As a career Internal Auditor and IS/IT auditor, I can tell you with a high level of assurance that fintech start-ups fail for many reasons, but one of the main ones is that they take their information security management responsibilities very lightly.
Most people who are guilty of this have a standard excuse ready: they are always quick to blame modern software development ideologies like the ‘agile methodology / model’ for this ugly reality.
But that is not the case. The real problem is that most IT entrepreneurs focus only on the functionality of the software they are building, at the expense of overall system security. The same applies to small and medium-sized businesses in all sectors that hurriedly acquire software without proper due diligence.
Why even bother with information security management?
Managers and business owners should bother with information security management systems for obvious reasons, which include but are not limited to: lowering costs, gaining competitive advantage, attracting investment, meeting compliance requirements, increasing brand equity, and having a structured way of approaching security incidents.
If you are still not convinced by these few points as to why you should bother with information security, then nothing will ever convince you. Lol.
Who should care about ISO 27001?
In this day and age, where information assets have become a goldmine that hackers continuously target, anybody with direct or indirect responsibility for managing any form of information asset should care about the requirements of ISO 27001. Below are just a few examples:
- Hybrid accountants who are desperate to become disruptive accountants
- Modern-day CFOs who really want to make a meaningful long-term impact
- Internal auditors who still want to remain relevant as internal auditors
My reason for writing this article on ISO 27001 Information Security Management is to provide a guide for small and medium-sized businesses as well as startups in the fintech space. Everything I discuss in this post is easy and economical to implement. Let us start by briefly introducing ISO 27001 information security management.
What is ISO 27001?
In its simplest form, ISO 27001 is the gold standard when it comes to information security in its entirety. ISO 27001 is published and regularly updated by the International Organization for Standardization (ISO), in collaboration with the International Electrotechnical Commission (IEC). Many other standards have also been released by ISO, such as ISO 9001:2005 on quality management. You can visit https://www.iso.org for more information on the other standards set by this body.
What is ISO framework?
An ISO framework is a blend of policies, processes and procedures laid down for an organization to use for maximum results in a chosen area. An ISO framework is not a standard itself, but it helps pave the way for the various ISO standards to be developed.
Why do we need ISO 27001? | Importance of ISO 27001
Both businesses and individuals benefit tremendously from becoming ISO 27001 certified in the following ways:
- Cost-effective and reliable way of protecting information assets
- Improved credibility
- Management and mitigation of all kinds of cybersecurity risks with ease
- Saves resources
- Ensures compliance
- Global acceptance
- Provides a baseline for an effective Information Security Management System (ISMS)
- Certification of individuals’ skills
Are NIST and ISO the same? What is the difference between NIST and ISO?
In a nutshell, NIST and ISO perform similar functions, with the only difference being that while NIST is very popular in the United States of America, ISO is cross-border in nature.
How to implement ISO 27001 without breaking the bank
The whole idea of implementing ISO 27001 is to meet the 3 objectives of an ISMS. These objectives are:
- Ensuring confidentiality
- Ensuring integrity
- Ensuring availability
To effectively implement ISO 27001 within budget, the following simple steps need to be taken:
- Identify the stakeholders who really care about information security and gain an understanding of what they really want.
- Identify the information assets that need securing
- Classify and rank these information assets – this is important, as a company’s resources are finite and exhaustible
- Define the controls and mitigations that must be fully implemented to meet the needs of the stakeholders identified in the first step above
- Set clear objectives and other measurable KPIs for the information security campaign
- Implement and execute all the controls identified in the fourth step above. This should include a combination of risk management strategies.
- Have a regular schedule for reviewing actual outcomes against projected or expected outcomes
- Follow up to address any variance identified
- Continuously monitor and improve
The ISO 27001 approach to information asset security is consistent with the idea behind risk-based audit, where everything starts with a risk assessment and ends with follow-up activities. It is a requirement that all the controls a company has put in place be listed in a document called the ‘Statement of Applicability’. This document must be kept relevant by being updated regularly. I don’t need to bother you with the details of what the standard says, but just know that the standard has two major parts: the eleven (11) clauses and the Annex, which has fourteen (14) domains. Complying with the Accounting Information Systems (AIS) audit tips provided in the linked article will do.