Supply chain assurance
12 December 2016
In today’s globalised economy, doing business successfully involves the transfer of ever-increasing amounts of information to suppliers and partners around the world. Sharing information is essential for the supply chain to function, but many smaller organisations are not cognisant of the risks associated with the open transfer of data. The fact of the matter is that your supply chain is only as secure as the weakest link in the chain, and cybercriminals and other malicious online elements are constantly on the lookout for the smallest vulnerability.
Further compounding the problem, expanding data volumes have led many organisations to turn to cloud storage and other third-party solutions. Most businesses consider these services to be completely safe, but in a survey carried out by TechPro on behalf of Ward Solutions earlier this year nearly one-fifth of Irish organisations admitted to not knowing where their data is located. Further highlighting the vulnerable nature of data in the supply chain is the fact that 23% of respondents stated that they had no policies in place to govern third-party handling of data.
ISO 27001 certification
This weak application of processes and controls, coupled with a lack of visibility or understanding of data processing and handling, can lead to an increased risk of a data breach. Larger organisations are aware of these shortcomings and are beginning to demand evidence of supply chain assurance from prospective business partners or suppliers. Irish enterprises and government bodies in particular are increasingly making standards-based, evidence-based Information Security Management System benchmarks, such as ISO 27001 certification, a mandatory requirement for working with them as part of their supply chain assurance.
“Larger organisations are aware of shortcomings and are beginning to demand evidence of supply chain assurance from prospective business partners or suppliers”
ISO 27001 certification is an internationally recognised and established means of demonstrating your competence in managing the security risks to data in your possession and the information systems and personnel that process that data. As well as this, it provides partners with the peace of mind that your organisation is doing its part to minimise the risk of a data breach internally and externally, ensure continuity of your business services to your customers and reduce the risk of fraud being perpetrated by internal or external agents.
ISO 27001 accreditation is also a tried and tested means of setting yourself apart from your competition. Studies show that organisations with a reactive approach to information security spend approximately 3% of their ICT budget on information security measures that are often ineffective. Organisations attempting to be compliant and proactive can spend up to 8% of their ICT budget on information security, with some increase in effectiveness. However, when organisations adopt a systemic, focused, targeted, risk-based approach (such as ISO 27001) they typically spend approximately 4-5% of the ICT budget on information security and achieve optimum levels of effectiveness. Thus there is a strong ROI argument for implementing and certifying to the ISO 27001 standard. For this reason, ISO 27001 accreditation is one of the better investments to which to devote part of your information security budget.
Achieving compliance is difficult, and companies should work with recognised consultant partners such as Ward Solutions to guide them through the complex certification process. We work with our clients to ensure that they are ready for the rigorous assessment by conducting server audits and audits of their information security processes, and by taking an in-depth look at their hardware vendors. Following this, we design a comprehensive roadmap of the steps they need to take to achieve accreditation. Following certification, we continue to work with the customer to conduct re-assessment audits every six months, thereby ensuring that they remain compliant.
For the time being, ISO 27001 accreditation remains a means of giving your organisation a competitive edge by demonstrating a proven ability to manage information security and mitigate risk. However, in the not-too-distant future certification will transform from a nice-to-have into a must-have, and it will become extremely difficult for businesses that aren’t compliant to win new business. Organisations need to get ahead of the curve now, instead of trying to play catch-up when the time comes.
Pat Larkin is CEO of Ward Solutions