Archive for the ‘Data Protection’ Category

Book a FREE Compliance Surgery at InfoSecurity Europe 2014

April 10th, 2014 by

Infosecurity Europe is the most important date in the calendar for information security professionals across Europe. Taking place at Earl’s Court in London, Tuesday 29 April – Thursday 1 May, the event will feature over 325 exhibitors, approximately 13,000 visitors and a diverse range of new products and services.

IT Governance will be at Infosecurity Europe (Stand F103) and we would like to offer you the opportunity to set up a 1:1 meeting with one of our expert consultants.

Make the most of your time at the event and reserve an appointment with an IT Governance specialist by booking a FREE 15-minute expert compliance surgery.

Our team of experts will help you to understand and make progress with:

  • ISO27001
  • PCI DSS compliance/completing self-assessments
  • Data Protection Act (DPA) regulations and responsibilities
  • ISO22301 Business Continuity Management Systems
  • ITIL/ISO20000 IT service management compliance
  • NHS N3/IG toolkit submissions/self-assessments
  • European directives (e.g. European e-Privacy directive).

Compliance surgery appointments are accessible to all Infosec visitors and are available throughout the full three days, at a time convenient for you.

Book your FREE 15-minute session today:

Telephone:   0845 070 1750

Germany suffers biggest ever data breach in its history

April 7th, 2014 by


There are numerous records that many wish to break, but the latest data breach isn’t one of them. German officials have recently confirmed that police in northern Germany uncovered a large amount of stolen email addresses and passwords (18 million).

For those with a keen interest in data breaches, you’ll remember that it was just three months ago that Germany suffered a similar data breach involving 16 million records.

The credentials are believed to still be in active use and have been used for online purchases, because the victims reused the same password across several online accounts.

Sources claim that three million of these records belong to German civilians.

This breach sheds further light on the need for better data protection in organisations, and much better password habits amongst civilians.

The 5 most common types of data stolen

March 18th, 2014 by

Cyber attacks have become a regular occurrence in the last few years; in fact, you can’t turn the news on without some mention of a business suffering an attack. Most attacks are fuelled by criminals looking to steal valuable information, but what type of information is being stolen?

According to a report by Veracode, the top 5 types of information that are stolen are:

Payment Data

No surprises here of course. Card payment data is a very attractive form of information for cyber criminals to steal. Card data provides quick access to money in multiple ways, such as siphoning the victim’s account, using their card for purchases or selling it on the black market.

Selling and purchasing card payment data online is terrifyingly easy, so easy in fact that you could have bought several card details in the time it’s taken you to read this far.

Authentication Details

Details that allow authorised access into online systems are very valuable on the black market. Imagine the price tag on login credentials for the email address of a celebrity, or the president of an international bank.

Unfortunately, humans are subject to bad habits such as using the same password for several online accounts. So if cyber criminals manage to get hold of your Facebook password, then they will most likely be able to log in to any of your accounts.

Copyrighted Material

Why would a cyber criminal pay for software when they could just steal it? With most websites being vulnerable to attack, a cyber criminal could in theory steal any software they fancy, costing organisations a large sum of money.

Medical Records

Thieves could sell your stolen personal health information on the Internet black market, use your credentials to obtain medical services and devices for themselves and others, or bill insurance companies for phantom services in your name.

Medical ID theft is worse than financial identity theft, because there are fewer legal protections for consumers. Many victims are forced to pay out of pocket for health services obtained by the thieves, or risk losing their insurance and/or ruining their credit ratings.

Classified Information

Depending on how you define classified, this could include information such as your organisation’s top secret product idea or the code for your security door. Either way, if it’s labelled classified then you don’t want it to be in the hands of cyber criminals.

Protecting this information

There is a high chance that the five forms of information listed above can be found on your organisation’s network, so what are you doing to protect it?

What you should be doing is carrying out regular vulnerability assessments of your network to identify where you are vulnerable. After a vulnerability assessment is carried out, you should be conducting a risk assessment to identify the critical components which, if compromised, would have a high impact on the organisation. Finally, these systems should then be penetration tested to identify whether they are exploitable and what the impact would be.

IT Governance is currently running a 20% discount on its CREST-accredited pen testing services if booked before 28 March 2014.

Cyber War has already started! (The Criminals just didn’t tell you.)

