COVID-19 and BCP – is your governance remotely working?

COVID-19 (also known as coronavirus) has taken us all by surprise. The most interesting aspect, though, is the home working advice, which will have driven a coach and horses through many certified management systems for information security (ISO/IEC-27001:2017) and business continuity (ISO/IEC-22301:2012). The reason for this is that many of these management systems rely on artificial scope boundaries to deliver compliance in a manner that doesn’t reflect current working practices.

What’s the problem?

How many of you referred to your risk assessment or BCP plans to guide you through how to adopt remote working in light of the recent government guidance? If you didn’t, your current certifications are now at risk, because the management system hasn’t functioned.

Of those who didn’t refer to the risk assessment or BCP plan, how many of you identified deficiencies in your current processes as part of the management meeting to discuss remote working and recorded them in your corrective and preventive actions log? Those who haven’t have now compromised their management systems to the point where they are no longer valid, as the management system has completely failed.

Don’t forget, it is the management system and not the controls that are certified as part of an ISMS or BCMS. I often find clients have large management system manuals audited by the leading names in ISO management system audit and they are merely compliant management systems rather than living ones.

What’s a compliant management system?

The features of a compliant system are typically the following:

  • The view is that the management system has “passed an audit”, when the audit itself is merely assuring that the system is conformant with the audit standard – the auditor is not a consultant, and is not making sure it works for you!
  • The controls/processes which are part of the management system are not consulted as part of business operation, and are merely communicated as part of induction and reviewed before the next audit – the management system is what is audited not the controls in isolation.
  • There is a fear that changing controls/processes will impact the certification, and they are maintained even when they are impacting the business processes (and therefore often bypassed) – defining control performance and understanding when controls require review is part of the management system.

Creating a living management system

A living management system is one that typically:

  • Has looked to identify the assets that they are trying to manage.
  • Has looked to integrate the assessment of the risks into their corporate governance.
  • Has identified what the controls/processes of the management system are trying to achieve and how to determine if they are working as intended.
  • Has its controls/processes consulted to guide actions as part of business operations, and certainly at this time.
  • Has processes to capture when the controls/processes of the management system aren’t working for the business, and looks to evolve them.

So what should be done now?

So hindsight is a wonderful thing, and you may now be thinking that hindsight is always 2020 (no pun intended), but what do you do now if you have started to work remotely and haven’t done anything yet?

I would recommend:

  • Identify why you weren’t able to use your ISMS or BCMS to guide you and capture the actions to address the gaps.
  • Identify all company data being uploaded to, and processed by, Cloud services.
  • Consider what physical security and internet connectivity is available from the remote working environment and whether any further action is required to manage risks (i.e. how much do you rely on central systems in the office locations that aren’t there at the remote working location).
  • Consider if changes are required to security policies.
  • Consider what control you have over the data on personal devices and how much control you wish to have over the device (and what impact that might have on staff if you wipe the entire device).
  • Ensure that you can extract the company data held within the Cloud services and you can obtain evidence that it has been deleted.
  • Ensure that the company data held within the Cloud service isn’t used for anything other than your own purposes.
  • Assess the endpoints and remote working solutions (e.g. Cloud, VPN etc.) against the GDPR 12 steps guidance for data protection.
  • Assess the endpoints and remote working solutions (e.g. Cloud, VPN etc.) against the NCSC 10 steps guidance for cyber security.
  • The above assessments will give you 30 areas to assess against, which should let you assess your gaps as they stand in your use of remote working today and create a plan of action to address them.
  • Look to ensure that all endpoints you use for processing company data are still supported for the latest security updates. For iOS devices that means nothing older than an iPhone 6s or iPad Air 2, with iOS 13 installed; for Android it means nothing earlier than Android 8.0 (Oreo); and for Windows it really means nothing not running Windows 8 or above.
  • Ensure that any endpoint not running iOS has anti-malware installed which updates daily.
  • Ensure that all endpoints have the latest updates applied.
  • Ensure that you follow NCSC password guidance.
  • Ensure that you are using two factor authentication (sometimes called Multi-Factor Authentication) enforced on any Cloud service you are using.
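The endpoint checks in the list above (minimum platform version, updates applied, daily-updating anti-malware on anything that isn’t iOS) are the kind of thing a small script can run over an asset inventory, which is exactly the asset identification a living management system should already have. The following is an added example, not code from the article: it takes a constructed inventory of four endpoints and reports which of those checks each one fails. The 30-day "updates applied" threshold and the assumption that the inventory records marketing-style version strings ("13.3.1", "8.1", "10") are mine, not the post’s; the version floors (iOS 13, Android 8.0, Windows 8) are the ones the post names.

```python
"""Check a constructed endpoint inventory against the remote-working
baseline described in the post. Added example; assumptions are marked."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Version floors named in the post, as marketing versions (assumption: the
# inventory records "13.3.1", "8.1", "10" rather than kernel build numbers).
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {
    "ios": (13,),
    "android": (8,),
    "windows": (8,),
}
# Thresholds not stated in the post; assumed for this check.
MAX_PATCH_AGE_DAYS = 30          # "latest updates applied"
MAX_AV_SIGNATURE_AGE_DAYS = 1    # anti-malware "updates daily"


@dataclass
class Endpoint:
    name: str
    platform: str                        # "ios", "android" or "windows"
    os_version: str                      # e.g. "13.3.1"
    last_patched: date                   # date the last OS update was applied
    av_installed: bool = False
    av_signature_date: Optional[date] = None


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.1' -> (8, 1). Parsing stops at the first non-numeric token, so
    '10.0 Pro' -> (10, 0) and an unparseable string -> () (always fails)."""
    parts: List[int] = []
    for token in text.replace(" ", ".").split("."):
        if token.isdigit():
            parts.append(int(token))
        else:
            break
    return tuple(parts)


def assess(ep: Endpoint, today: date) -> List[str]:
    """Return the gaps found for one endpoint; an empty list meets the baseline."""
    findings: List[str] = []
    minimum = MIN_OS_VERSION.get(ep.platform)
    if minimum is None:
        findings.append(f"unknown platform '{ep.platform}'")
    elif parse_version(ep.os_version) < minimum:     # tuple comparison
        floor = ".".join(str(n) for n in minimum)
        findings.append(f"{ep.platform} {ep.os_version} below supported minimum {floor}")
    patch_age = (today - ep.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"last update applied {patch_age} days ago")
    if ep.platform != "ios":   # post: every non-iOS endpoint needs anti-malware
        if not ep.av_installed:
            findings.append("no anti-malware installed")
        elif (ep.av_signature_date is None
              or (today - ep.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS):
            findings.append("anti-malware signatures not updated daily")
    return findings


def assess_fleet(inventory: List[Endpoint], today: date) -> Dict[str, List[str]]:
    """Map each endpoint name to its list of gaps."""
    return {ep.name: assess(ep, today) for ep in inventory}


# Constructed sample inventory and assessment date (not real devices).
TODAY = date(2020, 3, 23)
SAMPLE_INVENTORY = [
    Endpoint("alice-iphone", "ios", "13.3.1", date(2020, 3, 10)),
    Endpoint("bob-android", "android", "7.1.2", date(2020, 1, 5),
             av_installed=True, av_signature_date=date(2020, 3, 22)),
    Endpoint("carol-laptop", "windows", "10", date(2020, 3, 15)),
    Endpoint("dave-laptop", "windows", "7", date(2019, 6, 1),
             av_installed=True, av_signature_date=date(2020, 3, 1)),
]

if __name__ == "__main__":
    for name, gaps in assess_fleet(SAMPLE_INVENTORY, TODAY).items():
        status = "OK" if not gaps else "; ".join(gaps)
        print(f"{name}: {status}")
```

Each non-empty list is a candidate entry for the corrective and preventive actions log the post mentions: the script finds the gap, the management system records and tracks the fix.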

What should I consider for the medium term?

Depending on whether you intend your move to the Cloud to be permanent, the following guidance areas are very useful:

Summary

We’re all reacting to the largest pandemic in over a century, but that doesn’t mean that your certifications should be at risk. Even though organisations will have to act fast, it should be an opportunity to move from mere reactive compliance to proactive governance and change the working behaviours safely for the 21st century. Stay safe everyone, and remember to wash your hands!

Further reading

Further articles I’ve published that may help are:

The importance of a common framework

Looking beyond the hype of the BA fine

The first GDPR fine is in – and it’s not Cyber related!

Is the Cloud forecast getting clearer?