Risk & resilience in security systems

Today’s rapidly changing political, socio-economic and environmental landscape has created a climate of disruption and risk that is constantly evolving. Our increased connectivity and dependency on complex, global supply chains and technology increase the risks arising from accidental hazards and human-generated threats. Security standards help organizations work to risk management best practices to ensure future resilience.

Challenging emerging risks with best practices

Learn how standards create a culture of resilience

Data, security and risk: Taking a standards-based approach

Across the globe, the pandemic has had significant social and economic impacts, which have caused long-term changes to working culture and consumer behaviour and have heightened other serious risks for the industry. Amongst these risks, cybersecurity has proved to be one to look out for. During the past few years, reports of cybersecurity incidents and attempted data breaches have increased drastically. The rise of hybrid working and the trend towards the digitization of services, e.g. retail banking, have meant that individuals, businesses and institutions are relying more heavily on digital networks for all aspects of communication and operation. As usual, cybercriminals have been quick to try to take advantage of this greater vulnerability.

Unfortunately for a large organization with a regional, national or even international reputation, a single information security incident can have a significant impact on brand perception and consumer trust. Once data is lost or stolen, even if the breach is caused by a mistake, the consequences can be long-lasting. Organizations risk financial loss, fines and reputational damage. Operations are often disrupted too, and if any intellectual property is compromised, competitors may be able to access critical information and erode a brand’s competitive edge.

The Importance of Information Security Standards

A standards-based strategic approach to information security protocols pays dividends – particularly in uncertain times. It helps larger organizations secure varying operational and geographical priorities, as well as ensuring that an increasingly dispersed and home-based workforce becomes a cybersecurity advantage rather than a risk. Executives can use information security standards to better understand information security risk levels, consulting BS EN ISO/IEC 18045:2020, which outlines a methodology for evaluation, and BS EN ISO/IEC 15408-3:2020, for evaluation criteria and assurance components for IT security.

With benchmarking complete, executives can use BS EN ISO/IEC 27001 to design a bespoke information security management policy. This standard provides a systematic framework to counter an array of evolving cybersecurity threats. Importantly for larger companies, it highlights the requirement for a holistic approach to information security management. Documented, company-wide policies based on international standards will enable leaders to instill the right awareness and vigilance amongst employees. They should prioritize education and training for all, regardless of department.

Other information security standards in the ISO 27000 series are also very helpful – particularly when ensuring that staff understand their responsibilities. BS EN ISO/IEC 27002:2022, for example, provides a code of practice for information security controls, which is useful for corporations with homeworking teams across multiple locations. With a strong foundation in place, executives can then consult BS EN ISO/IEC 27014:2020 for guidance on key concepts, objectives and processes for the top-level governance of information security. It sets out roles and responsibilities for executive management and boards of directors, helping them to make timely decisions in support of their business objectives.

Meanwhile, the proper storage of organizational, customer and stakeholder data is a vital consideration for legislative compliance and reputational safety. Cloud-based services are ubiquitous, and every company should have specific storage policies. Thankfully, there are some well-established standards for managers to use in this area. BS ISO/IEC 27017:2021 provides enhanced controls for both cloud service providers and their customers. This is important when defining precise roles and responsibilities and ensuring that all cloud storage relationships are as secure as possible.

Legislation around personal data, and its secure management, has made the headlines in recent years, with the introduction of regulations like GDPR in Europe. BS ISO/IEC 27701:2021 provides a common set of concepts with which organizations can tackle personal data protection and better demonstrate compliance. The standard works as a privacy extension to BS EN ISO/IEC 27001 and 27002, outlining how to establish and run a privacy information management system (PIMS).

Beyond this, modern supply chain operations demand secure information exchange and storage capabilities to maintain trust and confidence between partners. Organizations can use BS ISO/IEC 27036-1:2014, which provides an overview of information security within supplier relationships, and BS ISO/IEC 27036-3:2013, which outlines related guidelines for supply chain security.

All the information security standards highlighted here underscore the importance of frequent monitoring, benchmarking and continued improvement. Effective information security is an ongoing process, and no organization can afford to become complacent – the nature and complexity of external threats are constantly evolving. Implementing international standards demonstrates an organizational commitment to the highest levels of information security. This is vital in the current climate of uncertainty and tentative economic recovery. A standards-based approach enables companies to mitigate risk and reduce the overall impact in the event of any incident.

