Cyber-security is an especially hot topic in aviation right now. I've written about it before (see related content further down), but I haven't yet written about an ISO standard that would help ANSPs and airports to address it.
ISO/IEC 27001:2013 - Information Security Management Systems is the foremost international standard for information security. Compliance provides confidence that an organisation's current information-related policies, procedures and practices are appropriate to the risks they face. It not only puts directors' minds at ease, but also alleviates the potential worries of trading partners, customers, insurers and other stakeholders.
Although perhaps a daunting prospect, the task of organising a management system for information security is crucial. Then opening up your system to independent review is industry best practice and ensures that your organisation is ahead of the curve when it comes to threats.
Having recently qualified as a lead auditor for the standard, I thought I'd share some top tips to help you prepare:
- Get the basics right first: Inadequate or poor skills, time, money and leadership often lead to non-conformities with controls. Correcting one control to satisfy an auditor may absorb the resources of another, and end up moving the problem elsewhere. Your system must be underpinned by senior-management commitment and sufficient expertise and resourcing.
- Beware potential differences between procedure and practice: As part of the auditing process a sample of policies and procedures will be checked against day-to-day reality to see 'if they say what they do' and 'if they do what they say'. Make sure yours do!
- Ensure practices aren't undermined by natural human behaviour: It is perfectly human to hold doors open for people, open interesting-looking emails, struggle with clear-desk policies, etc. However, these behaviours are contrary to many information security procedures, so a key challenge is to change behaviour.
- Check your suppliers' scope of certification: People often don't realise that certification does not need to cover a whole organisation. Some wily organisations deliberately limit the scope of their certification (e.g. to only their front desk or website!) to pass more easily. Fortunately, with the 2013 version of the ISO 27001 standard this is harder for suppliers to do, as the scope needs to be demonstrably linked to customer needs. As a minimum, always check the scope.
- Make sure you have a robust document management system: Document management is a common failing. However, if you have a Quality Management System (QMS) in place, you may be able to use its mechanism for document review, approval, change control, etc.
If you're starting out on, or already somewhere along, the ISO 27001 and Information Security Management Systems journey, I'd be very interested to hear of your experiences.