Cyber Security in the Context of Information Security

Cybersecurity encompasses a range of measures designed to counteract technological threats and vulnerabilities, utilizing a variety of strategies and tools to prevent or minimize their impact. The frequency of cyberattacks and data breaches has become alarming, with reports of security incidents dominating the headlines.

A critical component of cybersecurity is data security, which prioritizes the protection of an organization's sensitive information from both unintentional and deliberate exposure to unauthorized entities.

An ISO27001 Information Security Management System (ISMS) is a set of policies and procedures organisations implement to manage information risks such as cyber-attacks or data theft.

Information Security Management is a critical aspect that every business should consider. A key example demonstrating the devastating impacts of information leaks on businesses is TikTok’s data breaches. According to Business of Apps (Apr 18, 2024), TikTok generated an estimated $16.1 billion in revenue in 2023 and had 1.5 billion monthly active users in 2023. It was further stated that Tiktok’s user base is expected to increase to 1.8 billion by the end of 2024. TikTok has been downloaded over four billion times.

The financial and social implications of TikTok being banned due to a lack of trust with regard to information security would be catastrophic for both the company as well as the many users that use the platform for either their personal or business interests.

It is evident that an Information Security Management System is not a cost to a business but an investment into a business.

ISO 27001 certification demonstrates a company's commitment to information security but will only be effective in achieving its intended purpose if the system is effectively implemented.

In the case of TikTok, the scope of the system should include data handling on all global operations. Geopolitical considerations should be taken into account as TikTok’s data breach controversy stems from geopolitical tensions between the US and China.

Certification of the system adds credibility to the organisation but ultimately the effectiveness of this system depends on proper implementation, governance and continuous monitoring of the system.

Further to the implementation of ISO27001, ISO27002 provides a set of information security controls and implementation guidance based on internationally best-recognised practices. The ISO27002 standard comprises of organisational controls, people controls, physical controls and technology controls.

Moreover, ISO 27701 could have helped mitigate the risks associated with TikTok's data transfer to China. This standard focuses on:

1. ISO 27701 builds upon the ISO 27001 framework, introducing privacy-focused controls to safeguard personal information and ensure its secure management.

2. The standard offers guidance on implementing measures to protect and manage personal data, including secure cross-border data transfers and adherence to data protection regulations.

3. ISO 27701 stresses the significance of obtaining explicit consent, upholding the rights of data subjects, and promoting transparency in data handling practices to foster trust and accountability.

4. The standard advocates for integrating data protection principles and controls into an organization's processes and systems, adopting a proactive approach to privacy and security.

5. ISO 27701 provides detailed guidance on securing personal data during transfer and storage, including the use of encryption, anonymization, and pseudonymization techniques to minimize risks and protect sensitive information. By implementing ISO 27701, organizations can demonstrate their commitment to robust privacy information management, reducing the likelihood of data breaches and unauthorized data transfers. However, it's crucial to recognize that certification is only the starting point, and ongoing monitoring and adaptation to evolving threats and regulations are essential for maintaining effective privacy and security controls.

These standards combined, provide a robust framework for information security management taking into account a comprehensive approach to data security and privacy, geopolitical considerations, and continuous monitoring.

GRC Link offers 2 software offerings to mitigate your information security threats. These are namely, MSXCyber and Hakware.

The MSXCyber solution allows you to see a holistic view of your ISMS while enabling you to make better decisions on real-time data. It further provides an integrated approach for managing, reviewing and improving information security risks to achieve business objectives. This is a fully paperless web-based software solution that integrates with ISO27001 and other management systems. The main benefits of MSXCyber include protecting your assets and reputation, complying with the latest regulatory requirements, minimising penalties and losses associated with data breaches, gaining a competitive market advantage and enhancing security audit practices.

Hakware is an Artificial Intelligence base Pentesting and Vulnerability Assessment Tool. Hakware allows you to identify vulnerabilities before cyber criminals do, by simulating an external attack the same way a pentester or threat actor would. We cover 34 attack vectors, deep/dark web monitoring, 365 Tenant auditor and our new cloud manager integrates directly with Microsoft Azure and VMware.

Should you require assistance in terms of the above or any other ISO related service, please do not hesitate to contact us directly.

E-mail: mishael@grclink.online

Tel: +27 83 406 7772