Part 1 - Reasons why you need to meet this standard
Information security in any organisation is the topic du jour.
Every day we are inundated with media reports of cyberattacks, data breaches, hacking, malware, viruses and the like. It's front page stuff in newspapers. It leads news bulletins on TV, radio and online.
Of course organisations are not immune.
The risks are high for any business. In the latest Risk Survey Report by the New Zealand Institute of Directors, cyber-attacks rank as the greatest threat to New Zealand businesses.
But it gets even more worrisome!
Your customers will be looking at you and assessing whether to do business with you based on how you manage information about them. Not only will they be looking at the price or the service or the delivery of your products or services. They will also look at your information security systems. They will be asking things like “how does your organisation prevent data breaches?”
Here at Mango, potential customers of ours ask for our information security, our Privacy Policy and our Security Statement every day. This is a big deal for us. Because we hold customer data in our Mango application we need to have robust systems to prevent unwanted incursions into the product.
So what can your organisation do about information security?
You need to seriously consider meeting the requirements of an internationally recognised standard for information security. You can take it a step further and get certified to the standard. This will prove to your customers that you are serious about information security.
Here at Mango we considered our options for managing information security and decided that the best practice requirements of ISO 27001:2013 would be a great fit. We investigated other standards like NIST, COBIT, ISA and CIS. But because we already have ISO 9001, and due to the integrated nature of the ISO standards, we felt that ISO 27001 would just seamlessly tie in with what we are already doing with our management systems. Systems like Management Review, Internal Auditing, Non-conformances and Training are already in place so why do we need to reinvent them with a different standard?
In this series of blogs I will hopefully define what each clause in ISO 27001 means and how we at Mango will be addressing them.
So subscribe to the blog and over the coming weeks I will send you links to how we created our information security system here at Mango and how we will meet ISO 27001:2013.
If you have any questions about these clauses I would love to hear about them.