Our Blog - for QHSE Compliance Professionals | Mango

ISO 27001 Information Security Management Standard - Principle 7

Written by Craig Thornton | 17/12/17 20:00

Part 8 - Security incorporated as an essential element of information networks and systems

When creating, designing, developing, testing, implementing and maintaining your information networks and your systems - including your information security management system (ISMS) - security must be incorporated from day one and remain a central part from then on.

To start, let’s take a look at the key elements of information security.  These are:

  • Vulnerability
  • Threat
  • Threat agent
  • Risk
  • Exposure
  • Treatment or controls

So what is a vulnerability?  A vulnerability is a weakness that may give an attacker the “open door” they are looking for to enter a building, access a computer or infiltrate your network, and then gain unauthorized access to your information assets.

Next is threat. A threat is the possibility that a person or a piece of software will identify and exploit that vulnerability.

The entity that takes advantage of the vulnerability is the threat agent.

This leads on to risk. Risk is the combination of the likelihood that a threat agent will act on the threat and attack your vulnerability, and the severity of the consequences if they do.  This will have a corresponding business impact, and there could potentially be losses.

An exposure is the instance in which you and your systems are open to losses from a threat agent.

The treatments or controls are the actions that reduce risk, close down the exposure and reduce the vulnerabilities.

It’s important to know that these elements are all related.

Let’s use a software company as an example to describe these elements:

  • Vulnerability: The company uses server software that has a security flaw.
  • Threat: Some employees receive malware in an email.
  • Threat Agent: These are the hackers that created the malware.
  • Exposure: This is the instant the software company’s employees click on the malware and expose the flaw in the server software.
  • Risk: What is the likelihood and severity that the exposure will allow the hackers to exploit the vulnerability and impact the company’s reputation?
  • Treatments or controls: The software company installs server patches regularly and maintains anti-virus protections to reduce the risks to an acceptable level.

Terminology is important when communicating information security to your company and its employees

It’s important to remember that your information networks and your systems are always open to threats.  People are constantly waiting for you to slip up and become exposed.

You need to decide on the risk (the likelihood and severity) of that happening and then reduce the risk with treatments or controls.  Those treatments and controls need to be strong enough to reduce the risk to an acceptable level.  If you can’t reduce the risk to an acceptable level, you will remain vulnerable to more and more threats.
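The software-company scenario above and the rule that controls must bring risk down to an acceptable level can be captured in a small risk register. The code below is an added example and not part of the original post; the 1-to-5 likelihood and severity scales, the amount by which each control lowers a rating, the "legacy build server" entry and the risk appetite of 6 are all assumptions chosen for illustration, not values from the post or from ISO 27001 itself.

```python
from dataclasses import dataclass, field

# Ordinal rating scales (assumed; the post does not prescribe a scale).
LIKELIHOOD = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A treatment that lowers likelihood and/or severity by a number of scale steps."""
    name: str
    likelihood_reduction: int = 0
    severity_reduction: int = 0


@dataclass
class RiskEntry:
    """One row of the register, naming each element the post describes."""
    asset: str
    vulnerability: str
    threat: str
    threat_agent: str
    exposure: str
    likelihood: str
    severity: str
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> int:
        # Risk before any treatment: likelihood combined with severity.
        return LIKELIHOOD[self.likelihood] * SEVERITY[self.severity]

    def residual_risk(self) -> int:
        # Risk that remains after the controls have been applied.
        lik = LIKELIHOOD[self.likelihood]
        sev = SEVERITY[self.severity]
        for ctrl in self.controls:
            lik -= ctrl.likelihood_reduction
            sev -= ctrl.severity_reduction
        # A control can lower a rating but never below the bottom of the scale.
        return max(lik, 1) * max(sev, 1)


def assess(register, appetite):
    """Return the entries whose residual risk still exceeds the acceptable
    level, worst first, so further treatment effort goes where it is needed."""
    over = [e for e in register if e.residual_risk() > appetite]
    return sorted(over, key=lambda e: e.residual_risk(), reverse=True)


def build_sample_register():
    """Constructed sample data: the post's software-company example plus a
    hypothetical server that cannot be patched (assumed, not from the post)."""
    patching = Control("regular server patching", likelihood_reduction=2)
    antivirus = Control("anti-virus protection", likelihood_reduction=1)
    return [
        RiskEntry(
            asset="production server",
            vulnerability="server software has a security flaw",
            threat="employees receive malware by email",
            threat_agent="hackers who created the malware",
            exposure="an employee clicks on the malware",
            likelihood="high", severity="major",
            controls=[patching, antivirus],
        ),
        RiskEntry(
            asset="legacy build server",
            vulnerability="same flaw, but no patch is available",
            threat="employees receive malware by email",
            threat_agent="hackers who created the malware",
            exposure="an employee clicks on the malware",
            likelihood="high", severity="major",
            controls=[antivirus],
        ),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for entry in register:
        print(f"{entry.asset:20} inherent={entry.inherent_risk():2} "
              f"residual={entry.residual_risk():2}")
    for entry in assess(register, appetite=6):
        print(f"ABOVE APPETITE: {entry.asset} ({entry.residual_risk()})")
```

Running it shows the production server falling from an inherent score of 16 to a residual of 4, inside the assumed appetite of 6, while the legacy server stays at 12 and is flagged for further treatment. The point is the shape of the reasoning, not the numbers: every element the post names has a place in the row, and the acceptable level is an explicit decision that the register is checked against.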

Security of your information assets is fundamental to achieving ISO 27001. Discuss security regularly.  Make it a priority for your business.  Make people accountable.  Keep security top of mind at all times.  Remember, security is not just the job of the IT department.


View previous blogs in this series "ISO 27001 Information Security Management Standard":

  • ISO 27001 Information Security Management Standard: Principle 1 - Analysing the Protection of Your Information and then Applying Controls
  • ISO 27001 Information Security Management Standard: Principle 2 - Awareness of the Need for Information Security
  • ISO 27001 Information Security Management Standard: Principle 3 - Assignment of Responsibility for Information Security
  • ISO 27001 Information Security Management Standard: Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders
  • ISO 27001 Information Security Management Standard: Principle 5 - Enhancing Societal Values
  • ISO 27001 Information Security Management Standard: Principle 6 - Security incorporated as an essential element of information networks and systems