Using ISO 27001 Annex A to Protect Your Data
With information security quickly becoming your organisation’s biggest threat, it’s time for you to look at some real actions to protect you and your business. I think the controls listed in Annex A of ISO 27001 are some of the best actions you can take to prevent a major business disruption. I really like these controls as they are logical and give you a systematic way of implementing them. In this webinar recording we are joined by Nathan Cottom from Mango to explain how to meet and implement those controls. The ISO 27001 standard is not just about your IT department or your IT contractors; it covers all your business processes.
In this presentation, you're going to get some great advice on how you can use ISO 27001 and its Annex A to help you protect your information in your business. Hello, and welcome to our ongoing series of Business Improvement presentations presented by Mango.
Today, we have our colleague, Nathan, to help explain how Mango use Annex A of ISO 27001 to protect its information from vulnerabilities and threats.
If you want to contact us and ask us any questions, then just contact us through email there and hopefully we'll answer those questions for you. We've also got a free giveaway for you as well. So we're going to be talking about Annex A mostly in this presentation. But there are also all the clauses from clause 4 to clause 10 of ISO 27001, and if you want to know more details about those, then download this ultimate guide to the ISO 27001 standard that I wrote last year, which can be found on our website. So just go to www.mangolive.com/resources, or click on the tab at the top of the page called resources, and filter for “types”. So click on E-book and it's one of the free eBooks you can get there. If you click on that, you'll see a link, so you don't need to give me your email or anything like that. It's just a free download. Before we get into the annex, just to explain ISO 27001.
ISO 27001 is a little bit more than what you expect. It is actually ISO 27001, which is clauses 4 to 10, plus it has an Annex A, which lists 108 controls, which we will talk about today in this presentation. These are the clauses we're going to go through, so we'll go from five down to 18 and go into a little bit of detail about each of those. I'll explain the objectives of each of them. And then we'll give you some examples of how Mango achieved that and how maybe you could achieve that inside of your business.
A.5 Information security policies
So the objective there is to provide management direction and support for information security, in accordance with business requirements and relevant laws and regulations. So what does that actually mean, in practice? I've taken an example here from us. So we wrote up an information security policy, and included in that there are other things in the policy I haven't shared here. But the main part of that is that we are committed to meeting all current legislation as well as a variety of regulatory and contractual requirements. We're continually improving our information security management system, meaning we continually review it and update it. And we're committed to meeting the security needs and expectations of interested parties. So we've got a whole bunch of interested parties, including customers, suppliers and other interested parties. So Nathan, have you got anything there that's extra that you could add?
Nathan: One of the key things here is communicating those policies to your employees as well. So within Mango, you would keep the policy within the documents module and control it within there. You would capture the training records through the HR module, but it's important that you are capturing that your employees are being communicated to with the policy information. It's also a good idea maybe to put some visual items up, maybe some posters or some sort of visual cues, to show that it's an important thing for the organization.
Why are we doing information security?
Why are we looking at ISO 27001?
So you have posters and reminders. In New Zealand, you've got CERT NZ reminders that come through. Anything visual like that, that you can share with your team, just to get them on board, and give them an understanding of what you're trying to achieve.
A.6 Organization of information security
There's a couple of objectives here. The first one is to establish a management framework to initiate and control the implementation and operation of information security within the organization. And secondly, to ensure the security of tele-working and the use of mobile devices. What did we do at Mango? We updated our individual employment agreement and got the staff to agree to and re-sign those employee agreements. So we tightened up a whole lot of information security in those documents. We then also updated everyone's job descriptions just to make it clear what their responsibilities are around information security. We developed a mobile device use policy and a remote working policy. We also got help from our lawyers as well.
Nathan: The latter two, the mobile device and the remote working policies, are covered in other annexes as well. But the key thing to consider here is, if my mobile device is lost, left in a taxi or stolen, what controls have I got around that to protect our information? Also, if people are working off site, and we're especially seeing this through COVID, do the people at home have the same level of security and access that they need in order to function? In a nutshell, it's about keeping the key stakeholders up to date with what's going on. And that can be captured within Mango and the HR module, especially around those employment agreements and job descriptions, and the HR module is ideal for that.
