Information security implementation

Guest user | Created: Jul 05, 2017 | Last commented: Jul 05, 2017

Based on little more than general awareness of security risks, we had a technical security review done. The conclusions were pretty damning. We are a small UK/Norway company using lots of data. We're pretty thinly staffed on the IT side (half an FTE, if that), but want to make sure we do this properly. Where do we start: hiring a cyber expert, Cyber Essentials, or ISO 27001? I am a bit worried that we are spending more time 'doing documentation' than actually improving security. All advice welcome!!


Step-by-step implementation for smaller companies.

Rhand Leal Jul 05, 2017

Answer: Considering the situation you presented, it seems you need quick action to fix some issues as soon as possible and a longer-term plan to maintain the results. Also, considering you mentioned limited staff, maybe hiring a cyber expert for the quick action would be the best option, even considering the higher cost of a consultant, because in this case delaying the fixes leaves you vulnerable for much longer. And you could ask the consultant to use the practices of Cyber Essentials as a reference.

For the longer-term plan, the implementation of ISO 27001 can help you manage the implemented security, and for that you have three implementation alternatives: hiring a consultant (maybe the same one you hired for the quick fix), implementing on your own, or implementing on your own with expert support. Each alternative has its pros and cons, and I suggest you take a look at this white paper to identify which alternative is best for you: Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

Regardless of the way you choose, when ISO 27001 is implemented properly, you won't focus too much on documentation - rather, you'll focus on changing the way your employees are using the technology, and therefore decrease the number of security incidents. Here's an article that will help you: ISO 27001 project – How to make it work https://advisera.com/27001academy/blog/2013/04/22/iso-27001-project-how-to-make-it-work/

This article will provide you with further explanation about information security implementation:
- 3 strategic options to implement any ISO standard https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/

These materials will also help you regarding information security implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
