Information security controls you should implement

The information security controls that all organisations need to implement are heavily dependent on the information being stored, processed or transmitted and the purpose of the processing.  For example, whilst regular penetration testing may be appropriate for some organisations, it may not be required for others.  

This is where risk management comes in.  Best practice dictates that you identify the risks your organisation faces before implementing controls to reduce those risks to a level that is acceptable to your stakeholders.  Risk appetite will typically be defined by directors, shareholders or regulators, alongside the compliance requirements you must adhere to. 

Regardless of the environment you operate in or the size of your organisation, we would strongly recommend you implement an information security management system (ISMS).  Best practice for implementing an ISMS is specified in ISO 27001, the International Standard for information security management. 

A critical step when implementing an ISMS is to understand what information assets you have and then assess the risks associated with those assets.  Here, we would advise you to make use of ISO 27005 (a guidance standard), which sets out a methodology for assessing information security risks that covers identifying assets, threats, vulnerabilities and existing controls. 

To illustrate this key step, suppose you have a CRM system that stores and processes customer data, and some of that data is uploaded to a SaaS marketing platform.  You need to identify the threats that could impact these assets (e.g. personal data might be misused by the SaaS marketing platform) and why you might be vulnerable (e.g. do you have adequate contractual and legal safeguards covering any processing of that data outside the EEA?).  You must then look at the controls you already have in place and ensure these result in an acceptable level of residual risk. 

Some information security control requirements may, however, be dictated to you by legislation or stakeholders.  For example, to process payment card data you must comply with the Payment Card Industry Data Security Standard (PCI DSS), and to be awarded UK government contracts that involve processing data you must hold Cyber Essentials certification.  Both PCI DSS and Cyber Essentials include requirements for applying security patches to in-scope systems, i.e.: 

  • PCI DSS requires ‘Critical’ updates to be applied within 30 days 
  • Cyber Essentials requires ‘Critical’ updates to be applied within 14 days 

However, each requirement applies only within the scope of its own standard (e.g. the systems that store, process or transmit payment card data for PCI DSS), so it is critical that you have a management system to balance these compliance requirements against your own risk appetite. 
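As an added illustration (this is not code from the original page or from URM), the following Python script works out, for each asset, the most stringent patch deadline among the compliance scopes it sits in and your own internal, risk-appetite-driven deadline, and then flags 'Critical' updates that were applied late or are still outstanding past that deadline. The scope labels, the internal 90-day default, and the sample asset inventory and patch log are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Deadlines for 'Critical' updates as cited above (days from release).
# The scope labels are assumptions made for this example.
SCOPE_SLA_DAYS: Dict[str, int] = {
    "pci_dss": 30,
    "cyber_essentials": 14,
}


@dataclass
class Asset:
    name: str
    scopes: Set[str]  # compliance scopes this asset is in; empty = internal policy only


@dataclass
class Patch:
    asset: str
    severity: str
    released: date
    applied: Optional[date] = None  # None = still outstanding


def deadline_days(asset: Asset, internal_sla_days: int) -> int:
    """Most stringent deadline that applies to this asset: the organisation's
    own risk-appetite deadline, tightened by every compliance scope it is in."""
    applicable = [internal_sla_days] + [
        SCOPE_SLA_DAYS[s] for s in asset.scopes if s in SCOPE_SLA_DAYS
    ]
    return min(applicable)


def overdue_patches(assets: List[Asset], patches: List[Patch], today: date,
                    internal_sla_days: int = 90,
                    severities: Tuple[str, ...] = ("critical",)) -> List[Tuple[str, date, int]]:
    """Return (asset, deadline, days_late) for each tracked patch that was
    applied after its deadline, or is still outstanding past it."""
    by_name = {a.name: a for a in assets}
    late = []
    for p in patches:
        if p.severity.lower() not in severities:
            continue
        days = deadline_days(by_name[p.asset], internal_sla_days)
        deadline = p.released + timedelta(days=days)
        reference = p.applied or today  # date it was fixed, or today if not yet
        if reference > deadline:
            late.append((p.asset, deadline, (reference - deadline).days))
    return late


# Constructed sample inventory and patch log (hypothetical, not real data).
ASSETS = [
    Asset("pos-terminal-01", {"pci_dss"}),
    Asset("hr-laptop-07", {"cyber_essentials"}),
    Asset("gateway-fw", {"pci_dss", "cyber_essentials"}),
    Asset("dev-build-box", set()),
]
PATCHES = [
    Patch("pos-terminal-01", "Critical", date(2024, 1, 15), date(2024, 2, 20)),  # 30-day deadline missed
    Patch("hr-laptop-07", "Critical", date(2024, 2, 10)),                       # 14-day deadline, still open
    Patch("gateway-fw", "Critical", date(2024, 2, 1), date(2024, 2, 20)),        # in both scopes: 14 days applies
    Patch("dev-build-box", "Critical", date(2023, 12, 20)),                      # internal 90-day deadline, still in time
    Patch("hr-laptop-07", "High", date(2024, 1, 1)),                             # not tracked: only 'Critical' scored here
]
TODAY = date(2024, 3, 1)

if __name__ == "__main__":
    for asset, deadline, days_late in overdue_patches(ASSETS, PATCHES, TODAY):
        print(f"{asset}: deadline {deadline} missed by {days_late} day(s)")
```

The point the script makes concrete is that an asset in more than one scope (here the firewall in both the PCI DSS and Cyber Essentials environments) inherits the tightest applicable deadline, while an asset in no compliance scope is governed only by the deadline your own risk appetite sets; widen the `severities` tuple if your policy also tracks 'High' vulnerabilities.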

The other advantage of an ISMS is its focus on continual improvement, i.e. it is not just about implementing controls but about checking that those controls are working effectively and, if they are not, modifying and improving them. 

If you would like to explore how URM’s consultancy and training services can benefit your organisation, we offer a ‘no obligation’ discussion with a senior member of our consultancy team. Please let us know the specific challenge you are facing within our areas of expertise e.g. information security (ISO 27001, PCI DSS), data protection (GDPR, DPA 2018) and risk management so that we can arrange a discussion.