A.7 Human Resource Security
The next one ties in nicely, which is around HR or human resource security. There's three objectives here. So firstly, prior to employment: ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are being considered. So that's the first objective. Secondly, to ensure that employees and contractors are aware of and fulfil their information security responsibilities. So that's while they're doing the job or during their employment. Then finally, at termination or change of employment: to protect the employees, the organization's interests as part of the process of changing or terminating employment. So here at Mango, we tightened up our recruitment processes, particularly around screening employees and looking at what sort of criteria we're going to assess people on during the screening of the people that are applying for the roles. Once we looked deeper during their employment or early employment, we looked at and have installed police checks as well. So our checks at induction were tightened up.
Nathan: When we come to induction, it's with your new employees or changing-role employees. It's too late if you leave it down the track to start talking about information security with these people. As soon as they start with the business, they're being exposed to information that may be sensitive in nature. We're trying to protect that. The induction process is the ideal time to inform these people that you've got a process, why that process is in place, and what they can do to help manage that process, whether it's from reporting issues, or just the way that they behave. A couple of things are around your part-time or occasional employees: don't forget about them in this induction or onboarding process. They're just as much of a potential risk as anybody. And they are quite often overlooked, because they're not around necessarily at the time that the rest of the employees are going through the training for information security. And so they may get missed and therefore become a bigger risk. The other thing you can do within this module is just look out for any unusual activity. You've done your police checks, you've had your screening in place, but if someone suddenly starts acting a little bit differently, just monitor and be mindful of that; it might be leading to something else.
A.8 Asset Management
So the next one is asset management. Three control objectives there. The first objective is to identify organizational assets and define appropriate protection responsibilities. The next one is around classification: to ensure that information receives an appropriate level of protection in accordance with the importance of the organization. So you classify the information to ensure that it's properly protected. And finally, three, to prevent unauthorized disclosure, modifications, removal or destruction of information stored on media. Here at Mango, we created an asset register. We went through a bit of a process here; it took a while, but we've created an asset register of all our equipment, all our software, all the information that we have, including whiteboards and posters and things like that. We then went through a classification process to classify them. We labelled everything. Then we looked at how we handle and dispose of media, including SD cards, USB, server disks, things like that. So a whole lot of management around your physical information assets.
Nathan: For us there, in the classification, that involved, you know, is this information secret? So is it the highest level of security, through to is it public and stuff that we're able to make available for other people. It's really important to consider not just physical assets, but also software assets, and anything that can show or display information. Hence why we sort of included things like whiteboards, because you can write things on whiteboards and people can inadvertently see them who maybe shouldn't be looking at information. You’ve just got to be mindful of that as well. As far as Mango goes, we capture the assets in the plant and equipment module. We put in a classification, and we set up a risk template and did the risk assessment on those assets through the risk module. When it comes to disposing of equipment, such as hard drives or anything like that, obviously, there's a risk there. In order to manage that process we will raise an improvement so that it's going to the correct people to get disposed of and the correct process has taken place.
A.9 Access Control
The next one is a biggie. There's four objectives here. The first one is to limit access to information and information processing facilities. Secondly, ensure authorized user access and prevent unauthorized access to systems and services. Thirdly, make users accountable for safeguarding their authentication information. Fourthly, prevent unauthorized access to systems and applications. Here at Mango, we went through all our networks and looked at the controls that we've got on all our networks, our services, including utilities, power and whatnot. We looked at all the privileges that everybody's got for the information that they need to be able to do their job. For those products that we felt two-factor authentication was necessary, we implemented that. Those passwords that people use, they needed to be complex passwords as best they can, with phrases or whatever is best for them. Then we put special processes around our source code, because we are a software development company: special privileges and access around source code.
