Well frankly yes it is…but you wouldn’t be without it in my opinion.
Over the last few months we have been on the journey to ISO27001 accreditation. It’s been a big investment in time and resources, but as a cloud services provider we are committed to maintaining the accreditation. We have a huge responsibility in hosting the critical systems and data of all of our customers, no matter how big or small. In gaining and maintaining the ISO27001 accreditation, I feel it is another way we are demonstrating that we take this responsibility seriously.
Now that we have the ISO27001 framework in place, implemented and led by Peter Brook as our Information Security Manager, the on-going effort has reduced, and I feel hugely proud of what Peter and the whole team have achieved so far. I am confident we will fly through our internal and external audits over the coming months and years. In working through the process, we implemented an ISMS, or Information Security Management System. That’s right, another industry acronym for us all to become familiar with. The ISMS is basically a framework for managing risk around information security. Now I could get into all the technical recommendations around how to manage risk, with more IT acronyms, but basically it’s a process whereby you identify and mitigate information security risks, and then rinse and repeat month-on-month. This is IT’s equivalent of a good health and safety management system, so that you wouldn’t need a real ambulance for you, your staff or your customers.
One of the key ingredients of a good ISMS is the risk committee and the risk register. Once you build a good risk register and support it with the right people as part of managing your information security risk, you will almost certainly find gaps in your information systems. These risks and gaps keep evolving and changing as your business changes. ISO27001 has taught us that all risks should be raised and ultimately mitigated through improved processes and with all the IT goodness that keeps people in the IT industry employed: things like two-factor authentication, system backups, regular restore tests, business continuity plans, firewall technologies, security software, regular operating system and application patching and updates, and so on. The list goes on. These are the things that, when well implemented and managed, ultimately mitigate the risk in your business and prevent the need for the ambulance at the bottom of the cliff, the cyber insurance policy.
I get that not all companies will want to go to the effort of getting ISO27001 accreditation, but including information security as part of your wider business risk management is not that hard. Basically you need some good technical advice, an information systems risk register and a regular check-in meeting to ensure newly identified risks are being resourced and mitigated. Check out these resources from www.digital.govt.nz: https://www.digital.govt.nz/dmsdocument/3-risk-assessment-process-information-security/html
If you are needing to call on the insurance policy, an event has already occurred; at that point the cyber insurance will help you get access to the right people and resources you need to get your information systems back up and running. You have a much lower chance of an event occurring that causes financial, reputational and all other kinds of impact to your business if you have taken the time to consider, manage and mitigate information security risk in your business. The cyber policy should be your last port of call. I think all companies should have a good cyber policy in place, but don’t do this without also putting in some serious commitment from leadership, and the resources required, to mitigate the information security risk in your business, so that you don’t need to call on the cyber policy.