ISO security standards build trust in online public engagement
As governments continue to engage and activate their communities online, a focus on cybersecurity and privacy is needed to ensure you build and sustain your citizens’ trust. Before engaging a technology partner to help you connect with online communities, you will need to evaluate how secure and robust their platform is.
How do you compare online platforms? How do you know whether the platform “walks the talk” when it comes to a commitment to security and privacy of the data stored within? Do they conduct regular tests to ensure security? Do they work on improving their systems and processes on a continuous basis?
Enter the ISO/IEC 27001 standard. ISO 27001 is an international standard published by the International Organization for Standardization (ISO), and it describes how to manage information security in a company. Certification is obtained through an audit by external, internationally-accredited organizations. The ISO is an independent, non-governmental international organization that “brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges”.
An organization that has achieved ISO 27001 certification has been thoroughly evaluated by a third-party auditor for the following criteria:
ISO Security Standards:
Senior Management Commitment to Quality
All ISO certifications are contingent upon achieving high quality standards and practices as well as continuous improvement. Maintaining certification requires significant time, resources and personnel to review and assess all processes and minimize risk on a continual basis. It is a significant indicator of senior management’s commitment to quality.
The ISO 27001 process requires frequent management reviews to be conducted. These in-depth reviews allow leadership to allocate budgets and resources adequately, and track projects’ quality on a regular basis.
Information Security Management System
Organizations need to establish a comprehensive Information Security Management System (ISMS) with leadership authorization. This is a set of policies and procedures for systematically managing the collection, storage and processing of personal and sensitive data. The goal is to minimize risk and ensure business continuity by pro-actively limiting the likelihood and impact of a security breach.
The ISMS needs to define the framework for how information security objectives are managed within the organization, by whom and how often. It must be communicated to internal and external interested parties with all employees trained on the policies and procedures outlined.[s1] The ISMS needs to be continually reviewed with a view to improvement; staying on top of the latest security trends and threats.
Risk Assessment and Controls
Prior to an ISO accreditation, an organization will need to submit detailed documentation that depicts a thorough risk assessment conducted on the company’s Information Management Systems.
Ideally, a Security Officer needs to be designated within the organization to spearhead this cross-functional team effort. This core team will need to meet with all internal stakeholder teams in charge of handling data and map out potential risks to the security of the data or the systems at each stage. Risks are then managed within a risk register with each risk categorized as high, medium or low. A clear plan of action should be drawn up with controls defined to address said risks with timelines and specific designated team members responsible for implementing the controls defined.
Procedures and Adequate Training
All quality and security processes will have to be documented within the ISMS as detailed procedures and adequate and regular training will have to be provided to all levels of the organization. Employees can be trained in-person through instructor-led courses and/or e-learning modules based on their seniority and the level of access they have to sensitive information and technology. Employee awareness about ISO and the company’s procedures will need to be tested and measured on a regular basis.
Robust Internal Audit Program
ISO certification will require an external audit by an internationally-certified body. Additionally, organizations will require a robust internal audit program on a continual basis to ensure compliance to quality standards and procedures.
Internal audit reports should be generated and shared with key stakeholders including senior leadership. These internal audits are conducted with an intention to see if defined procedures are robust and if they are being followed. This way, any gaps in the system can be addressed and employees will be more forthcoming with their challenges and identified issues.
Continuous Improvement through CAPA – Corrective Action Preventive Action(CAPA)
Any issues or gaps in the quality processes due to employee non-compliance or a risk identified in an internal or external audit need to be addressed. This is done through an organization’s Corrective Action Preventive Action (CAPA) procedure.
A CAPA process requires a strong root cause analysis approach for tackling issues identified as well as regular monitoring of solutions implemented, to ensure effectiveness. Periodic leadership review of issues resolved via the CAPA process as well as lead-time to CAPA resolution is also a requirement to ensure that continuous improvement is driven as a culture throughout the organization. Particularly in our field of work where citizens and governments connect, data security is of utmost importance. As a best practice, the CAPA process is evaluated regularly to ensure it is relevant and is effective in addressing the right issues.
It’s essential that organizations that handle personal data about their communities and citizens have an obligation to treat the security of data that has been entrusted with them as their highest priority and to demonstrate their compliance to the highest standards relating to data security.
An ISO 27001 certification is an internationally recognized information security standard awarded to organizations that implement robust procedures and policies to manage the security of their data. International quality standards can go a long way in gaining your citizens’ trust in their online public engagement platform.