Posts

Showing posts from October, 2022

The 7 Layers of Cyber Security : Attacks on OSI model

Image source: wallarm. The OSI network communications model is made of 7 layers. Each layer handles a specific process to enable reliable communication between two or more devices. When the Internet was designed, its focus was on ensuring reliable communications. The challenges of communication security emerged later. These 7 layers act like a chain of links. If one link breaks, the whole chain of communication breaks. Hence a security threat can occur at any of the 7 layers. These layers are named Application, Presentation, Session, Transport, Network, Data link and Physical layer. The application layer is your email application, the physical layer is your communication cable, and everything in between helps you communicate. In abstract, the application layer provides the user interface, while the presentation layer handles formatting, encoding and encryption. The session layer manages connections. The transport layer handles segmentation, sequencing, and establishing virtual circuits. The

Rights of Personal Information Protection : PIMS are here to stay!

Image source: governmenttechnologyinsider. The United Nations Declaration of Human Rights (UDHR) Article 12 states: "No one shall be subjected to arbitrary interference with his privacy...." which makes privacy an undeniable human right. Privacy is like breathing. Everyone needs it. Personal Data Protection is an emerging issue in the world. Most nations are following the European Union GDPR model of regulations to enact local laws. Sri Lanka enacted the Personal Data Protection Act No. 9 of 2022 on March 9th 2022. It binds all public and private organisations to protect personal information to ensure the privacy of the data subject, and to give individuals control over their personal data. Data Subject: In data protection legislation, an individual is legally known as a data subject. A data subject has various rights relevant to their Personally Identifiable Information (PII). Personally Identifiable Information (PII): PII represents any information that allows identification of an individua

Security Operations Center (SOC) : The command center of your security

Image source: comptia. The threats of data breaches are becoming more common. They are also more difficult to detect and mitigate. The most dangerous issue is the time taken to detect and contain a breach. Some APTs intrude and prevail in your system undetected for a long time. This requires your business to have an efficient detection, mitigation and prevention process against data breaches. A Security Operations Center (SOC) is the best solution for detecting and preventing threats to information security. The aim of a SOC is to protect the organization from security breaches by monitoring, detecting, analyzing, and reacting to information security threats. The SOC team comprises security analysts, security engineers, and a manager. They work with IT and operational teams on threat detection to decrease the likelihood of security breaches. They monitor servers, databases, networks, endpoints, and applications to identify security threats, investigate, and respond to security incidents as they occur. The SOC uses a Security Informa

Personally Identifiable information (PII) and Personal Data Protection

Image source: libguides. Personally Identifiable Information (PII) is defined as any data that could potentially identify a specific individual. Simply put, PII is any information that can be used to distinguish one person from another. The legal definition of PII may vary from jurisdiction to jurisdiction. However, universally it refers to information that can be used to trace an individual's identity, either on its own or combined with one or more other pieces of information linkable to a person. The following are personally identifiable information: name, address, email, race, ethnicity, telephone number, date of birth, passport number, fingerprint, facial image, mother's maiden name, driver's license number, credit or debit card number, and Social Security number/ID number. The reasons to protect PII are: Protecting PII is important to ensure personal privacy. Personal data is collected, recorded, processed, tracked and used daily. It includes names, IDs, biometric scans with fingerprints, and facial recognition systems used to login to syst

Security Awareness Training : Better Safe than Sorry!

Image source: whiteknightit. Security awareness and training are the first line of defence in securing your organization against cyber attacks. The first barrier that you will face is resistance to information security. This is a normal situation, as employees tend to think security is not their job. But they are the problem. The majority of cyber attacks have resulted from employee vulnerabilities exploited by hackers through social engineering. How do you reduce resistance to information security? If you provide adequate awareness and training to your employees, and make them understand that they are also responsible for the information security of the organization, then your employees will be much better, more effective, and more efficient in using security controls. They will appreciate having the security controls, hence they are less likely to ignore, bypass, or disable them. When they know why they need long passwords, why not to share them with colleagues, and the importance of vigilance in

Communication Plan for ISO 27001: Making them hear and respond

The Communication Plan is a key element of a good Information Security Management System (ISMS). Your organization needs to communicate the most accurate information to its stakeholders at the best moment. It is equally important in security management to make people respond to situations in the proper way. Effective communication includes proper content, format and timing to create trust among recipients, both internal and external parties. Your communication will show how prepared you are, and whether you are reactive or proactive. ISO 27001 clause 7.4 requires your organization to have a clear communication plan. It should include: Who should communicate? To whom? What messages? On what? When? How? "On what?" means the content that will convey your message. It should clearly communicate what is important to the organisation and what is relevant to the recipient. The content should match the interest of the recipient. The content needs to conform to the organization r

Non-conformities in ISMS audit : Implementing Corrective Controls

Image source: Shutterstock. Despite all the efforts made by organisations to establish a perfect ISMS, there may still exist not fully implemented or unimplemented controls. A non-conformity is the non-fulfillment of a requirement in ISO 27001. Internal and external auditors use non-conformities to judge the level of ISMS compliance with the ISO 27001 standard. Non-conformities take up a major part of an audit report. The following are common non-fulfillment examples: lack of records on corrective actions taken; not using the specific reporting form defined by a procedure; not producing reports for customers as agreed; a control not implemented as specified; a control not implemented at all. Non-conformities are found from a missing report on a control, or from a reported result not in the specified form as required. It is possible for an organisation to fail in fulfilling an ISO 27001 requirement, as well as for a management review not to be done for taking corrective action. For instance, you have a requirement to make ba