Here at PwC’s Auditor Training we have recently released our latest auditor training course, and it’s all about ISO 27001 Information Security, the internationally recognised information security standard.
We asked Ryan Ettridge, PwC Partner in Digital Trust and Risk Assurance, to explain why ISO 27001 and Information Security is so important, particularly in today’s security conscious business environment.
Ryan has extensive experience in information technology, particularly in IT risk and cyber security. He has managed and embedded transformation programs for clients across all industry sectors; and his strong focus on cultural change and an ability to successfully blend people, processes and technology provides businesses with the security imperatives they need to confidently manage modern information technology risks.
What is ISO 27001?
“ISO 27001:2013 is a well-respected international information security standard that outlines the key processes and approaches a business needs to manage information security risk in a practical way.”
Why do we need it?
“Information security is a business problem, not an IT problem. Risk-based approaches are vital for modern information security effectiveness.
There are many ways to achieve security risk management, so a good standard like ISO 27001 puts formalities in place to ensure the right thought processes were followed and captured when the inevitable breach is realised.”
What value does ISO 27001 certification add to a business?
“Certification is fundamentally about providing trust and confidence – and these can provide a competitive edge. In today’s world, our customers, business partners and shareholders want to be sure that you’re not putting them or their businesses at risk by not having appropriate safeguards in place around information and technology enabled business assets.
Boards want this confidence; management wants this confidence; and certification is a solid way of showing that you have invested and continue to invest to maintain appropriate levels of security based on acknowledged risks.”
Can I achieve the same processes without certification?
“Many organisations do follow the same process to achieve their security objectives without ever certifying; however, certification is the formal proof that the standard has been integrated. Consistency and repeatability are key for traceability and justification of security investments. Understanding the standard in enough detail to appropriately apply it is necessary if you want to be truly effective.”
Why choose ISO 27001 over other standards such as NIST and IS 18?
“This is a common question, and the reality is that the standard is flexible enough to be adopted for all industries and maturities. It can be integrated at many layers to ensure both security and compliance.”
Where do you see information security heading into the future?
“Anything that can be digitised is being digitised, so access to information and anything that is connected presents far greater risk to society than ever before.
As long as there is a dependence on technology to live, there will always be malicious, accidental and other ways to cause negative impacts. Security is a byproduct of risk management. Security in the context of this conversation is about shifting the cyber risks in your favour – InfoSec must become part of your everyday personal and professional lives just like locks on your doors. Live it, breathe it.”
What are the potential career pathways for a person with ISO 27001 knowledge and experience?
“We talk a lot about ‘lines of defence’ in risk management and assurance. Let me briefly explain…
Line 1 involves Management/Leadership/Operations – these people set the tone for risk and manage the day-to-day running of a business.
Line 2 involves the SMEs and advisors to the business involved in how to manage risk within the business’s frameworks and policies.
Line 3 is independent audit.
In all three lines of defence, this skill is well respected such that we know how to operate within our risk appetite; we know how to tailor and integrate a practical framework/standard; and we know what to audit against. Whether I look to hire a security architect, analyst, auditor or otherwise, knowledge and experience with this standard is always included.”