Business vs. The Weather: The Availability Problem

December 22nd, 2009 by

Recently my neck of the woods has been taking a bit of a beating from the weather gods. First it was the rain, which flooded part of the town I live in and all but destroyed a couple of towns nearby. This week it’s been snow, which has reduced the main roads in and out of my home town to a complete standstill at some times, and an outright deathtrap at others.

Happily, having a member of staff, or even several members of staff, trapped by the weather has little or no impact on ITG’s continuing operation. Why? Because we operate an Information Security Management System to the ISO27001 standard. We are prepared.

“Hang on Phil,” I hear some of you say, “ISO27001 is about security. How does that help when all your staff are watching the flood water carry their cars over the horizon, or locked indoors wondering if the supermarket delivery driver will be willing to brave a nine foot snowdrift to bring them their tea bags and value brand chicken kievs?”

The answer is simple: ISO27001 is about “security” in its broadest sense. To be specific, ISO27001 is concerned with the Confidentiality, Integrity and Availability of assets. What’s an asset? According to the standard, anything that has a value to the organisation. That includes me, and so the company have taken steps to ensure my Availability as an asset, whatever the weather.

“Great,” I hear some of you say again, “so if we want to go for ISO27001 we have to spend a fortune on making sure all our staff can work from home in case our head office gets hit by a freak hurricane or something.”

No. That’s the great thing about ISO27001; everything is Subject To Your Risk Assessment. The standard isn’t interested in forcing you to spend a fortune on controls you’re highly unlikely to need. Instead, working to the standard helps you identify those parts of your business that might be affected by things like freak weather, and (perhaps with a little bit of research and maybe some help) allows you to take measured, practical steps to make sure that such events won’t turn into a complete disaster.

The benefits of ISO27001 don’t just stop at Confidentiality; the standard can be used to help any organisation achieve a good level of resilience without spending more than is needed. If you’re interested in knowing how it would work for you then feel free to get in touch. Oh, and whatever the weather where you are, have a very Merry Christmas and a Happy New Year.