Tips from URM – What dictates which information security controls you should implement?
The information security controls that an organisation needs to implement depend heavily
on the information being stored, processed or transmitted and on the purpose of that processing. For
example, whilst regular penetration testing may be appropriate for some organisations, it may not
be required for others.
This is where risk management kicks in. Best practice dictates that you need to identify the risks that
your organisation faces before proceeding with the implementation of appropriate controls to reduce
these risks to a level which is acceptable to your stakeholders. Risk appetite will typically be defined
by directors, shareholders or regulators along with compliance requirements that you must adhere to.
Regardless of the environment that you operate within or the size of your organisation, we would strongly recommend
you implement an information security management system (ISMS). The best practice for implementing an ISMS is specified
in ISO 27001, the International Standard for Information Security Management.
A critical step when implementing an ISMS is to understand what information assets you have and then to assess the risks
associated with those assets. Here, we would advise you to make use of ISO 27005 (a guidance standard), which sets out a
methodology for assessing information security risks that covers identifying assets, threats, vulnerabilities and existing controls.
To illustrate this key step, let’s suppose you have a CRM system that stores and processes customer data, and some of
that data is uploaded to a SaaS marketing platform. You need to identify the threats that could potentially impact
these supporting assets (e.g. personal data might be misused by your SaaS marketing platform) and why you might be
vulnerable to them (e.g. do you have sufficient safeguards in place for the processing of data outside the EEA?). You must then look
at what controls you have in place and ensure that these result in an acceptable level of residual risk.
Some of the information security control requirements may, however, be dictated to you by legislation or stakeholders.
For example, to process payment card data you must comply with the Payment Card Industry Data Security Standard
(PCI DSS) or to be awarded UK government contracts that process data, you must acquire the Cyber Essentials certification.
Both PCI DSS and Cyber Essentials include requirements for patching critical systems, for example:
PCI DSS requires ‘Critical’ updates to be applied within 30 days
Cyber Essentials requires ‘Critical’ updates to be applied within 14 days
However, each requirement applies only within the scope of its own standard (e.g. payment card data for PCI DSS), so it is
critical that you have a management system to balance these compliance requirements against your own risk appetite.
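The scoping point above is easy to get wrong in practice: an asset outside the payment card environment is not governed by the PCI DSS window, but it is still governed by whatever window your own risk appetite sets. The following is an added example (not URM’s code or tooling) that models this: each asset is tagged with the compliance scopes it falls within, the strictest applicable window wins, and a finding records which requirement actually set the deadline. The 30-day and 14-day figures are the ones quoted above; the asset names, vendor update references, dates and the 60-day internal window are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Patch windows for 'Critical' updates, in days, as quoted in the article.
SCOPE_SLA_DAYS = {
    "PCI DSS": 30,
    "Cyber Essentials": 14,
}


@dataclass(frozen=True)
class Asset:
    name: str
    scopes: frozenset  # compliance regimes whose scope this asset falls within


@dataclass(frozen=True)
class PendingUpdate:
    asset: Asset
    update_id: str   # vendor bulletin reference (constructed placeholder values below)
    severity: str    # e.g. "Critical", "High"
    released: date


def governing_window(asset: Asset, internal_sla_days: int):
    """Return (days, source) for the strictest window that applies to this asset.

    A compliance window applies only where the asset is in that standard's scope;
    the internal window (set from the organisation's risk appetite) applies everywhere.
    """
    candidates = [(internal_sla_days, "internal risk appetite")]
    for scope in asset.scopes:
        if scope in SCOPE_SLA_DAYS:
            candidates.append((SCOPE_SLA_DAYS[scope], scope))
    return min(candidates, key=lambda c: c[0])


def overdue_critical_updates(updates, today: date, internal_sla_days: int):
    """List Critical updates whose governing window has expired.

    Each finding names the asset, the update, how many days it is overdue and
    which requirement (compliance scope or internal appetite) set the deadline.
    """
    findings = []
    for u in updates:
        if u.severity != "Critical":
            continue  # the windows above are for Critical updates only
        days, source = governing_window(u.asset, internal_sla_days)
        deadline = u.released + timedelta(days=days)
        if today > deadline:
            findings.append({
                "asset": u.asset.name,
                "update": u.update_id,
                "days_overdue": (today - deadline).days,
                "required_by": source,
            })
    return findings


# Constructed sample data: three assets with different compliance scopes.
PAYMENT_GATEWAY = Asset("payment-gateway", frozenset({"PCI DSS", "Cyber Essentials"}))
OFFICE_LAPTOPS = Asset("office-laptops", frozenset({"Cyber Essentials"}))
MARKETING_SYNC = Asset("marketing-saas-sync", frozenset())  # outside both standards' scope

SAMPLE_UPDATES = [
    PendingUpdate(PAYMENT_GATEWAY, "VENDOR-2024-001", "Critical", date(2024, 5, 10)),
    PendingUpdate(OFFICE_LAPTOPS, "VENDOR-2024-002", "Critical", date(2024, 5, 20)),
    PendingUpdate(MARKETING_SYNC, "VENDOR-2024-003", "Critical", date(2024, 3, 15)),
    PendingUpdate(MARKETING_SYNC, "VENDOR-2024-004", "High", date(2024, 1, 1)),
]
TODAY = date(2024, 6, 1)            # constructed "as of" date
INTERNAL_SLA_DAYS = 60              # constructed internal window from risk appetite

if __name__ == "__main__":
    for f in overdue_critical_updates(SAMPLE_UPDATES, TODAY, INTERNAL_SLA_DAYS):
        print(f"{f['asset']}: {f['update']} is {f['days_overdue']} days overdue "
              f"(deadline set by {f['required_by']})")
```

With the sample data the payment gateway is reported against the 14-day Cyber Essentials window rather than the 30-day PCI DSS window, because it is in both scopes and the stricter one wins; the marketing connector is outside both standards and is reported only because the internal 60-day window has lapsed. Dropping the internal window (or setting it very long) would make that last gap invisible, which is exactly the blind spot a management system is meant to close.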
The other advantage of an ISMS is its focus on continuous improvement: it is not just about implementing controls but also
about checking that those controls are working effectively and, if they are not, modifying and improving them.
If you would like to explore how URM’s consultancy and training services can benefit your organisation,
we offer a ‘no obligation’ discussion with a senior member of our consultancy team. Please let us know
the specific challenge you are facing within our areas of expertise e.g. information security (ISO 27001,
PCI DSS), data protection (GDPR, DPA 2018) and risk management so that we can arrange a discussion.