Nathan: Other things to consider are things like your services, your power, your phone, the internet. Are they able to let you down in some way with your security? Are people able to plug the device into your network connection and access your network? Or are there some protections in there? As a whole, it should be a principle of least privilege. So you should only be giving people access to things that they actually need to have access to. Quite often, people say, "I'll just give you full access and you can see the whole system or see the whole lot of employees." If they don't need to see all that information and you are giving them more than they actually need, that can lead to issues in itself. On the other side of it, you also need to check whether there's any barriers to people doing their job. So you don't want to stop someone doing the job by not giving them appropriate access rights. So one way of managing that that we use is discussing this in our Management Review meetings. We always check whether any employees have got any barriers around access that are preventing them from doing things. And whether they come across a meeting that they maybe think they shouldn't have. Within Mango, the software itself, you can use access profiles to help you manage that. And you can apply further restrictions on what people can see just to keep their information more secure.
A.10 Cryptography
The one objective here is to ensure proper and effective use of cryptography to protect confidentiality, authenticity and integrity of the information. For us in “Mangoland”, particularly for our software development, we use keys and key management. We also have encryption and decryption as well. We've got strong processes around that. And only very senior developers in the company actually look after that. Very few people know the processes around encryption and decryption.
Nathan: This is not an area that I'm particularly skilled in. It’s where your IT department really comes into their own. They know about cryptography. They'll be able to advise you what they're doing, and how they can help protect the transmission of your data.
A.11 Physical and Environmental Security
The first objective around that is to prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. Secondly, to prevent loss, damage, theft, or compromise of assets and interruption to the organization's operations. Here at Mango, we're on a physical location; we've actually got two offices, one on top of each other. There's a boundary there with alarms and pin codes on those alarms. So you need to think about that for your organization. What sort of boundary do you have? And what protection do you have around that? Then when you're looking at your equipment, what maintenance, cabling and utilities security is around that, which we've sort of covered off previously, but it also involves this clause. There's a section there on making sure you've got a clean desk and clean whiteboard. Our policy here is we have clean desks. At the end of the day, people should be removing any confidential information from their desks and either shredding it or disposing of it appropriately.
Nathan: Obviously, we've been talking a lot about the data and that sort of security, but getting access to a location is also coming through here. The thing with alarms and locks is how you know whether they're actually working or not. You've got to make sure that you're testing them on a regular basis, making sure the right alerts are coming through to the right people. If you're using the Mango software, you can use the Events module to prompt you when that sort of thing needs to happen. It's also around employee awareness of who should be on site. I know in manufacturing plants that I've worked in before, it's quite easy to sort of truck and trailer into a company’s premises just by following the car that's in front of you. Then obviously, they are in your site, and they can access the physical location or your data if that's available. Being aware of who should be onsite, and protecting your equipment (maybe it's sitting in a loading bay).
A.12 Operations Security
There's seven different objectives here. The first objective is to ensure correct and secure operations of information processing facilities. Secondly, to ensure that information and information processing facilities are protected against malware. The next one is to protect against loss of data; that’s through backup. The next objective is to record events and generate evidence, so that's around logging. The next one is to ensure the integrity of operational systems. The next one is to prevent exploitation of technical vulnerabilities. And finally, to minimize the impact of audit activities. So when you're doing audits, you've got to make sure that those audits don't affect your operational system. In Mango, we put a lot of effort around this, particularly around patching, making sure all our servers and all our devices are all patched accordingly. We are protected from malware. Our backups are in place, and we check to make sure the backups are done. We've got plenty of logs in place. We also protect ourselves against the two biggest threats that are happening in New Zealand at the moment, which are phishing and credential harvesting. That's mainly through email and making sure people don't click on silly links. And suddenly, you're protected there, and you're getting silly phone calls and whatnot. Those are the sorts of things that we look at in terms of their operational security.