The BS EN ISO/IEC 27000 series and over 100,000 more internationally recognized standards are available with a BSI Knowledge subscription, which can help build a culture of digital trust in your business. Our tailored subscription service provides flexibility, access, visibility and control over the standards and insights your educational institution needs to achieve cybersecurity. Build your own custom collection of standards and keep updated with any relevant changes to your cybersecurity strategy. Ensure your organization is implementing information security management best practices by adding these information security standards to your collection today.
How do we protect privacy while accessing the benefits of surveillance technology?

The scope of surveillance has broadened over the years to include an electronic data trail that can reveal almost every aspect of our lives. Social media platforms, for example, are likely to know a great deal. Your age, employer, relationship status, likes, dislikes and location are just the start. Vast amounts of data build a very clear picture of your lifestyle and behaviours. Data protection law has developed to address the privacy implications, but there are still ethical and legal considerations for organizations to negotiate. So, what do we really mean when we talk about ‘surveillance’ today? What are the implications for organizations that overstep the mark? And can standards help navigate the complexities of balancing privacy and surveillance?

The current state of surveillance

The term ‘surveillance’ is now about much more than video cameras capturing our image on the street. In our daily lives, we leave data trails everywhere:

● Electronic payment and banking information
● Browser search history and social media content
● Medical records
● Mobile phone tracking information and call records

While some of the above might not be considered ‘surveillance’ in the traditional sense, it comes with many of the same ethical and security considerations. Governments in some countries have now ordered their employees to remove TikTok from work devices over surveillance fears.

Surveillance technology is also increasingly finding its way into the workplace. Employee monitoring software on home computers became much more common during the pandemic. Some companies went as far as using webcams to monitor employees working from home. Non-desk-based employees can also be monitored. Amazon requires its delivery drivers to download an app that monitors their driving behaviour on the road.

It’s not just cutting-edge data collection that is changing the face of surveillance. Traditional solutions, augmented by newer technology, are also influencing the privacy and surveillance debate. For example, while we have had CCTV in the UK for decades, there are growing concerns over the privacy implications. London is now home to almost one million CCTV cameras, capturing the average resident 70 times per day. Combine this with advances in technology – particularly AI and machine learning enabling facial recognition – and there is renewed debate about their role in society. In his annual report, presented in February 2023, the Biometrics and Surveillance Camera Commissioner called for more legislation and guidance around the usage of facial recognition technology.

The balance between privacy, protection, and productivity

None of us want to spend our lives being watched, but on the other hand, surveillance technology provides clear commercial benefits if used thoughtfully. For example:

● Deterring crime
● Gathering information that can protect a company’s reputation against complaints
● Identifying unsafe driving practices
● Enabling IT teams to check that staff are using up-to-date security software and best practice

While it’s clear that surveillance technology is a feature of modern life (providing genuine benefits if used ethically), companies need to tread carefully. Overzealous use of surveillance technology can in some cases do more harm than good. Pitfalls include:

1. Lack of trust
While employee monitoring is technically legal in the UK, it can contribute to a toxic workplace characterized by mistrust. According to one study, more than half of employees would consider quitting if monitoring software was implemented.

2. Reputational harm
The independent grocery group Southern Co-operative was singled out by the privacy group Big Brother Watch. Its use of facial recognition technology in 2022 was dubbed ‘Orwellian’ and ‘unlawful’.

3. Legal considerations
Data law seeks to balance safety, security and privacy. GDPR is the main source of law, although the UK is replacing this with fresh legislation following Brexit. The Data Protection Act 2018 also sets out the principles that employers need to follow if they want to monitor their employees.

How can security standards and surveillance standards help?

To avoid surveillance technology doing more harm than good, organizations need to think carefully about the strategy and technology employed. Standards can provide best practice for rolling out technology and using it ethically. Useful standards include:

● BS 16000:2015 Security management. Strategic and operational guidelines – provides a generic, high-level security management framework, including the use of CCTV.
● BS ISO/IEC 30137-4:2021 Information technology. Use of biometrics in video surveillance systems – Ground truth and video annotation procedure
● BS 8593:2017 Code of practice for the deployment and use of Body Worn Video (BWV)
● BS 7958:2015 Closed circuit television (CCTV). Management and operation. Code of practice – provides recommendations for the management and operation of CCTV within controlled environments where data, which might later be offered as evidence, is received, stored, reviewed or analyzed.

There is clearly an important role for surveillance technology, but it is equally true that organizations need to carefully assess the benefits against potential reputational and legal risks.

