Information Security Principle 7


Principle 7 - Security Incorporated as an essential element of information networks and systems

When creating, designing, developing, testing, implementing and maintaining your information networks and systems, security must be incorporated from day one and remain a central part throughout their life. To start, let’s take a look at what the key elements of information security are. These are:

  • Vulnerability
  • Threat
  • Threat agent
  • Risk
  • Exposure
  • Treatment or controls

A vulnerability is a weakness that may provide an attacker with the “open door” they are looking for to enter a building, access a computer or infiltrate your network, and then gain unauthorized access to your information assets.

A threat is the possibility that a person or a piece of software will identify and exploit that vulnerability.

The entity that takes advantage of the vulnerability is the threat agent.

This leads on to risk. Risk is a combination of the likelihood that a threat agent will act on the threat and attack your vulnerability, and the severity of what follows. A successful attack will have a corresponding business impact, and there could potentially be losses.

An exposure is an instance in which you and your systems are open to losses from a threat agent.

Treatments or controls are the actions that reduce risk, close down the exposure and reduce the vulnerabilities.

It’s important to know that these elements are all related.

Terminology is important when communicating information security to your company and its employees.

It’s important to remember that your information networks and systems are always open to threats. People are constantly waiting for you to slip up and leave yourself exposed.

You need to assess the risk (the likelihood and severity) of that happening and then reduce it with treatments or controls. Those treatments and controls need to be strong enough to bring the risk down to an acceptable level. If you can’t reduce the risk to an acceptable level, you will remain vulnerable to more and more threats.

Security of your information assets is fundamental to achieving ISO 27001. Discuss security regularly. Make it a priority for your business. Make people accountable. Keep security top of mind at all times. Remember that security is not just the job of the IT department.


Learn More:

  1. Information Security - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
  2. Information Security - Principle 2 - Awareness of the need for information security
  3. Information Security - Principle 3 - Assignment of Responsibility for Information Security
  4. Information Security - Principle 4 - Incorporating management commitment and the interests of stakeholders
  5. Information Security - Principle 5 - Enhancing Societal Values
  6. Information Security - Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk
  7. Information Security - Principle 8 - Active prevention and detection of information security incidents
  8. Information Security - Principle 9 - Ensuring a comprehensive approach to information security management
  9. Information Security - Principle 10 - Continual reassessment of information security and making of modifications as appropriate