
Security of own and customer information: the UNI CEI ISO / IEC 27001 standard (with infographics)

One of the most important goals for an organization is to establish a relationship of trust with those who choose its commercial offer: customers are difficult to acquire and easy to lose (all the more so when the reference market is saturated with competitors and full of alternative solutions).

How can this relationship of trust be kept alive in the interests of both parties? First of all by offering products and services that are competitive in quality and price, and by ensuring timely, personalized assistance and support before and after the purchase. One further element is often forgotten, though: in the era of digital processes it is essential for the supplying company to guarantee the security of the information and data it handles, an aspect that becomes crucial for those working in the field of IT services.

This is why information security management, and the standard associated with it, are so important: UNI CEI ISO/IEC 27001, written in 2005 and revised in 2013 (the Italian version dates from 2014).

The risk of information and data being compromised is very high today: just think of the daily news about hacking, privacy violations and phishing. According to a Clusit report (commented on here by Tech Economy), 2016 was the worst year ever for the growth in cyber attacks, in particular for the large-scale retail sector (+70% compared to the previous year) and banks (+64%). Cybercrime activity as a whole is estimated to have increased by 9.8%. 22% of companies also report having lost customers because of these criminal activities, and 29% (almost 3 in 10) have lost revenue. And it is not only deliberate acts that should draw companies' attention to IT security: if we consider some events that are far more common in the life of a company, we realize the risk that our digital information runs: power fluctuations, malfunctions in the IT infrastructure, physical accidents on the premises...

Those who implement prevention procedures therefore secure their own business and that of the organizations whose data they handle.

The most careful companies protect themselves and their customers by obtaining certification according to the UNI CEI ISO/IEC 27001:2014 standard, whose purpose is to provide the requirements for "establishing, implementing, maintaining and continually improving an information security management system within the context of an organization". 27001 belongs to the UNI CEI ISO/IEC 27000 family of standards, a set of standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that concern information security management systems.

Certification according to UNI CEI ISO/IEC 27001 is not an obligation, but a company that follows this path certainly offers an extra measure of security to itself and its customers. The certification process is open to organizations in all product sectors and of all sizes.

a. How to get certified according to UNI CEI ISO/IEC 27001

UNI CEI ISO/IEC 27001 first of all defines a series of requirements that the organization must meet in order to obtain certification. These are intentionally general parameters (as we shall see from their formulation), precisely so that every sector can apply the overall principles within its own business context.

The focus is first on identifying the potential risks to the information held and used by the organization, and then on defining an information security management system (ISMS). The company's task does not end there, however.

In fact, the UNI CEI ISO/IEC 27001 standard follows the PDCA logic (Plan - Do - Check - Act): risk management is therefore not linear but cyclical, in the perspective of continuous process improvement. This means that the definition of the seriousness of the risks and of their treatment is followed by monitoring of the effectiveness of the system that has been put in place, and by its redefinition through the analysis and review of the data acquired. And so on.

Once the general principle has been understood and the ability to monitor the process over time has been assessed, the company undergoes the annual audit to obtain the certification or to renew it. The audit is carried out by a third-party certification body chosen by the organization itself, provided that it is accredited and listed in the Accredia database.

b. Risk measurement for information

By what method should the information security risks that may affect our company be defined and measured? First of all, for information to be secure it must retain three properties: confidentiality, integrity and availability.

Given the general nature of the standard, each company will have to assess the risks with reference to its own organizational and business context, and decide how to measure and treat them through a risk management process.

c. Implementation phases and requirements of UNI CEI ISO/IEC 27001

We have seen that, in the era of digital processes, certification according to UNI CEI ISO/IEC 27001 is a strategic asset for the company and for the security of its own information, and even more so for that of its customers. We have also seen that the principles established by the standard are general in nature, so that they adapt easily to every sector. How, then, can a company be sure of complying with the requirements established by the standard? Even though the standard does not define rigid, unambiguous criteria for risk management, it does establish the requirements that must be applicable and applied in every company (covered in clauses 4-10 of the text):

  1. determination of the context of the organization (including scope, and the needs and expectations of interested parties);
  2. definition of leadership, headed by top management, and of the corporate security policy;
  3. planning of actions (to address risks and opportunities) and of objectives;
  4. definition of support: resources, competence, communication, documentation, etc.;
  5. operation (planning and control, risk assessment and treatment);
  6. performance evaluation through monitoring and measurement, internal audit and management review;
  7. continual improvement (management of nonconformities and corrective actions).

A further reference is Annex A, "Control objectives and reference controls". This section lists the security controls, taken directly from chapters 5-18 of UNI CEI ISO/IEC 27002:2013, that are to be implemented within a company seeking certification. Each control category contains the control objective to be achieved and the controls that can be applied to achieve it. By way of example: provide management direction and support for information security; ensure that employees and contractors understand their information security responsibilities; inventory the company assets associated with information and assign an owner to each; and so on.

Further information on UNI CEI ISO/IEC 27001 can be found on the website of the International Organization for Standardization. It is clear that information security is a fundamental element of a company's productivity, and that 27001 is a real asset for guaranteeing the business continuity of the company and its customers.

Author Paolo Ravalli

CEO Mainline srl