March 17th, 2014 by

Aerial assault


This post is about why you should book a place at our Cyber War London Event:

Event: ISO27001:2013 and PCI DSS V3: new Standards in the Global Cyber War (Churchill War Rooms, London, 8 May 2014)

If you are a C-Suite manager and you care about your organisation’s reputation, commercial advantage, share price and the cash in the bank… then I recommend that you join us in the bunker. [SFX: Air Raid Sirens] Read on…

Cyber War will not start at Midnight… it’s raging now. Are you in the fight?

Shocking though it is to report, the growing number of organised gangs and rogue states behind the escalation of cyber crime did not issue a media announcement before hacking into the systems of profitable businesses.

Global hacking without declaring a State of War? How jolly unsporting!

After all, you’re not meant to go around the Maginot Line. We’ve spent billions building firewalls and routers, installing intrusion protection and SIEM software, and now they are evading our best efforts by simply attacking us on the Cloud and infecting the CEO’s BYOD at home. Cheats!

Windows XP support will end: which organisations are actually ready?

The fact is, war on the internet is not due to start at midnight on a future date, like the one on which Microsoft finally withdraws patch updates for Windows XP (8th April 2014) – even though there are still ATMs that are running this stable and much-loved Operating System from a different age.

I’ve just bought Windows 8.1 myself. I realise that I was clinging to the technology that I knew. It’s actually quite good so far, despite bad press. That’s the trouble though, isn’t it? Our perception wanes as we grow a bit older. We want to fight the last war, not this one. It’s a natural mistake for all politicians, business leaders and organisational decision-makers to make.

Even in the mid-1930s the Royal Air Force’s front-line fighters were biplanes, little different from those employed in the First World War. The rearmament programme enabled the RAF to acquire modern monoplanes like the Hawker Hurricane and Supermarine Spitfire, such that sufficient numbers were available to defend the UK in the Battle of Britain in 1940 during the early stages of World War II. In the British Parliament, the case for rearming was championed by the man who later came to lead the nation in a time of total war: Sir Winston Churchill, whose Cabinet War Rooms we will be commandeering (courtesy of the Imperial War Museum).

Thursday, May 8th, 2014: a date that will go down in your company’s history?

At 09:30 on May 8th, our event will begin. After an introduction by our Executive Chairman, Alan Calder, our keynote speaker, Neira Jones, will begin speaking on the subject of:

“The Global Cyber War: Using ISO27001:2013 and PCI DSS Version 3 to drive business, cost and security improvements”.

Her point will be that security isn’t necessarily a cost; it can be profitable to think in terms of protecting your own and your customers’ private data.

In the course of the day other cyber security experts, including UKAS technical advisor on Information Security, Steve Watkins, Bridget Kenyon, the Head of Information Security at University College, London, and Geraint Williams, a QSA and leader in the field of PCI DSS compliance, will explain what your organisation needs to do to protect its confidential data and achieve ‘cyber resilience’ – the cyber age equivalent of ‘Business As Usual’.

What can we do about Cyber Security – assuming that we are not doing it?

I sympathise with the C-Suite and senior IT managers over this question. There are as many answers as there are suppliers of software, hardware, technical services, consultancy and the gamut of training options out there.

Not surprisingly, everybody with a vested interest is claiming that they have the weapons that you need to defeat the terror of the cyber criminals. The noise from their marketing campaigns, strident ‘fear, uncertainty and doubt’ messaging and loud calls to action are in danger of defeating us all.

But wars are not won with new weapons alone. Technology often tips the balance in favour of one side or the other, just as a well-trained army with a high level of morale has a better chance of overcoming a poorly-prepared and frightened group of raw recruits. But in the end, the winners in the game of war are more likely to be those that understand the need for their people, processes and technology to work in a coordinated, strategic way.

So what measures should we be taking to protect our business interests?

First: think ‘People, Process and Technology’. (Note: not just Technology).

Second: do not fall into the trap of thinking that your organisation is too low-profile/small/not in an ‘at risk’ business sector to be a victim of crime.

Cyber attackers seek out vulnerabilities: if your system has them, attackers will exploit them. Sooner or later (and it may already have happened), you will join the burgeoning list of enterprises that have suffered a security breach.

Would you like to book your place? The cost is only £45+VAT.

For just £45 you could receive some of the best advice that you will hear in your career: advice that could help you to resource where needed, train staff across your organisation, and put in place procedures and controls to enable you to manage cyber security in line with HM Government’s advice.

