Making IT work… IT Security Standards
As a business grows, risk management and corporate governance become more important to its owners. This is mainly because the business is now likely to be profitable, so sustaining and protecting it and its assets becomes critical.
Information Assurance (IA)
Protecting systems, information & data requires an effective set of policies, procedures and processes. Collectively these form an Information Security Management System (ISMS).
Complementary to Quality Management Systems
Credible businesses are certified to ISO 9001, the quality management standard. In IA terms, ISO 27001 is the standard to aspire to. However, ISO 27001 certification is quite a challenge for smaller businesses to achieve, so our local University of Worcester has designed an IA framework for SMEs, aptly called IASME (Information Assurance for Small and Medium Enterprises).
The policies and procedures needed for the IASME and ISO 27001 standards can easily be dovetailed into a business’s existing quality management system. For the borwell business this meant adding a new business functional area, which we simply called ‘IA’. We added new policies for Privacy, IA, System usage, Social media, Security awareness and BYOD (bring your own device).
We also added new procedures for Backup, Asset records and management, Physical & environmental management, and finally Access control.
IASME is a pragmatic subset of ISO 27001, aimed specifically at SMEs. To start with you can self-certify and get a bronze certification. Silver and gold certifications need an external consultant to help, but the cost and effort are much lower than for ISO 27001 certification. You can always extend the ISMS to comply with ISO 27001 later on.
Whichever standard you choose, effective training, implementation, reviews and audits will be needed to ensure the business actually complies with the relevant sections of the standard. An annual audit by an external assessor will also be needed to renew the certification.