Information security needs management, says SGS
“Many organisations would claim that information is their most valuable asset, yet they don’t have the management commitment to ensure that information is secure,” says Richard Skipsey of SGS United Kingdom Ltd. “Managers delegate online security to the IT department and think the job is done.”
Yet the cost to UK plc of security breaches is “in the order of billions of pounds per annum…. (and) … it’s roughly tripled over the last year”, according to the 2013 Information Security Breaches Survey by the Department for Business, Innovation and Skills*.
The survey shows that 78% of large organisations were attacked by an unauthorised outsider in the last year and that smaller businesses, “which used not to be a target, are now also coming under increasing attack”.
The average cost to a large organisation of its worst security breach ranged from £450,000 to £850,000, while smaller organisations faced bills of £35,000 to £65,000 for the worst incidents.
Mr Skipsey welcomes the fact that the importance of management commitment, along with effective measurement, is emphasised in ISO 27001:2013, the revised international standard covering the security of an organisation’s information and IT systems.
“Effective information security must be championed, funded and managed at board level,” says Mr Skipsey. “It needs to be implemented as part of an overall business strategy, not in isolation.”
The strategy must also cover all information that is valuable to an organisation – from research and design prototypes to forecasts and negotiating positions. Nor is it limited to online activity: it includes paper records, images and even conversations.
Mr Skipsey is Global Product Manager - ISO 27001 and ISO 22301 at SGS, the world's leading inspection, verification, certification, testing and training organisation.
SGS, which has been accredited by UKAS to assess ISO/IEC 27001:2013, has just updated its booklet on ‘Issues to be considered when establishing an Information Security Management System’ to reflect the changes since the initial standard ISO 27001 was established in 2005. To learn more about ISO 27001:2013, go to www.sgs.co.uk/iso27001.
The booklet summarises the principal requirements for guiding and establishing an information security policy and system. To download your free copy of the booklet, go to www.sgs.co.uk/iso27001booklet.