In Churchill’s words:


Book your place now

Want our expert help, but can’t make this date? Then…

Read our page on Cyber Health Checks – find out if you need to close gaps in your own cyber security to be compliant with the Cyber Hygiene Profile.

*  *  *  *

If you would like to find out more about ISO27001:2013 and how to set up and run an Information Security Management System (ISMS) to help you comply with PCI DSS Version 3.0, talk to our consultants on 0845 070 1750.

Bookmark this page as well!


Save up to 30% on your training with the IT Governance 3-Course Training Passport

March 11th, 2014 by

As the end of the financial year approaches, IT Governance is pleased to announce an offer that will enable you to get the most from your remaining training budget. The IT Governance 3-Course Training Passport provides delegates with complete flexibility and guaranteed booking dates at a significantly lower cost than normal: if you book by 28th March you will save up to 30% on the listed course prices.

Our courses offer a unique opportunity to develop the knowledge required to implement and audit key IT-GRC standards and best practices, including ISO27001, ISO22301, PCI DSS, ISO20000 and COBIT® 5. Compliance with these standards and frameworks will not only strengthen and streamline your existing business practices, but also give you the competitive edge you need to win more business.

Visit the IT Governance 3-Course Training Passport webpage for more information about the offer or read on to find out how booking just three training courses can help your organisation.


ISO27001 is the best-practice specification that helps businesses and organisations throughout the world to develop an Information Security Management System (ISMS), a systematic approach to managing confidential or sensitive corporate information so that it remains secure. An ISMS helps you coordinate all your security efforts (both electronic and physical) coherently, consistently and cost-effectively, enabling you to improve your existing management approach to information security, and assuring your suppliers, customers, stakeholders and staff that you are following fully-auditable best practice.

The 3-Course Training Passport package will enable you to plan, implement and maintain an ISMS compliant with ISO27001. Courses include:

With these three courses, your implementation team will learn all it needs to deliver and maintain a successful ISO27001 project in your organisation. All courses are fully up to date with the requirements of the new ISO27001:2013 standard and all support career development with the award of IBITGQ qualifications.

Book these three courses together with the 3-Course Training Passport and save 20%.


ISO22301 sets out the requirements for a Business Continuity Management System (BCMS), compliance with which will ensure that your organisation is best prepared for a disruptive incident and, more importantly, is able to return to business as usual as quickly as possible after an incident. An ISO22301-compliant BCMS will protect your organisation’s turnover and profits by ensuring its preparedness for unplanned disruption, and will reassure stakeholders that best practice is being followed and that the organisation is committed to its supply responsibilities.

The 3-Course Training Passport package will enable you to plan, implement and audit compliance with ISO22301. Courses include:

With these three courses, your implementation team will learn all it needs to deliver and maintain a successful ISO22301 project in your organisation. All courses support career development with the award of IBITGQ qualifications.

Book these three courses together with the 3-Course Training Passport and save 16%.

COBIT/IT governance

COBIT® (Control Objectives for Information and Related Technology) is an IT governance control framework developed by ISACA which helps organisations meet business challenges in the areas of regulatory compliance, risk management and aligning IT strategy with organisational goals. COBIT® 5 (released in early 2012) is the latest iteration of the framework, and incorporates the governance activities of ISO38500 and other ISACA frameworks.

COBIT® has helped organisations around the world to bridge the gaps between control requirements, regulatory compliance and business risks and to significantly increase the value of their investment in IT.

The 3-Course Training Passport package will enable you to plan, implement and assess the effectiveness of COBIT® 5 best practice. Courses include:

With these three courses, your implementation team will learn all it needs to deliver and maintain a successful COBIT project in your organisation. All courses support career development with the award of APMG qualifications.

Book these three courses together with the 3-Course Training Passport and save 20%.

Visit the IT Governance 3-Course Training Passport webpage before 28th March to use your training budget in the most efficient way and start the new financial year in the best possible business position.

The Internet of Things – a new cyber crime target

February 10th, 2014 by

As we enter the era of the Internet of Things (IoT), our homes are becoming increasingly populated by devices that are connected to the Internet in order to share information with each other and the external world more easily. Ranging from smart phones and smart TVs to motor-cars with 4G and Wi-Fi, from automated household appliances to sophisticated business tools, these web-connected smart devices are collectively known as the Internet of Things. According to a Cisco report, it’s predicted that 50 billion objects worldwide will be connected to the internet by 2020.

