Topic

Risk & resilience in retail and tourism

Risk management standards are vital to the resilience of retail and tourism organizations. The performance of both relies on the success of their global and complex supply chains, and any disruption to those supply chains can have a detrimental impact on operations. A resilient organization is one that not merely survives over the long term, but also thrives, ready for the future. Discover how our standards can help your business achieve resilience and protect itself from a range of risks.

Managing risk to ensure future success

Learn how standards can help your business recover from disruptive incidents

International business travel: What’s the risk?
Article

Corporate trips, like all travel, halted abruptly when the COVID-19 pandemic shook the world and flights everywhere were grounded. But now, as business travellers begin to hit the road again, the dramatic events of the last year have highlighted just how important it is to be prepared for any eventuality. Every organization that asks people to travel for work can benefit from an improved approach to travel risk management.

A new international standard gives guidance on how to manage the risks to an organization and its travellers undertaking business travel. BS ISO 31030:2021, Travel risk management. Guidance for organizations, aims to promote a culture where travel-related risk is taken seriously, resourced adequately, and managed effectively.

Why is Travel Risk Management Important?

Business trips present an ever-changing risk landscape for organizations to navigate. Organizations need to meet their duty of care responsibilities, comply with any relevant legal and ethical obligations related to travel (across multiple jurisdictions) and have a plan in place to safeguard their staff. It is important to show employees that they are supported by their company when travelling on its behalf.

Employees, whether travelling internationally or domestically, can be faced with unfamiliar situations and environments that have different risk profiles. Risks such as road accidents, disease outbreaks, natural disasters, crime (including cyberattacks), terrorism, and political and social instability can threaten the safety, security, and health of travelling employees and affect the outcome of their business trip. All businesses need to demonstrate that travel decisions are based on their capacity to manage all the potential risks involved. Consequently, travel risk management is a strategic necessity, both in terms of business continuity and organizational resilience, since it demonstrates an organization’s commitment to protecting its employees.

What Does BS ISO 31030:2021 Cover?

BS ISO 31030 is a key tool to help organizations of any size put a realistic and comprehensive plan in place to manage risks and keep their workers safe when on the move. It provides a structured approach to the development, implementation, evaluation and review of travel risk management. The standard covers pre-planning and risk assessment of destinations and travel arrangements, security and information security precautions, challenges to travel logistics, emergency response and more, including:

- Policy
- Programme development
- Threat and hazard identification
- Opportunities and strengths
- Risk assessment
- Prevention and mitigation strategies

What are the Benefits of Implementing a Travel Risk Management Framework?

BS ISO 31030:2021 is the only international standard covering this topic and could be particularly important to organizations as they review their travel risk given the COVID-19 pandemic. This standard can help organizations to:

- Protect personnel, data, intellectual property and assets
- Reduce legal and financial exposure
- Enable business in higher-risk locations
- Enhance reputation and credibility, which in turn can positively impact competitiveness and staff retention and acquisition
- Contribute to strengthening business continuity and resilience
- Demonstrate to stakeholders that robust governance is in place, which may lower insurance premiums and make investors more willing to commit funds
- Enter new markets and accelerate innovation, by giving organizations the confidence to take opportunities they would otherwise miss
- Develop expertise in travel management
- Operate more efficiently and grow sustainably

BSI is also committed to the UN Sustainable Development Goals, with this standard contributing to Goal 3 on good health and well-being, Goal 8 on sustainable economic growth, productive employment and decent work for all, and Goal 11 on making cities and human settlements inclusive, safe, resilient and sustainable.

Wherever your team are in the world, ensure they have access to all your BSI standards in one place with a BSI Knowledge subscription. Becoming a subscriber will give your employees the flexibility and visibility to comply with risk management best practices and your other standards, no matter where their work takes them. Ensure your organization is managing its corporate travel risk effectively by adopting BS ISO 31030:2021 today.
Achieving payment card data security in the retail sector
Article

The Payment Card Industry Data Security Standard (PCI DSS) is the global retail standard for securing payment card data. It is a set of security controls managed by the PCI Security Standards Council (PCI SSC) and developed by a body of experts from the international payment card brands (VISA, MasterCard, JCB, AMEX, and Discover) to help prevent credit card data breaches. This data security standard provides a set of requirements to help protect cardholder data, taking into consideration the people, processes, and technologies involved in payment card processing systems. It focuses on security management, policies, procedures, system configurations, and secure software design.

