Chapter 1: An urgent issue
Information and cyber security has been a headline topic for several years, but it was once seen as a problem for the IT department to deal with along with the usual software bugs. The increasing number of high profile attacks and their financial and reputational consequences have seen the issue take on a new significance.
There are several types of threats with different motives. At the lowest level, an attack is best described as digital vandalism, with no motive more sinister than disruption for its own sake. Beyond that, attacks may aim to extort cash from the business directly, to steal client details – particularly financial details that can be used for criminal purposes – to carry out commercial or industrial espionage by stealing patents and sensitive information, or simply to cause maximum disruption through a malicious attack by a rival or disgruntled employee. In the worst cases, where the organization provides a vital service such as power production and distribution, health, financial, logistics or travel services, the threat is usually aimed less at the organization itself and more at the public or the state.
Understanding how threats arise and developing systems to deal with the issue is a vital task for any organization.
Chapter 2: The information security threat
A cyber attack rarely comes out of the blue – although it may appear to do exactly that – and experts suggest there are seven stages before the attacker’s ultimate objective is achieved. First comes reconnaissance of the organization, which may involve targeting individuals with so-called phishing e-mails. The more time the attackers spend gathering information about the people and systems in the company, the more likely the attack is to succeed.
After this, the attackers attempt to infiltrate the target’s network using a variety of means. In the exploitation phase, they start to reap the rewards of preparing and carrying out the attack. Having gained a foothold, they then secure continued access to the network for as long as is needed to achieve their objectives.
Once they have unrestrained access to the entire network and to administrator accounts, all the tools required for the command and control phase are in place. This is the point at which the attackers can, if they choose, lock the company’s IT users out of the organization’s entire network, perhaps demanding a ransom to restore access. The final phase, actions on objectives, is where the attackers achieve whatever goal they set out with.
Chapter 3: Where are companies now?
In 2021 DNV conducted a survey aimed at discovering where organizations believe themselves to be along the road to a secure information system. A similar survey was conducted in 2015 and the difference in responses is intriguing.
In the intervening period, information security has become increasingly important and much more knowledge has found its way into corporate boardrooms. However, the share of organizations reporting a mature or leading information security system has increased by only around 4 percentage points. More than half (55%) still see themselves in the early stages of system maturity.
Two out of three organizations see having appropriate personnel to manage information security as the most important factor. Investment is shifting from technical measures to personnel. Providing information security training to staff is rated higher among companies in 2021. Looking ahead three years, two in three indicate that information security investment levels will be the same as or higher than today.
Companies with a certified information security management system are more sensitive and responsive to change. Close to 80% say they have either completely or partially completed the alignment process to fit the new digital environment. These organizations also seem more receptive to embracing the “zero trust” model, in which no user or device is trusted by default and every access request must be verified.
Not surprisingly, mobile devices and innovative technologies are seen by many organizations as having a high impact on cyber security. However, AI is not yet seen as a game changer, with only 15% of respondents believing it has a big role to play.
Chapter 4: Certification to gain control
Organizations that apply a structured approach to information security management will most likely already be certified to a recognized international standard or well along the road to certification.
Certification demonstrates a commitment to proactively manage and protect information assets and to ensure compliance with legal requirements. ISO/IEC 27001 is the most widely recognized international standard for information security management systems and is designed to be compatible and harmonized with other ISO management system standards.
Just as the cyber threat is evolving, so is the ISO standard. A revised version of the standard (ISO/IEC 27001:2022) was published on October 25, 2022. The main change relates to the security controls and guidance to help companies build trust in how they are working to protect business critical assets.
The main benefits of the new version for certified companies are that it:
- Addresses new scenarios and risks;
- Helps understand other security perspectives;
- Includes cyber security and privacy aspects;
- Includes new controls to ensure new scenarios and risks are not missed.
Chapter 5: Continual improvement
One of the key features of an information security management system – whether certified or not – is an understanding of the most common risks and how pitfalls may vary across industries. This requires organizations to keep up to date with the constantly evolving threat landscape and to adapt and develop systems to meet and overcome new challenges. On a practical level, regular internal and external audits will highlight problems. However, third party certification provides an independent evaluation of the management system’s performance and builds trust internally and externally in the company’s ability to safeguard critical information assets.
Moreover, maintaining a management system and its certification is a continual journey. Going beyond the mandatory certification audit once a year, DNV customers get access to digital tools for self-assessment of individual knowledge and management system performance, for benchmarking performance and for preparing for internal and external third-party audits. With access to supporting knowledge and insight every day, companies are better geared to continually adjust their risk picture, improve the management system and measure performance.
Chapter 6: Summary and key takeaways
In today’s digital business environment, all companies are increasingly exposed to information security risks. The recognition that security threats could easily halt operations means it is no wonder that cyber security is now on every corporate agenda. Organizations must manage current threats and prevent future risks to build stakeholder trust and minimize risk of financial losses and disruption.
Those behind cyber attacks continually evolve their methods and purposes. Organizations therefore need to recognize that the problem is dynamic and that security management systems must evolve in parallel. Information security management is about mitigating short-term risk, but it is also necessary for building long-term resilience.
Putting in place a robust structured framework to identify, manage and mitigate risk, based on ISO/IEC 27001 requirements and guidance, will drive continual improvement and strengthen business continuity. To become certified, the management system must be implemented in compliance with the standard’s requirements.
As an accredited third-party certification body, DNV can be your partner throughout the journey. From relevant training on the standard, to self-assessment, benchmarking and audit preparation tools, to gap analysis and the certification audit itself, our technical experts are committed to supporting your entire journey.