Nathan: This is about avoiding disruption, so you don't want to be hacked and lose your ability to function for a particular period of time. So we do things like reviewing our logs for unwanted activity that may not be what we expect. As far as the backups, we have a schedule on backups, as well as those that are forwarded to us. We keep that up to date, via the management review meeting. We discuss with all the team members the risk of clicking on to unsolicited emails, especially those that have got links inside them. So again, it's coming back to that communication with teams, but also the technical aspect of how you manage your malware and your backups.
A.13 Communications Security
There's a couple of objectives here. Firstly, to ensure the protection of information and networks, and its supporting information processing facilities. The next objective is to maintain the security of information transferred within an organization and with an external entity. We've got some tight controls around our network security; I can't give you a lot of details about that. But for information security, and transferring data, we use encrypted services to be able to do that. We also manage that as well. But the important thing really is communication, team communication. We use external providers, like Microsoft Azure, to host our servers for us. We've got good network security around that and good communication with them to make sure that everything is operating and there are no holes.
Nathan: This brings in the human aspects and communication within teams. We have closed-circuit communication devices through here, so that no one can access from outside of Mango. You have to actually be an employee to use that method of communication. It's also around confidentiality agreements. So you're going to discuss things with suppliers or employees, as a matter of course of that relationship. It's important that they don't communicate that information off to others. That's where the confidentiality agreements come in. It’s around email guidelines and who are you communicating with? How are you communicating with them? Are you providing any link back into your organization that you may not be wanting? Like, avoid putting links in because there's a good chance that they won't be delivered. Or the tone and the information that's given on emails.
A.14 System acquisition, development and maintenance
There are three objectives. First, to ensure that information security is an integral part of the information systems across the entire lifecycle. This also includes requirements for information systems which provide services over public networks. Secondly, to ensure that information security is designed and implemented within the development lifecycle of information systems. Thirdly, to ensure the protection of data used for testing. This is very critical for us because we are actually a software development company. Not only do we have our own networks that we have to design, develop and test, we also have Mango that we design, develop and test. We've sort of got two areas we've got to cover off in this particular clause. When we get audited, the auditors keep a very close tab on this. We've got purchasing processes around how we acquire things, and then how we put those in and implement them into our network. We've got design and development processes, not just for our network, but also for Mango itself. We've got some strict design and development processes around that, making sure that the customer's requirements are fulfilled, but also that the information security around that is fulfilled. We write information security into our requirements documents right up front, and then we test them at the end. Then when we're doing support, which Nathan looks after, he’ll give you a bit more detail around some of the information security things here, because we are supporting Mango and have access to some customer information there. We've got to put some really strict guidelines around how we actually support customers' information when we can actually see some of their information.
Nathan: When we're acquiring a new piece of equipment, and we include software as being new equipment, we obviously need to know if that's going to bring any vulnerabilities with it. We use an improvement within Mango to manage that process of onboarding the equipment. We do a risk assessment on it to see what those risks to the business are. If we are going to do some maintenance on it, we use the maintenance request module to make sure that we're not letting any information out as part of that maintenance. Within Mango itself, whenever we are looking at bringing new enhancements or changing things within the Mango software itself, considering how that data is used and accessed is a huge part of it. Right from the writing of what we want to achieve right through the testing of it, that's a huge part of that whole process. When it comes to support, we gain access to the client data for supporting a query that they’ve got. One thing that we do sometimes hear is people sharing too much information with us, such as maybe access information. So it's really important for us that we capture if we're told that sort of thing, and that we are telling people to reset their passwords or anything like that, if they share that sort of stuff with us. Obviously, we only look at the information to help a client at the time; it's not something that we're looking at otherwise. We can't share that information with anyone else because it wouldn't be appropriate to do so. Some organizations might have consultants that they want to help run the processes, and they want to talk to us; we're not going to talk to a third party unless we've got that level of authorization to do that. It's really, really important that we maintain the security of our clients' data.
