Over the past couple of years, we have seen a great shift in how businesses are run in the United States. According to an article by Forbes, “As of 2023, 12.7% of full-time employees work from home, while 28.2% work a hybrid model” with “98% of workers want to work remote at least some of the time.” Also within this article, it mentions that the “computer and IT sector leads as the top industry for remote work in 2023.” What does this mean for Cybersecurity and Information Security if not only your operational departments are remote, but also your IT teams?

The latest revision of ISO 27001:2022 is now available, and all audits after October 2023 must be conducted against the 2022 standard (DQS is a provider of ISO 27001:2022 certification). The 2022 revision adds controls that cover remote work cybersecurity and new requirements to ensure cybersecurity in the workplace, even if that workplace is your home office. These revisions will ease the minds of executives and management teams, as the revision outlines minimum requirements that can set up a healthy plan for information security.


One example of a requirement in the 2022 revision is that, to be compliant, your organization must have a program for gathering information on information security threats. This helps organizations because IT teams do not set up the work environment of remote employees, so there needs to be a way to track threats and apply the knowledge gained from this work to prevent data security breaches. And by implementing ISO 27001, the organization as a whole will have increased awareness, as it takes continuous buy-in and commitment to stay compliant.


In what ways do individual employees commit to keeping an organization’s data safe while working remotely? Firstly, there is the required cybersecurity training that all newly on-boarded employees receive, with annual refresher training for established employees. This required training, although it may seem tedious to the average employee, does give guidance on what to do in situations where there may have been a phishing attempt, and provides information on new threats, which can help reduce risky behaviors. Then there are practices such as always being connected to the organization’s VPN when working on business-related items, such as contracts, and changing the home router password from its initial default password.


When it comes to traveling with organization devices and personal devices, always keep the devices in view, do not leave them unattended, and do not let them connect to unknown devices or networks over Bluetooth and Wi-Fi, as those connections can deliver threats such as spyware. Before traveling, and on a regular basis, devices should be updated to the latest versions of their software and protections. New threats are created each day, and these updates should be applied regularly to ensure that the devices are best protected.


But what if the threat is not from inside the organization, as with the 23andMe data breach? According to the article on Wired, a 23andMe company spokesperson states: “We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.” Things can always happen, even with the best software and security checks. New threats can come without notice, so what happens next? ISO 27001:2022 outlines how the organization should set up plans for when it is faced with risk. From the moment an issue occurs, these plans are put into action to address concerns, find root causes, fix issues, and more. ISO 27001 does not only include requirements for employees; it also covers post-incident actions and sets guidelines for customers and clients.


So, does this mean that ISO 27001:2022 also works toward protecting customer data and client data? Yes. It means that employees handle the data and information provided by customers with care, but also that the customer needs to do their part to help protect that data. Terms of Service (ToS) and Privacy Policies are not only there to protect the organization from risk but also to help customers prevent risk to their own accounts and information. When a customer interacts with your product or uses your services, they agree to the ToS and Privacy Policies, which may include limits on how the service and products can be used and how the data provided by the customer is used. There may also be additional guidelines on setting up two-factor authentication to best protect data on the customer side. As an organization, even with these agreements in place, you must plan for the unexpected, as not everyone will follow the requirements, and some will find ways around barriers; that could be internal as well as external.


ISO 27001 is the best place to start when it comes to figuring out the best ways to protect information. Building on ISO 27001, there is ISO 27701, and from there other management systems such as ISO 9001 and ISO 45001. We are happy to speak with you about ISO 27001, whether it is your first time implementing the standard or you are looking to upgrade from ISO 27001:2013. We also provide ISO 27001:2022 Internal Auditor Training through DQS Academy to aid in the process. Speak with Sales today by emailing info.hk@dqs.de or using the link below.


Looking for something to provide information security for the automotive industry? We also provide TISAX® certification, along with eLearning for those looking to build an educational basis in TISAX® and for those looking to go deeper into the implementation process.