Information Security Management System


Information Risk Management

We find ourselves in a day and age where many organisations depend on technology to drive business processes, streamline operations and ultimately become more productive. Unfortunately, every technology-driven process comes with its own set of vulnerabilities that can expose an organisation to security threats. Many solutions are available to protect against this, and businesses are usually happy to add layers of protection in the hope that no weak point in the network is left exposed.

In order to mitigate business risk, organisations turn to a framework that helps them adopt a best-practice methodology for information security. One such framework, under the banner of the Information Security Management System (ISMS), is the standard ISO 27001:2013. It is one of the most widely used standards for establishing an information security policy. In fact, the ISO 27001 standard includes many of the controls required to fulfil GDPR, POPIA and the Data Protection Act.

The ISMS framework focuses on risk assessment and risk management and consists of a set of security controls and control objectives; the 163 controls set the foundation and scope for mitigating potential threats to information security. The ISMS and these ISO standards exist to help organisations assess their current security posture and make the adjustments and improvements needed to stay ahead of the curve.

A common practice suggested by ISO is to follow the Plan-Do-Check-Act (PDCA) model for continuous improvement:

  1. Plan

Identify the problems and collect the information needed to evaluate security risks. Define the policies and processes that will address the root causes of those problems. Develop methods to establish continuous improvement of information security management capabilities.

  2. Do

Implement the devised security policies and procedures. The implementation follows the ISO standards, but the actual implementation is based on the resources available to your company.

  3. Check

Monitor the effectiveness of ISMS policies and controls. Evaluate tangible outcomes as well as the behavioural aspects associated with the ISMS processes.

  4. Act

Focus on continuous improvement. Document the results, share knowledge and use a feedback loop to inform future iterations of the PDCA model as applied to ISMS policies and controls.

Starting a journey to compliance should not be feared, nor should it be taken lightly; done correctly, it could save a business a significant amount of money and public embarrassment by protecting against security and privacy fraud.