PCI DSS in the retail sector

PCI DSS in the retail sector is often portrayed as a complex and painstaking endeavour. However, payment processing models, technologies, and the payment standard itself are constantly evolving, as are the ways of achieving compliance. There are methods to de-risk your cardholder data environment (CDE) from card breach, and in doing so the burden of compliance activities is also reduced.

It is no longer correct to think of retail as being traditionally brick-and-mortar based. eCommerce has been with us for so long that the eCommerce channel can now be the precursor of a physical presence, and in many cases generates a greater proportion of revenue than physical stores. Nonetheless, from a PCI DSS perspective, locations, systems, processes, or people that store, process, or transmit cardholder data (CHD) are in scope for PCI DSS. This means that eCommerce, back-office functions, and physical retail stores are often all in scope for PCI DSS.

Why should the retail sector care about PCI DSS?

The answer is simple:

- Your organization is extremely likely to have signed a contract with your acquiring bank mandating that you will be PCI compliant
- Hackers continue to target the retail sector, and retail sector data (particularly eCommerce) is a rich source of data for hackers

Typical attacks observed over the past number of years include a focus on retail, and cover the following:

Physical stores
- RAM scraping malware targeting POS
- Physical card skimmers on card readers
- NFC-based skimmers

eCommerce
- Traditional application layer attacks resulting in a backend database breach
- eSkimming, focusing on eCommerce checkouts
- Remote access attacks on the production networks using combinations of phishing, credential compromise, and password stuffing

Knowing how to store and manage the security of payment card data in line with regulations does not have to be complicated and time-consuming. Our tailored BSI Knowledge subscription service provides flexibility, access, visibility, and control over the standards and insights your team needs to remain compliant and build trust with your customers.

Who does PCI DSS compliance apply to?

Compliance with the PCI DSS standard is mandatory for all organizations that store, process or transmit payment card data, as well as any businesses that may impact the security of a credit card processing environment, such as hosting companies, software developers, and managed service providers. Acquiring banks and international payment card brands may directly request an organization to demonstrate compliance with the standard. That's where we can help, by providing you with an independent validation of compliance to PCI DSS.

There are benefits to being compliant, and drawbacks to non-compliance. The drawbacks of non-compliance include fines, which if left unmanaged can range from 2-6 figures per month per violation. However, if you are compliant at the time of a breach you can avail yourself of safe harbour, i.e. you will not be subject to fines for breach of card data. Fines for a breach are significantly different from fines for ongoing non-compliance and, depending on the scale of the breach and the number of cards stolen, can run into millions of dollars. The organization can also be forced to shut down card processing operations until the breach is contained and the source of the breach remediated. The most common areas which contribute to successful breaches are poor patching regimes, insecure identity and access management practices, and bad software development practices. Download your copy of the PCI DSS standard today.

The key cybersecurity standard

Since their inception in the early 1990s, global information security standards have grown in rigor and recognition. So too have information security threats and the best ways to manage them. BS EN ISO/IEC 27001 helps you implement a robust approach to managing information security (infosec) and building resilience. It advances cybersecurity processes to protect the data of your students and educators alike, and also helps you to continually review and refine the way you do this, not only for today but also to adapt for future innovations.

This standard reflects current best practices for information security management. It provides specific recommendations to help you establish an Information Security Management System (ISMS), monitor its performance, and implement improvements when necessary. It also enables external assessment and certification of an organization’s information security. This standard is not unnecessarily prescriptive, allowing great flexibility in how requirements are satisfied and giving organizations the freedom to implement requirements in a manner best suited to your retail organization. If you’re involved with information security and understand the need to step up your organization’s approach to information management, shop the BS EN ISO/IEC 27000 series of standards today.
A complete guide to keeping your customer's data secure with standards
Article

Digitalization, globalization, and personalization of services, from booking a doctor’s appointment to internet banking, have led to greater collection and processing of personal information than ever before. And this trend is growing as opportunities for new services arise and new players enter the market. There are now so many different platforms people use as part of their daily routine where personal information is collected, such as mobile applications, loyalty schemes, connected devices, and location-based advertising. This means we are regularly handing over our data without thinking it through, creating more data flows than ever before.