Discover BSI Knowledge

Over 100,000 internationally recognized standards are available for simple and flexible access with a BSI Knowledge subscription. Our tailored subscription service allows you to build your own custom collection of standards or opt for access to one of our pre-built modules, keeping you up to date with any changes. With support from a dedicated BSI account manager, our subscription service helps you achieve a more coherent and effective approach to best practice.
Celebrating the outreach of information security management standards

BS EN ISO/IEC 27001 is the high-profile, best-selling international information security management system (ISMS) standard. It is recognized as the common international language that facilitates many opportunities for growth, trade and harmonization across all market sectors and with national governments. The standard has also become a game-changer for many organizations that seek to demonstrate conformance to international information security management requirements – it gives an organization the opportunity to have its ISMS independently assessed and certified. ISMS certification provides trust, assurance and confidence to business and trading partners, governments and consumers.

Evolution from a British to an international standard

The evolution of BS EN ISO/IEC 27001 has spanned more than thirty years, from the time it was a British Standard (BS 7799-2 Information security management – Code of practice for information security management, in 1997) to its progress through ISO as BS EN ISO/IEC 27001 (first published in 2005). Under the leadership of Dr Edward Humphreys (ISO/IEC Convenor) and the collective energy of the international community of experts, a business-oriented standard for top management was created and maintained for international use. As is normal practice, BS EN ISO/IEC 27001 has been regularly reviewed and revised over three editions (2005-2022) to ensure the standard remains up to date with the needs of business today, incorporating improvements so that it continues to deliver trust and assurance in the organization’s ISMS.

Celebrating international cooperation

The development and maintenance of BS EN ISO/IEC 27001 has been a truly global project which has brought together professional experts from many National Standards Bodies (NSBs) and Liaison Organizations (LOs) around the world. The combined global expert opinions and contributions voiced the needs of the global market and its stakeholders, building a standard that is internationally recognized and acclaimed as the leading standard in the field of information security management. The ISO group SC 27/WG 1 has championed the BS EN ISO/IEC 27001 project under the leadership of Dr Humphreys and the international team of world-class experts – from the time BSI submitted its standard BS 7799-2 into ISO in the early 21st century until today. BSI is to be applauded for its evolution of the initial standard, through to the take-up and global outreach by ISO and its international partners.

On behalf of the international community, there is much to celebrate in marking the success of BS EN ISO/IEC 27001 – effective management of cyber risks and organizational information assets, giving global business a safe option and allowing international trade opportunities to flourish, and providing international certification across all market sectors. This international cooperation is a most noteworthy achievement of ISO, IEC and their members.

Global outreach and benefits

The impact of BS EN ISO/IEC 27001 has been a global sensation, having influenced both public and private businesses and industries alike, giving them protection to support their growth, development and investment. BS EN ISO/IEC 27001 is also being referenced in laws and regulations in many countries and in commercial contracts, as something mandated or highly recommended. It can be used as a business tool for providing resilience against cyber-attacks, giving wide protection for the confidentiality, integrity and availability of information and protecting from cyber risks. Today the BS EN ISO/IEC 27001 concept has grown into a set of international standards commonly called the BS EN ISO/IEC 27000 series, which encompasses the standard itself and supporting standards and guidance for BS EN ISO/IEC 27001.

An international certification success

This year, 2024, is the 25th year of BS EN ISO/IEC 27001 accredited certification. Over these 25 years, certificates awarded in conformance with BS EN ISO/IEC 27001 have been issued to over 500,000 organizations in over 91 countries. Congratulations are due to all those involved over these 25 years, with a big thanks going to BSI and the UK government for their vision and support. A more in-depth narrative of the history of this development is given in three articles published in the SC 27 Journal Vol. 2 Issue 01 2022: ‘The Voyage of 27 Thousand and One’, ‘BS 7799-2 to ISO/IEC 27001’ and ‘Hall of Fame, World of ISMS’.

Watch the video series

To help you better understand the history and future of the BS EN ISO/IEC 27000 series, BSI has interviewed 5 industry experts to go through the development and benefits of this global standard:

● The Evolution of ISO/IEC 27001: 30 Years of Information Security
● Explore How BSI Leads Cybersecurity Innovation in the UK
● BSI's Global Leadership in Cybersecurity Standards
● Top Benefits of ISO/IEC 27001 for Your Business
● Navigating the Intersection of Cybersecurity and AI with BSI

Discover BSI Knowledge Subscriptions

Being able to effectively manage personal information not only helps your business avoid large fines for data breaches but also helps you gain the digital trust of your stakeholders. With a cost-effective BSI Knowledge subscription, you will have the flexibility and visibility to manage the essential standards you need all in one place, to work confidently and embed a culture of reliable privacy management. Build your own custom collection of standards, or opt for access to pre-set modules, and keep up to date with any relevant changes to your standards strategy.