Mark Wilshaw, Cyber Security Services Manager and Information Security Manager at SYTECH.

SYTECH’s Mark Wilshaw: Advancing information security and heightening protection in wake of global IT crash 


Businesses across the region are continuing to grapple with the aftermath of last week’s widespread IT outage, triggered by a software update at cyber security firm CrowdStrike. With a significant number of devices heavily impacted globally, Mark Wilshaw, Cyber Security Services Manager and Information Security Manager at SYTECH, explores the importance of business continuity planning and the critical role of ISO 27001.

“Business Continuity Planning (BCP) is crucial for any business; it involves the implementation of systems that can help a company prevent and/or recover from potential threats. These threats can range from loss of utilities to a large-scale cyber-attack. The recent CrowdStrike incident would be covered in continuity planning by assessing the reliance on specific services used by the business and, through a process of risk assessment and business impact analysis, identifying mitigations such as having backup services that can be used when the primary service is unavailable.

Having carefully considered plans for business continuity means that if the worst were to happen, there would be a defined process in place to follow. As a result, this reduces the time wasted in the panic of reacting to situations and ensures the best possible outcome.

BCP is a key element of both the international standard ISO 27001 and the National Cyber Service Centre-based scheme IASME’s Cyber Assurance. Working towards these standards would naturally improve a business’ posture in reacting to situations such as those seen recently.”

Information Security Standard 

ISO 27001, officially recognised as ISO/IEC 27001, is the world’s leading standard for information security. It plays a critical role in creating security risk awareness, improving information security management systems and reducing the risk of security breaches, cyber-attacks and unprecedented threats within organisations.

ISO 27001 rests on three main principles: the confidentiality, integrity and availability of data and information. The standard can be implemented by organisations of all sizes and sectors, and provides a structured framework for establishing, implementing, maintaining and modifying an information security management system.

To achieve ISO 27001 accreditation, organisations are required to establish a tailored information security management system (ISMS). This system contains the set of policies, procedures and controls that determine how an organisation manages its information security risks. Other requirements include risk assessment, risk treatment, evaluation, internal audits and continual improvement.

By establishing a robust ISMS and certifying for ISO 27001, you can give your organisation the best possible chance of achieving information security excellence and preventing cyber-attacks in years to come. 

Hayley Johnson

Senior journalist with over 15 years’ experience writing for customers and audiences all over the world. Previous work has included everything from breaking news for national newspapers to complex business stories, in-depth human-interest features and celebrity interviews - and most things in between.
