Where you go and what you do, in an environment surrounded by systems managing other systems managed by people, security seems to be the word that keeps people awake at night. The main cause of this issue is the fundamental foundation of security awareness & training not being properly established and integrated into the organisations culture. So how can this be prevented? How can we build a sound resilience of security controls throughout the organisation? Yes that’s right, through ISO22301 & ISO27001 training and awareness.
I’ve recently undergone a Security Assessment for one of my clients against ISO27001 Information Security Management System and it seems to be the common trend amongst many organisations that dedicated security staff are not assigned to specific roles but instead a shared role in a staff’s position. Then I thought, due to our expanding nature of the organisation itself and shrinking staffing positions with staff handling multiple roles at the same time, it may be time to consider all staff to be trained properly as these reduced staff numbers also makes the organisation vulnerable e.g. when a staff leaves, made redundant or is sick, these roles are holes that ultimately opens the security doors to attackers.
Other considerations include controlling inbound and outbound of digital data and hard copy documents with external providers & contractors, these may include:
- Review of non-disclosure agreements
- How data is used, stored, disposed, transferred or maintained
- Review of Business Continuity Management Security processes
My final recommendation is that regular Security training and awareness should be conducted and followed by making use of a Security Review and Update calendar to ensure all staff are properly trained and the security controls outlined within your Information Security Policy is fully compliant to ISO22301 and ISO27001.
Author: Tony Shen