And whether it’s dating sites, telecoms providers, or public service organizations, there is barely a day that goes by when you look at the news and don’t see a reference to a data breach where personal records have been compromised. This has only increased the focus on issues surrounding the misuse of personal information, meaning organizations cannot afford to be complacent. Greater awareness of these issues has led to growing concern, among both individuals and governments, around how personal data is collected, used, and protected; in response, some governments have proposed or enacted new regulations aimed at providing guidelines and requirements for the treatment of personal data. Within Europe, the introduction of the General Data Protection Regulation (GDPR) provides harmonization of data privacy laws that reflect the realities of the digital world we now live in. Being able to guarantee to protect your customers’ data makes up a huge part of modern-day customer service.

Why Does Your Organization Need Data Standards?

If your business requires you to store personal data, such as details of customers or employees, then you must comply with the Data Protection Act 1998 and the General Data Protection Regulation (GDPR). The purpose of data protection legislation is to ensure that personal data is not processed without the knowledge and, except in certain cases, the consent of the data subject. It is meant to ensure that personal data is accurately processed, and to enforce a set of standards for the processing of the information. As such it is becoming an increasingly important piece of legislation, affecting the day-to-day operation of almost all organizations.

As the privacy landscape evolves and quantities of personal data multiply, organizations need to protect individual privacy rights. Are you taking full accountability when you process and manage personally identifiable information (PII)? Do you have the right controls, consent, and lifecycle management from collection to destruction? And what about when data is compromised? Building confidence internally and with clients, suppliers, and wider stakeholder groups is critical.

How to Manage Your Customers’ Personal Information

Given the dynamic environment in which we operate, the need for guidance on how organizations should manage and process data to reduce the risk to personal information is getting more important. Guidance, in the form of a new international standard, on how organizations should manage personal information and demonstrate compliance with updated privacy regulations around the world is therefore very powerful. That’s why information management standards have been created.

Which Information Management Standards Can Help You Protect Your Customers’ Data?

For over a century BSI has been helping businesses to drive success through standards. And there are some great best practice frameworks that can help support your organization to address not only EU GDPR but wider information security and privacy requirements. From BS EN ISO/IEC 27001 to BS 10012, we have a range of standards that can help.

BS EN ISO/IEC 27001 Information Security Management

BS EN ISO/IEC 27001 is the internationally recognized standard for an information security management system. It gives you a great foundation framework to address information security risks with appropriate measures and controls. It’s an ideal starting point for any organization that needs to manage and respond to information threats and build resilience. BS EN ISO/IEC 27001 outlines specific requirements and controls that ensure you not only respond to contractual and regulatory requirements, such as EU GDPR, but also put the appropriate controls in place to manage risks to your business information, including personal records. By adopting BS EN ISO/IEC 27001 as your best practice framework you’ll be in a good position to identify your requirements for the EU GDPR, as well as implement appropriate controls and any additional measures required.

BS 10012 Personal Information Management

BS 10012 sets out the requirements for a personal information management system. It ensures you identify and mitigate risks to personal information through implementing the appropriate controls. This standard is written to align with legislation. Originally written against the UK Data Protection Act requirements, BS 10012:2018 has now been revised so that it is more closely aligned to EU GDPR requirements. By using this guidance, along with a robust Information Security Management System (ISMS), you will be in a good position to demonstrate EU GDPR compliance.

BS EN ISO/IEC 27018 Personally Identifiable Information on Public Clouds

BS EN ISO/IEC 27018 is an international code of practice to support managing Personally Identifiable Information (PII) on public clouds. It builds on the general controls described in BS EN ISO/IEC 27002 and is appropriate for any organization that processes PII. BS EN ISO/IEC 27018 ensures you address security issues related to personally identifiable information stored on the public cloud. By using this framework, along with a robust ISMS, you demonstrate your commitment to protecting personal records and can provide the extra reassurance clients require for cloud computing.

Want to have access to all your data security standards in one place? A BSI Knowledge subscription gives you instant access to the resources you need to improve your information security processes. The flexibility and visibility it provides of best practice guidance enables you and your team to get the most from standards, from privacy on the cloud to auditing your information management systems. Build your own custom collection of standards, or opt for access to our GBM24 Information Technology - Software & Networking module and keep up to date with any relevant changes to your information security strategy. Ensure your organization is inspiring trust in customers and complying with regulations by adding these key information protection standards to your collection today.
