ve implemented this probably, what, four or five years ago now. We’ve had initiatives both in training, but it does help you to determine not just what to look for, but in some of those trainings, it goes through some of our policies of, okay, you know, hey, the antivirus pops up and says, hey, you got something on your computer. What do I do about that? Who do we contact? That kind of thing.

You know, just like you want quality, you want a quality culture. Everyone is trained in and aware of that. Same thing with information security. You want an information security culture where their eyes are open. They question everything, you know.

I think, you know, as we go through some of these controls and even from ISO as a whole, I think businesses can benefit from using the structure and the framework 27001 gives you. I mean, we talk about all of these controls, but you can put things within a framework now of understanding them better, you know, and also how many different ways your information can be put at risk. With this in mind, what are some common challenges faced by organizations during that 27001 implementation, and how can they overcome them?

Yeah, organizations often encounter common challenges when implementing an information security management system compliant with 27001. One of the big ones is resource allocation. That’s a significant hurdle.

The process demands time, funding, and skilled personnel to accomplish it. To overcome this, I recommend to organization leadership that they convey the long-term benefits of the improved security posture and the risk reduction. Staffing the project with the right allocated resources fosters a widespread understanding of the value of a successful implementation.

Yeah, I mean, you know, when you’re talking about resources, I mean, there’s a lot that can go into it, whether it’s equipment, whether it’s staffing. You know, you’re talking about all of your information that could be within a business. It’s not like you can just assign one person, and more than likely that resource allocation could be a challenge.

It certainly can. The 27001 requirements can be daunting to address. Of course, organizations can seek out guidance from experts and consultants experienced in 27001, like us, you know.

Or for Core Business Solutions.

As I said before, we can provide tailored strategies and interpret and translate the standard for customers, making it suitable for the context of their organization.

Yeah, having some of these controls can certainly be difficult to interpret. I’ve read some of these things and it’s almost like legalese for information security. Having someone to guide you really can be helpful.

I 100% agree. Even some auditors have different perspectives. So, you know, the organization must tackle the resistance to change by involving employees from the start. That helps in emphasizing the rationale behind the changes and offering comprehensive training to ease the transition. By addressing the challenges with a strategic approach, organizations can pave the way, you know, to successful ISO implementation by having fortified information security practices in place.

Absolutely. I can see where that’s helpful. And I know that when we here at Core, like I said, I think it has been about four or five years ago when we became certified, you know, some of the security items that we needed to change and implement were a little bit annoying, quote-unquote, if you will. And sometimes frustrating. You know, you’re used to doing things a certain way, but our leadership provided the framework to know why we were doing it.

It’s like we’re doing this, you know, they show us the potential harm and it’s like, okay, this is important. So they showed us why we’re doing it and they led by example. It wasn’t one of those things like, I’m throwing all these rules on you, but I’m the CEO. Or, you know, Scott was as much involved in this and he made mistakes and some of the training he got caught in, you know, you go into remedial training, you know, but he was honest about that.

So that made us feel like this is a change, but it’s a change for the better. And it helped us develop that culture of security that you talked about. So moving on, what do you see some of the benefits being if a company obtains ISO 27001 certification, and what does it do to enhance an organization’s credibility in the eyes of their stakeholders?

You know, obtaining ISO 27001 certification does bring a host of advantages to organizations by strengthening, of course, their information security practices and enhancing credibility among the stakeholders. By achieving certification, organizations demonstrate their commitment to rigorous security measures, leading to an improved security posture and reduced risks of breaches. This not only safeguards sensitive information but instills confidence in customers, partners, and investors, fostering stronger relationships and long-term trust. Trust is big.

Yeah, it is.

Another place where I have seen benefits is the home life of employees and their families. Everywhere, we are constantly bombarded with information security attacks.

You know, that is so true. I feel that this has helped my awareness outside of work too, and I’ve passed things along to my family and I’ve purchased some software that we use at work knowing that it can help at home and, you know, really communicating that to my wife and my child saying, hey, these are some things we need to be aware of.

