Many folks ask Google “What is ISO 27001?” Opinions vary. Some think it is a kind of ISO wrap-around for your IT security issues. They would be vaguely right.
On the other hand, sceptics say that it’s just another bureaucratic set of wish-list principles and guidelines: largely ignored, like the “hold the handrail” notices on many a staircase, someone’s idea of due diligence, while the rest of us race up and down mid-text…
A Bad Day at Heathrow
Taking a recent, very high-profile incident, how useful is ISO 27001 in the real world? For example, could it have prevented the IT systems failure at BA that will allegedly cost £80M? Well, yes, and probably yes.
There is a very useful in-depth (but readable) analysis of the chain of events here. In short, the normal power supply to their very large data centre was overridden during a switch-over from live supply to battery backup. Power was restored at the wrong time and in the wrong way, and vital hardware was cooked. Of three data centres, one was “fried”, the second mirrored corrupt data from the first, and the third one simply didn’t want to play. Oh dear me. Some queues at check-in today, then…
This is where the “What is ISO 27001?” question matters.
It’s primarily a cyber security standard, aimed at stopping your company’s data getting into the wrong hands. However, it does have some controls that will stop other bad things happening. A couple of them:
“When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.” (Section A14.2 Statement of Applicability for ISO27001)
“The organisation shall supervise and monitor the activity of outsourced system development.” (A14.2.7)
Could ISO 27001 have helped? On the one hand, “yes”.
There are suggested steps intended to prevent very bad things happening as a result of poorly executed maintenance or change procedures. It’s a small but important part of the standard and of the Information Security Management System (ISMS).
On the other hand, “Yes” as well. Why?
Because, although procedures did exist, they weren’t followed. Nobody was “assessing and monitoring” to make sure they were being followed. A standard is only as good as its application, regardless of how many guidelines it contains; if you don’t bother checking that they are followed, it’s just another catastrophe waiting to happen.
How to Live In The Real World
Whenever we write a security system for a customer, we always ensure that it is not abstract and theoretical. It must be applicable to everyday business. We make sure it’s usable, monitored, and actually works. (BA, if you need to get in touch, please use our contact page. Can I have payment up front, please? You seem to have a large debt.)
What is ISO 27001? A system to prevent breaches in cybersecurity and protect your business from bad procedure and nasty events. Can it help your business? Well, most probably. Contact us to find out more!