HiComply & Industry Terminology Explained
Why do I need an asset inventory
Understanding the assets owned and used within your business is the cornerstone of any good ISMS. Most InfoSec standards will insist on a regularly maintained Inventory of Information Assets.
Assets need to be identified, classified and categorised. This may sound daunting, and you may feel you need to spend big on an InfoSec consultant if you have never done it before but Hicomply provides a comprehensive Asset Library which customers can import to automate the basis of their asset inventory.
Within minutes not days you can have an asset inventory ready to manage.
What is Cybersecurity?
Cyber security’s core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage.
It’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.
Full list of ISO 27000 standards, often referred to as the ISMS family of standards. The ISO 27K standards relating to IT security techniques (the “ISMS family of standards”) are:
ISO 27000 — Information security management systems — Overview and vocabulary
ISO 27001 — Information technology – Security techniques: the standard that applies when organisations want to obtain a certificate
ISO 27002 — Code of practice for information security controls: an implementation guide and examples of typical controls mentioned in ISO 27001
ISO 27003 — Information security management system implementation guidance
ISO 27004 — Information security management — Monitoring, measurement, analysis and evaluation: expands on aspects of ISO 27001
ISO 27005 — Information security risk management
ISO 27006 — Requirements for bodies providing audit and certification of information security management systems: how certification bodies (CBs) should operate
ISO 27007 — Guidelines for information security management systems auditing: auditing practices on an ISMS
ISO TR 27008 — Guidance for auditors on ISMS controls
ISO 27009 — An internal document for the committee developing industry-specific variants or implementation guidelines for ISO 27K standards
ISO 27010 — Information security management for inter-sector and inter-organizational communications
ISO 27011 — Information security management guidelines for telecommunications organizations
ISO 27013 — Guideline on the integrated implementation of ISO 27001 and ISO 20000-1
ISO 20000 is the service delivery standard, based on ITIL
ISO 27014 — Information security governance: related to ISMS in the context of Australian e-health.
ISO TR 27016 — information security economics (note TR 27015 was withdrawn)
ISO 27017 — Code of practice for information security controls based on ISO 27002 for cloud services
ISO 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors: GDPR relevance, especially in cloud apps
ISO TR 27019 — Information security for process control in the energy industry
ISO 27031 — Guidelines for information and communication technology readiness for business continuity
ISO 27032 — Guideline for cybersecurity
ISO 27033-1 — Network security – Part 1: Overview and concepts
ISO 27033-2 — Network security – Part 2: Guidelines for the design and implementation of network security
ISO 27033-3 — Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues
ISO 27033-4 — Network security – Part 4: Securing communications between networks using security gateways
ISO 27033-5 — Network security – Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
ISO 27033-6 — Network security – Part 6: Securing wireless IP network access
ISO 27034-1 — Application security – Part 1: Guideline for application security
ISO 27034-2 — Application security – Part 2: Organization normative framework
ISO 27034-6 — Application security – Part 6: Case studies
ISO 27035-1 — Information security incident management – Part 1: Principles of incident management
ISO 27035-2 — Information security incident management – Part 2: Guidelines to plan and prepare for incident response
ISO 27036-1 — Information security for supplier relationships – Part 1: Overview and concepts
ISO 27036-2 — Information security for supplier relationships – Part 2: Requirements
ISO 27036-3 — Information security for supplier relationships – Part 3: Guidelines for information and communication technology supply chain security
ISO 27036-4 — Information security for supplier relationships – Part 4: Guidelines for security of cloud services
ISO 27037 — Guidelines for identification, collection, acquisition and preservation of digital evidence
ISO 27038 — Specification for digital redaction of digital documents
ISO 27039 — Intrusion prevention
ISO 27040 — Storage security
ISO 27041 — Investigation assurance
ISO 27042 — Analyzing digital evidence
ISO 27043 — Incident investigation
ISO 27050-1 — Electronic discovery – Part 1: Overview and concepts
ISO 27050-2 — Electronic discovery – Part 2: Guidance for governance and management of electronic discovery
ISO 27701 — Information technology – Security Techniques – Information security management systems — Privacy Information Management System (PIMS).
ISO 27799 — Information security management in health using ISO 27002 – guides health industry organizations on how to protect personal health information using ISO 27002.
What is GRC Software
Governance, Risk Management and Compliance Software (GRC Software) provides organisations with a platform for meeting their IT-related compliance needs. As its name suggests, the software provides the tools to measure IT risk management and the associated processes employed to mitigate those risks. Hicomply GRC Software provides an integrated platform with:
- Policy Management and the appropriate information dissemination for employees and teams within the business
- Asset Inventory management with information asset libraries linked to all associated risks
- Risk Management tools allowing for enterprise risk management, multiple risk methodologies for use across different areas of enterprise business risk
- Task Management and Tracking allowing easy communication, planning and scheduling of GRC project tasks
- Internal and External Audit planning and execution
Integrated Management System
An Integrated Management System (IMS) is where an organisation combines more than one of their adopted standards and systems into one more streamlined project. An example would be where an organisation combines their ISO9001 and ISO27001 compliance projects into one management system.
Hicomply gives organisations a multi-project approach: within a single application interface, many compliance projects can be combined and managed on the same platform, allowing multiple standards to be managed and certified using a single set of policies, procedures and operational processes. Using an IMS approach can provide significant cost savings to an organisation.
Hicomply provides IMS combination support across ISO/IEC 27001:2013, ISO/IEC 27701:2019, ISO9001, NIST SP 800-53, HIPAA Standard, PCI-DSS V2.0, AUP V5.0, CSA, SOC2 and more.
ISO 27001:2013 is an information security standard that was published on the 25th September 2013. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is the international specification for an information security management system (ISMS). The ISO 27001:2013 standard may be independently certified by a certification body in order to show that all requirements of the standard have been met. In recent years it has become a requirement for some organisations to entrench the system to certification in order to meet client, contractual and tender needs. The overall system is designed around reducing IT risks in a company, thus ensuring business continuity and financial savings due to good internal controls.
What are the benefits?
By entrenching a formal management system according to ISO 27001 requirements a company will have:
- Confidence that all legal requirements for IT-related items are met, e.g. email usage, web usage, indemnity issues, the POPI Act (Protection of Personal Information Act) and the Access to Information Act.
- A detailed risk assessment process for internal auditing that is measurable and structured.
- The ability to identify risks to your electronic information and put in place security measures to manage or reduce them.
- Procedures to enable prompt detection of security breaches. Check sheets.
- Continual improvement, allowing review of the effectiveness of your information security management system (ISMS) and action to address new and emerging security risks.
- Cost savings through a reduction in incidents, reduced internal failure, and prevention measures.
- Compliance with customer and tender requirements.
ISO 27001:2013 has the following sections which need consideration when implementing the standard.
- Introduction – the standard uses a process approach.
- Scope – it specifies generic ISMS requirements suitable for organizations of any type, size or nature.
- Normative references – references to other entrenched and certified standards or guidelines used.
- Terms and definitions – a brief, formalized glossary.
- Context of the organization – understanding the organizational context, the needs and expectations of ‘interested parties’, and defining the scope of the ISMS. Section 4.4 states very plainly that “The organization shall establish, implement, maintain and continually improve” a compliant ISMS.
- Leadership – top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
- Planning – outlines the process to identify, analyse and plan to treat information security risks, and clarify the objectives of information security.
- Support – adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
- Operation – a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
- Performance evaluation – monitor, measure, analyse and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.
- Improvement – address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS.
ISO 27001:2013 formally specifies a management system that is intended to bring information security under specific management control. ISO 27001:2013 requires the management program to:
- Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities and impacts;
- Design and implement a comprehensive set of information security controls through a documented management system with all processes and forms needed.
- Enforce any legal requirements through the effective control of company policies and requirements.
- Give guidance on what is required in a company in order to ensure IT risk is managed. Policies are set at corporate level.
- Apply basic risk management according to ISO 27001 requirements.
What is ISO27004?
ISO/IEC 27004:2016 provides guidance to organisations that wish to monitor and measure the performance of their ISO/IEC 27001:2012 information security management system. Hicomply can provide the tools needed to evidence, review and measure the impact of your ISMS, and our team of experts will provide guidance on how best to implement our software in line with ISO/IEC 27004:2016.
| Stage | ISMS | DP & GDPR |
| --- | --- | --- |
| Project mandate / pre-project | Scope / boundaries, customer focus, leadership / structure of team, objectives | Organisational awareness |
| Initiation | Policies, processes and procedures | Information analysis – what, where and sharing; data flow mapping |
| Management framework | Organisational context, stakeholders and interested parties, engagement, risk impacts | Communication of privacy information, individuals’ rights, management of personal data |
| Baseline | Security criteria identified; arrangements implemented; mandatory ISMS requirements; legal compliance | Consent – how, then record and manage |
| Risk management | Type of methodology (e.g. asset management, ISO 31000, etc.), risk register(s) | Children and parental consent |
| Implementation | Management review forums, staff trained, competencies assessed, data transfer methods and targets, Ts and Cs with suppliers | Data collection techniques; data breaches – detection, reporting and investigation |
| Measure, monitor and review | Evaluation measures established, benchmarks and metrics, improvement schedule established, management reporting / dashboards | DP by design, DP impact assessments (may be introduced at an earlier stage) |
| Audit | Verification and validation, training, NCs and corrective actions | Internationalisation, inter-corporate arrangements |
| Post certification | Inter-group exchanges, liaison with authorities, supply chain, outsourcing | Revised statutes, DP practice developments |
The following documents need to be available in order to be compliant with ISO 27001. (Please note that the documents below are mandatory only if there are risks which would require their implementation. If they are not relevant they can simply be left out; there is no need to document a justification, it is sufficient to state “not applicable”.)
Scope of the ISMS (clause 4.3)
What is the NIST Cyber Security Framework?
NIST is an agency based in the USA, and stands for the National Institute of Standards and Technology. NIST has created a security framework NIST 800-53 which broadly maps against other Information Security standards.
Hicomply has all elements of the NIST framework in the ISMS Platform. We have mapped this to the other standards supported in our system, e.g. ISO 27001, CSA, HIPAA and PCI-DSS, which can significantly reduce the overhead of managing an IMS across multiple standards by using the same policies, procedures and management processes around risk, assets, incidents etc. across all of them.
There are a number of non-mandatory documents that allow for the control of ISO 27001:2013 which should be in the management system in order to define various controls. Some of these documents might be built into existing ISO standards that you might have entrenched in the operation, such as ISO 9001:2016, ISO 14001:2015 or even ISO 45001:2016.
In the event that you have one of the above documented ISO management systems, you may integrate this ISO 27001:2013 system into the existing one in order to reduce the documents below.
The hard part of risk management is identifying all associated risks. Most businesses pay large sums of money to have these risks identified for them. The easy part is then working through these risks to estimate the impact and likelihood of each risk happening. Hicomply Predictive Risk AI uses the information you provide and the assets within your business to predict your associated risks. We identify and describe all associated risks, giving you all the information you need to assess the potential impact and likelihood of the risks happening. Most InfoSec standards will insist on a regularly managed risk assessment process; by using Hicomply you can either adopt our own methodology or apply your own if you have one.
What is a risk assessment methodology?
Any risk assessment methodology should set out the rules by which your organisation will identify risks, assess their impact and likelihood, prioritise them, assign responsibility/ownership, and the criteria for accepting and treating risk.
This may sound complicated, but Hicomply provides a turnkey solution. Adopt our Risk Assessment Methodology and all the tools are available to you for the effective management of risk in your business.
The system also caters for all risk assessment types: create your own risk assessment methodology in line with your own business processes, or use multiple methodologies depending on the type of risk assessment being undertaken.
Within risk assessment it is standard practice to categorise risks based on the likelihood of them happening and the impact they would cause if they did. Most risk assessments will use this approach and use a risk matrix to visualise the risk against likelihood and impact.
The solution comes with a pre-defined 5 x 5 risk matrix approach, but this can be changed to a larger or smaller grid. Some use 3 x 3 - low, medium, high. ISO 27001 does not enforce a particular process, but does insist that one is in place.
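The likelihood x impact scoring described above, as an added illustration that is not Hicomply's own code: a matrix of configurable size (5 x 5 by default, 3 x 3 as the low/medium/high variant), score bands that turn a cell into a rating, a prioritised register and an acceptance criterion. The band boundaries, asset names and owners are assumptions made for the example.

```python
from dataclasses import dataclass

# Bands are (highest score in the band, rating label), ascending. The last band
# must reach size * size so that every cell of the matrix has a rating.
# These boundaries are an assumption for illustration, not a product default.
DEFAULT_BANDS_5X5 = [(4, "Low"), (9, "Medium"), (14, "High"), (25, "Critical")]
BANDS_3X3 = [(2, "Low"), (4, "Medium"), (9, "High")]


@dataclass
class Risk:
    ref: str
    asset: str
    likelihood: int  # 1 = rare .. size = almost certain
    impact: int      # 1 = negligible .. size = severe
    owner: str


class RiskMatrix:
    """Scores a risk as likelihood * impact and maps the score to a rating band."""

    def __init__(self, size=5, bands=None):
        self.size = size
        self.bands = bands or DEFAULT_BANDS_5X5
        if self.bands[-1][0] != size * size:
            raise ValueError("bands must cover every score up to size * size")

    def score(self, likelihood, impact):
        for name, value in (("likelihood", likelihood), ("impact", impact)):
            if not 1 <= value <= self.size:
                raise ValueError(f"{name} must be between 1 and {self.size}")
        return likelihood * impact

    def rating(self, likelihood, impact):
        s = self.score(likelihood, impact)
        return next(label for upper, label in self.bands if s <= upper)

    def grid(self):
        """Rating label for every cell: rows are likelihood, columns are impact."""
        return [[self.rating(lk, im) for im in range(1, self.size + 1)]
                for lk in range(1, self.size + 1)]

    def prioritise(self, risks):
        """Highest score first; ties broken by reference so the order is stable."""
        return sorted(risks, key=lambda r: (-self.score(r.likelihood, r.impact), r.ref))

    def needs_treatment(self, risk, accepted_ratings=("Low",)):
        """Acceptance criterion: any rating outside the accepted bands must be treated."""
        return self.rating(risk.likelihood, risk.impact) not in accepted_ratings


# Constructed register entries (hypothetical assets, scores and owners).
REGISTER = [
    Risk("R-01", "Customer database", 2, 5, "CTO"),
    Risk("R-02", "Office Wi-Fi", 3, 2, "IT Manager"),
    Risk("R-03", "Laptop fleet", 4, 3, "IT Manager"),
    Risk("R-04", "Printed HR records", 1, 2, "HR Lead"),
]

if __name__ == "__main__":
    matrix = RiskMatrix()
    for risk in matrix.prioritise(REGISTER):
        print(risk.ref, matrix.score(risk.likelihood, risk.impact),
              matrix.rating(risk.likelihood, risk.impact),
              "treat" if matrix.needs_treatment(risk) else "accept")
```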
ISO/IEC 27001:2013 has 114 information security clauses in Annex A of the standard. An organisation implementing an ISMS and attempting certification is required to review its business activity against each of these clauses to ascertain relevance/applicability. All applicable clauses require controls to be implemented, and any that are not applicable require a justification explaining why the clause is not relevant to the business. The statement of applicability outlines this in a single reference.
The Do’s
- Remember the ‘need to know’ principle of data access.
- Operate a clear desk policy when working in the office or at home.
- Always keep your devices locked when you are away from them in the office and at home.
- Keep passwords secure at all times; don’t write them down where visible to others; don’t share your passwords or use anyone else’s password.
- Always follow the Acceptable Use Policy for e-mail and internet usage.
- Dispose of paper and removable media in an appropriate manner. If in doubt, ask your manager. Store all documents and records according to their sensitivity.
- Report all information security incidents, weaknesses and suspicious circumstances to your manager as soon as possible.
The Don’ts
- Don’t remove sensitive papers or software from the workplace without your manager’s approval.
- Don’t transfer personal information, confidential or restricted information to anyone without the written approval of the information owner.
- Don’t give out information unless you are absolutely sure who you are talking to, that they have a business need to receive it and that there is no chance of anyone eavesdropping on your conversation.
- Don’t process or give out anyone’s personal information without their written consent.
- Don’t leave visitors unescorted in the office or around your working area at home.
- Don’t click on any links in emails unless they have been sent by a trusted source (check the email address carefully!) and you are expecting to receive the link. If in doubt, ask.
- Safeguard your computer
- Use strong passwords
- Update and patch your operating system
- Have an up‐to‐date firewall
- Have up‐to‐date anti‐malware software
- Act anti‐spam
- Secure wireless networks
- Be sensible – don’t take unnecessary risks
- Back it up
- Fix problems as soon as they arise
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information.
HIPAA is an information security management framework that broadly maps to ISO 27001 and other standards like PCI-DSS, NIST 800-53 and SOC2.
Hicomply has the HIPAA standard implemented in its entirety and has mapped its controls against the other leading standards supported in our multi-standard Information Security Management Platform.
Please get in touch if you would like to know more about maximizing your ISMS investment by utilizing the same policies, processes and business activities across multiple Information Security Standards.
ISO 27001 is the international standard which is recognised globally for managing risks to the security of information you hold. Certification to ISO 27001 allows you to prove to your clients and other stakeholders that you are managing the security of your information. ISO 27001:2013 (the current version of ISO 27001) provides a set of standardised requirements for an Information Security Management System (ISMS). The standard adopts a process based approach for establishing, implementing, operating, monitoring, maintaining, and improving your ISMS.