A.15 Supplier Relationships
The first objective is to ensure protection of the information organization's assets that are accessible by suppliers. Secondly, to maintain an agreed level of information security and service delivery in line with supplier agreements. Here at Mango, we monitor our contractors' performance monthly as part of our Management Review. We also have annual supplier reviews. You also need to consider how you talk with and engage with lawyers and accountants as well, because they're looking at some of your information for you. Maybe they are doing a bit of work for you around that. Therefore, how do you protect yourself to ensure any data there is not lost? Or there's vulnerabilities of losing data.
Nathan: When it comes to suppliers, your agreements ideally are relevant to the risk that that supplier might expose to your organization. You might have some sort of pre-assessment of that supplier; there's an assessment module within Mango to help you with it. That's getting information wrong to see if you want to work with them for a start. Assuming you want to work with them and you start that relationship, then you want to review on a regular basis that they are actually still performing the way you want them to. You might do an audit on them; there's an audit module inside Mango. To review, make sure that they're still performing the way that you want.
A.16 Information security incident management
The objective here is to ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. Here at Mango it's all about incident reporting, and then managing the corrective and preventive actions that flow from that, and reviewing that, and making sure that you learn from those things and prevent them from happening again.
Nathan: This comes down to training and capturing information from your employees and your teams. In a similar way that we would encourage employees to tell us about any safety accidents or incidents, or maybe some near misses, we want to encourage them to help us manage information security as well, by telling us if they're aware of any issues that are coming through. Maybe they've received unsolicited email, maybe they've sent an email to a wrong place; they just need to put their hand up and say, “Yes, we need to deal with it”. Most countries have laws around this. It says that if the breach was likely to cause significant harm to anybody, you need to notify the Government. It's all about encouraging people to report incidents of a security nature. Within Mango, there's a new security incident module to help you manage that process. You’ve got to encourage your team to actually tell you when things are happening.
A.17 Business Continuity
The objective here is that information security continuity shall be embedded in the organization's business continuity management systems. And secondly, to ensure availability of information processing facilities for redundancy. For us here at Mango, we updated our business continuity plan. We're based here in Christchurch in New Zealand and we've been through a lot of business continuity events, including earthquakes and COVID as well. As part of our ISO 27001 certification, we really focused in on this clause and updated our business continuity plans, and put in some emergency-type events so that we would test those to see what would happen in case of a crisis or a disaster.
Nathan: It’s one thing having a business continuity plan; it's another actually implementing it and testing it. Testing is really the key. Unfortunately, in Christchurch we’ve had a number of events where we needed to test the system. But when that occurs, you know, actually step through it, and take learnings from it as well. Because every time we have either a test, or an unforced test, we're always tweaking things because maybe part works so well. Maybe this other part worked really well. Do that review to see how you can update your continuity plan, so that next time it's even smoother from the start. One more thing. Our product, Mango, sits on some servers in Microsoft Azure. We have some mirrored servers there; if one goes down, the other one kicks off straightaway. So there's some redundancy there.
A.18 Compliance
The first objective is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and any security requirements. Secondly, to ensure that information security is implemented and operated in accordance with our policies and procedures. For us, we captured all of our legal requirements in a legal register, and other requirements, as we saw fit, in a compliance register. We've listed all of the controls that we've got, as we've talked through today. And we say how we actually meet those, what policies we've got, what procedures we've got, what evidence we capture, and we have audit processes and reviews to make sure that we can continually meet that.
Nathan: We use the compliance module to capture them by clause. Then we use the audit module too, and the structure of the audit matches the Annex. So we can go through and say, is this in place? Is it documented? Is it being followed? It's one thing having the compliance, and identifying what it is that you need to meet, but you need to then be reviewing it to make sure you are actually consistently meeting it, and nothing's changed in the last 6-12 months or so. So doing an audit, or doing some sort of review, based on the annex is a good way of structuring it.
That's the end of Annex A. Hopefully, you've got a good or a better understanding of each of those clauses, their objectives, and maybe some examples.