Financial services firms are typically focused on developing services, getting them to market and running them day to day, and can be reluctant to spend effort on the compliance activities needed to manage cyber risk. This is especially the case for firms at an early stage of their development, or small, niche service providers, which may have limited time and resources available.
However, customers, business partners, shareholders and regulators are increasingly aware of cyber risks and have greater expectations of the firms to respond to and effectively mitigate these risks to protect their money and the market. Financial services firms should not ignore the significant cyber risks.
A pragmatic approach to managing cyber security risks inherent in the business environment and in the processes and systems that are central to financial services business models is to adopt an established framework which can be tailored to the scale and complexity of your business. The ISO27001 standard offers a comprehensive framework to identify and manage risk using technical, organisational, physical and people controls. How you implement the framework should be proportionate to the cyber risks your business faces and only the specific controls that mitigate those risks should be implemented; as your business develops and grows the framework can scale to address new or increased risks by implementing additional controls.
Our cyber security experts Will Finn and Brendan Dougan have extensive experience both in implementing and auditing ISO27001 in complex, highly regulated organisations. The team presented an overview in a webinar on how to use ISO 27001 to secure your company’s systems and information. Most of the firms who attended the webinar (93% of attendees) were already certified or considering starting the journey, so many financial services firms clearly recognise the value of certification.
Why should firms become certified?
This is a great question because the certification process requires a commitment of resource and staff time so your organisation should understand and be fully bought in to the process and to the benefits.
The standard has many advantages:
- It signals your information security posture to customers, clients, business partners and regulators: Being certified lets you demonstrate that you have identified your information security risks, have controls in place to manage them and can respond quickly when issues arise.
- It helps to manage third-party supplier risk: When your firm outsources services to a supplier, the regulator still holds you responsible for the information security of those services. Asking a prospective supplier whether they are ISO 27001 certified is a good first check on their information security controls. Check the certificate itself, though: certification applies only to the scope stated on the certificate, so confirm that the service you are buying, and the locations and systems that deliver it, fall within that scope.
- It is flexible and proportionate: Application of the standard can be scaled up or down in proportion to the size of your business and the risks you face.
- It provides an off-the-shelf framework to ensure you implement the right controls: Annex A of the standard lists 93 reference controls that a firm might implement to manage information security risks. Certification requires a Statement of Applicability recording which of these controls apply and why any have been excluded, which takes firms through the useful process of understanding and justifying why they do or don’t need a particular control.
How do firms become certified?
Although a benefit of the standard is that firms can choose which controls are most appropriate for their business and specific risks, there are nonetheless fundamental (and mandatory) requirements without which you cannot be certified. These are the clauses of the standard rather than Annex A controls, and in ISO27001 terms they are the building blocks of what is known as the ‘Information Security Management System’ (ISMS).
The mandatory requirements include:
- Leadership: the key principle of the standard is that your senior management is aware of information security risks and is taking steps to manage them, starting with an information security policy. This is the document that states how the firm will manage and reduce information security risk, and leadership must also allocate the resources and responsibilities needed to carry it out.
- Performance evaluation: The controls should be regularly monitored and tested so that you know whether they are working as intended to reduce risk and can detect any information security issues if they arise. The standard requires an internal audit programme (which can be carried out by your own staff or by an externally commissioned auditor) and a periodic management review of the ISMS by senior management.
- Improvement: The standard requires continual improvement, with nonconformities recorded and corrective action taken. Auditors and regulators will expect to see evidence that risk is being managed and the effectiveness of controls improved over time.
Alongside the mandatory requirements, specific technical, organisational, physical and people controls are selected and implemented to address specific risks. These controls are familiar to people who work in an IT environment, and include controls to manage access to systems and data, controls to identify and respond to cyber incidents and controls to protect an organisation’s networks and systems from cyber attack, among others.
In the recently updated ISO27001:2022 framework, Annex A contains 93 organisational, people, physical and technological controls which provide a comprehensive framework to address your firm’s specific risks. This update adds controls for the secure use of cloud services, secure coding practices and data leakage prevention, alongside existing controls for managing supplier and outsourced services.
The journey to certification
When a firm decides to become certified, it will often engage a specialist consultancy to support the programme of work required to achieve certification. The firm must also appoint a certification body accredited by UKAS (the United Kingdom Accreditation Service) to conduct the Stage 1, Stage 2 and surveillance audits required over the three-year certificate lifecycle. The consultancy and the certification body must be independent of each other: the body that audits you cannot also have designed your ISMS.
A typical programme will include the following steps:
- Strategy and programme: Company leadership must first identify the information security risks they face and the relevant regulatory, contractual and other compliance requirements, then authorise development of an information security policy to mitigate those risks and a strategy or plan to implement the policy.
- Risk and requirements: A detailed risk assessment should be carried out to identify the firm’s risk profile and highlight the priority risk areas.
- Scope definition: The firm should define which parts of the business, locations, systems and services the ISMS covers (this is the scope that will appear on the certificate), then decide which controls to implement as a priority and which lower priority, but still necessary, controls to plan for later implementation. The outcome is recorded in the Statement of Applicability.
- Gap analysis: Review and testing should establish the firm’s progress with controls implementation and the resulting reduction in the firm’s risk. This review and testing will form the basis of ongoing controls monitoring and auditing activities.
- Remediation: The firm must be prepared to respond to changing risks. Controls monitoring and testing will identify areas which require remediation. In addition changes to business systems and architectures, cyber incidents and other developments will require remediation to ensure new or increased risk is being managed.
- Stage 1 audit: At this point, the company is ready for the certification body to review its documentation and assess readiness for certification. The assessment will point out any improvements or remediations that are needed before Stage 2.
- Stage 2 audit: When the remediations have been implemented, the certification body will undertake the second and final stage audit, testing that the controls are actually operating as documented.
- Certification: If that audit is successful, certification will be granted and your organisation can identify itself as ISO27001 certified and share the certificate as evidence to provide assurance to customers, clients and regulators.
Certification lasts for three years. The UKAS-accredited certification body returns to carry out surveillance audits at least once a year, and a full recertification audit is required before the certificate expires.
Getting certified as ISO27001:2022 compliant is a tried and tested model for ensuring that your business has put the core information security measures in place to manage and reduce cyber risk. The certification process provides a framework and a guide to help you develop and mature as an organisation and will identify what you are doing right and where you can improve further.
If you would like to discuss how to use ISO27001 certification to improve your own cyber security, contact us today.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.