Another thing I want to go back to is last week, Scott talked a lot about how we are custodians of our customers’ information. And I think that when you’re looking at your credibility as a business and you have other people’s information, realizing that that’s something that you can have control over. And if there is a breach and you lose control over that, well, that can be devastating to your customers, but also to your long-term life as a business. You don’t want to become one of those businesses that lost all of this information.

Absolutely. And like I said before, a lot of businesses may not realize that they have legal and regulatory requirements that they need to meet. And so if you have a breach, that’s an alignment of one of those regulatory items, such as personally identifiable information, HIPAA, or whatever it may be, that is very devastating to a company. It’s good insurance just to have an information security system in place. Not just the cost, but your reputation to recover from that. How devastating that would be for a small business.

You know, we’re talking about loss of information and some of the legality issues. I hear you saying that 27001 really helps you stay legally compliant and also helps your reputation as a security-conscious business.

Absolutely. The certification signifies the organization has undergone meticulous evaluation by independent auditors and adheres to globally recognized information security standards. It’s a tangible validation that assures, once again, stakeholders and interested parties that the sensitive data being handled is being handled with the utmost care, reflecting an organization’s commitment to maintaining confidentiality, integrity, and availability of information. Now, the ISO 27001 certification stands as a badge of honor.

So how can an organization achieve this standard and then integrate it with 9001 to form an IMS?

27001 has some unique characteristics that other standards don’t have. Of course, we will walk through that and make sure that compliance with 27001 is in place with the controls and the unique system requirements, but there’s synergy in integrating the management system into another like 9001. You can save time and money and create an overall system to manage your organization. It just makes sense to me.

You know, let’s say with 9001 and 27001, you don’t need to go through the stress of two separate audits. With the integrated system, it’s one audit and it’s a thorough audit. Many of the clauses within 9001 and 27001 overlap. I will almost say that it’s clauses 4 through 10 that you are audited on. Out of those, two are unique to each standard. With that being said, there are about seven clauses there that you wouldn’t need to go through twice in a row.

Oh, that’s great. Earlier this year, in one of our podcasts, we met with Suzanne Strausser and she talked about how you can integrate ISO 9001 into what you’re already doing and just do certain things, add them to what you probably have as regular meetings already. So all those same steps that you would take with the internal audits, management review, things like that, you just add a couple more points for your additional standard and it’s not that much of a jump to add it.

Absolutely. And the integration is pretty seamless, 9001 and 27001 in one integrated system. That’s just one less meeting that people have to attend.

Well, that would be helpful. Absolutely. It’s been a pleasure having you on the podcast, and your wealth of knowledge in this subject has been fabulous. I think it helps people understand what they can gain from an ISO 27001 certification. Now, within your experience, do you have any companies that you know you worked with that have had a good outcome from taking their 27001 to another level, and they’ve seen real benefits?

Yes, I do. I would say most of them that do become 27001 certified. You know, it’s like anything: if you take it seriously, it’s going to benefit you. Not only does certification benefit the organization, but it also benefits the employees with knowledge and understanding. For a lot of our customers, 27001 is a stepping stone to other standards, like 20000-1, which is an IT service certification. Some even take a step towards GDPR or 27701, which is managing personally identifiable information. So once you get 27001 under your belt, it gives you some opportunities to pursue other certifications. And if you’re a government agency, it opens the door for more opportunities.

So we’re looking at your benefits beyond just securing the information, and getting you points on certain things or contracts. It can gain you a reputation, it can make you stand out, you know, against another company that may not be 27001 certified, and that might be the push over for you to get a contract with someone.

Absolutely. That’s what I’ve seen now.

Well, that’s great to see. That’s great to see. It’s cool to hear all that you’ve had to say today. I want to thank you for being here. Great information. I’m sure we’ll have you on again as well.

Thank you. I enjoyed this.

That’s great. And we want to thank everyone who’s listened to our podcast today. We hope it’s been informative for you and you’ve learned a little bit more about 27001. If you’re looking for more information about Core Business Solutions and how we can help you with ISO certification or cybersecurity and all the standards that we support, please email us at info@thecoresolution.com. You can also check out our website at www.thecoresolution.com. And if you haven’t already followed us on your favorite podcast platform, be sure to do so. That way you won’t miss the next Quality Hub podcast when it’s released next week. Thanks for listening, everyone, and have a great time.