Information security and data privacy are becoming increasingly important for businesses of all sizes and across all sectors. The rapid increase in cyber-related incidents in South Africa, particularly those affecting smaller, more vulnerable organisations, requires urgent attention.
The purpose of information security is to protect information assets from unauthorised access, maintain accurate and complete records, and ensure that information and systems are available as and when they are required.
Key Takeaways
ISO/IEC 27001:2022 is the latest version of the most well-known standard in the family that deals directly with the establishment, implementation, maintenance and continual improvement of an Information Security Management System (ISMS).
Organisations of all sizes and across all industries can benefit from implementing the ISO/IEC 27001:2022 framework for information security.
Information security protects businesses from threats to confidentiality, integrity and availability of their sensitive information and systems. This is referred to as the CIA Triad of Information Security.
What is an ISMS?
An ISMS is a collection of management principles and information security specific policies, procedures and processes.
The primary objective of implementing an ISMS is to help companies protect their information assets from internal and external risks, such as unauthorised access and data leakage.
The standard also places emphasis on employee awareness and engagement, which helps to create a culture of security. A culture of security drives continuous improvement where employees naturally place information security at the forefront of their daily activities. As the business’ operational context changes, the ISMS evolves to maintain business activities within acceptable risk tolerance levels.
Applicability of ISO/IEC 27001:2022
There is a general misconception that standards are only applicable to large organisations. However, this is not the case. Organisations of all sizes and across all industries benefit from investing in information security.
All businesses are required to report any data breaches to the Information Regulator (South Africa), the independent body which monitors and enforces compliance with the Protection of Personal Information Act, 2000 (POPIA). In a recent statement, the chairperson of the regulator, Adv. Pansy Tlakula, said, “…the regulator has taken note of the alarming rate at which security compromises are increasing in the country…” The number of reported security compromises has risen rapidly, from just over 500 reported incidents in 2022 to 1700 in 2023, and is projected to reach close to 2400 by the end of the 2024/25 financial year.
This increase is not limited to large organisations and government departments; it also has a significant impact on SMEs. Depending on the nature and depth of the breach, recovering services can cost an exorbitant amount. For a smaller organisation this could be fatal, not only financially: the reputational damage alone may be too severe for the organisation to survive.
The CSIR presented their findings from multiple surveys conducted across a broad range of public and private bodies, at a Media Briefing on 15 October 2024.
Their recommendations for improvement, which follow the key findings of each survey, reflect a common theme: improved risk management, better employee awareness, stronger access control, asset management and incident preparedness are the areas in which businesses should build resilience to the impact of cyber attacks. These are all part of the ISMS.
The outcome of the surveys also highlights common themes in the origin of attacks, which include insider attacks, phishing and third parties associated with the company.
Information security properties
Information security protects businesses from threats to confidentiality, integrity and availability of their sensitive information and systems. This is referred to as the CIA Triad of Information Security.
Confidentiality deals with protecting information assets from unauthorised access. Assets could be either physical assets, such as laptops, or digital assets, such as databases of personal information. The standard provides guidance for controls that guard against data leakage and exposure of sensitive information, and that protect assets from unauthorised access.
The property of integrity is related to the validity, accuracy and completeness of information and data. Incomplete or inaccurate records can have a significant impact on a business’ ability to operate normally. For example, a malicious actor may have authorised access to systems, but if activities are not monitored, they may influence data integrity to their own benefit.
Availability speaks to continuity of services: an interruption to the availability of information assets can significantly disrupt business operations. For example, a data breach may mean that some or all business systems need to be shut down during recovery, negatively impacting the business’ ability to conduct its affairs.
Security domains
The ISO/IEC 27001:2022 standard outlines a set of security controls which are classified into four broad domains: Organisational, People, Physical and Technological.
Across these domains, controls address all aspects of information security, including:
- Risk management and treatment;
- C-level involvement in defining high-level policies and information security objectives, and a commitment to the implementation of an effective ISMS;
- Access control;
- Asset management;
- Information management;
- Incident management;
- Physical security; and
- Business continuity.
Continuous improvement
The standard promotes a culture of continuous improvement in information security practices and includes regular monitoring through internal and external audits. Regular reviews are conducted to evaluate the performance and effectiveness of the ISMS, and processes and practices are amended to guard against emerging threat trends and changes in the context of the business.
Certification
Certification against the standard is optional. An organisation may choose to be certified by an accredited certification body. This process requires the successful completion of an external audit.
Referring again to the CSIR Media Briefing on 15 October, merely implementing a framework such as ISO 27001:2022 does not necessarily reduce the risk of cyber attacks. However, organisations that use third-party auditors to provide external oversight, and those that drive a culture of continuous improvement, see a marked reduction in the number of security-related incidents.
Conclusion
Many companies wait for an incident to occur before putting the most basic measures in place to protect their information assets. No individual or organisation is immune to cyber crime. Don’t wait until it happens; prepare for the eventuality by implementing a framework such as ISO/IEC 27001:2022 to protect your information assets, your employees and your business. The investment in implementing security standards will be worth it in the long run, as the cost of recovery from a single incident often outweighs the cost of preparedness.