The benefits that the Internet of Things can bring are numerous, but so are the concerns that it can facilitate cyber attacks. According to a Proofpoint report on cyber attacks, cyber criminals are beginning to target home appliances and smart devices, which has significant implications for device owners. These Internet-connected devices are easier to hack because they don’t have robust security measures, such as strong passwords, in place, so they are easier to infiltrate and infect than PCs, laptops or tablets.

Organisations using the Internet of Things can see huge benefits such as greater efficiency, lower costs, improved services, greater accessibility to information, increased employee productivity and higher customer satisfaction. But although there are numerous benefits, organisations face grave risks such as espionage, corporate and personal data breaches, theft of intellectual property, and attacks on infrastructure components, because these components are more exposed to the internet. Manufacturers of smart devices should start focusing on building more secure tools for organisations and individuals, and organisations should implement robust measures to secure their infrastructures and business information.

According to an ISACA report on how European IT professionals perceive the Internet of Things, 27% stated that the risk outweighed the benefits. 39% of respondents said that increased security threats were seen as the biggest governance issue, followed by data privacy at 26%.

European Internet users are very concerned about cyber security. According to the Eurobarometer report carried out by the European Union in 2013, 28% of Europeans don’t feel safe when simply browsing the Internet and carrying out online transactions. The main fears among European Internet users are that personal information is not kept secure by websites and organisations, and that banking information can be stolen and bank accounts hacked while transactions are carried out. 84% use the internet for email access, 50% for commercial transactions and 48% for online banking. The heaviest users are the Swedish, Dutch and Danish respondents, but they are also the ones who feel better informed about cyber crime and cyber security. In contrast, the Romanians, Hungarians and Portuguese are less likely to use the internet for e-commerce and feel less informed about cyber security, and as a result are more concerned.

With a robust Information Security Management System (ISMS) in place, customers and clients will feel more secure when making online transactions, will build trust towards organisations and will experience greater customer satisfaction. IT Governance EU thinks that cyber security training courses are necessary for individuals and organisations in countries like Portugal, Hungary and Romania in order to raise awareness of cyber security risks. ISO 27001 ensures organisations are protected from information risks and threats which could otherwise lead to reputational damage, financial repercussions and the loss of assets. The ISO27001 Certified ISMS Foundation Training Course is an introductory training course which raises awareness and builds information security knowledge. For those who need an advanced level of training to deliver information security management to an organisation, we recommend attending the ISO27001 Certified ISMS Lead Implementer Online, which is designed to give comprehensive and practical advice for implementing and maintaining the requirements of ISO27001.

We recommend downloading our ISO27001 & Information Security green paper overview, which gives organisations the foundation to start their implementation towards better security. Download our free green paper on information security and ISO27001 >>

IT Governance is a specialist in helping organisations with cyber security, cyber governance and cyber compliance. Find out more about our products and services here.

For more information about IT Governance training courses call us on 00 800 48 484 484 or
email us at

European Data Protection Day 2014: Looking to the future

January 28th, 2014 by

Today marks Data Protection Day in Europe, commemorating the signing in 1981 of an international treaty on privacy and data protection.

Two years ago the EU data protection reform was proposed to benefit citizens who want to be able to trust online services. The European Commission wanted the individual to have more control over their data, including the right to be forgotten, easier access to their own data and the right to know when their data has been hacked. These proposals are likely to be adopted in April 2014.

With more power to be given to the consumer, businesses throughout Europe will have to strengthen their information security management systems (ISMS) and data privacy controls so that they fall in line with the proposals. If businesses fail to comply, or incur a data breach, the proposed regulations will see compromised organisations facing fines of up to €100m, or 5% of their annual worldwide turnover.

Can your business afford a €100m fine?

We thought not… so we’re encouraging organisations to act before it’s too late. With data protection within the EU being a “fundamental right”, data privacy will be a hot topic for 2014 and nearly all organisations will have to strengthen and/or adapt their information policies in one way or another.

IT Governance is Europe’s leading provider of information security books, standards, tools and training, helping organisations around the world implement an ISMS to win the trust of customers and to compete more effectively.

Data Protection: A Practical Guide to UK and EU Law, Third Edition is a valuable handbook that offers practical solutions to issues arising in relation to the UK and EU data protection laws. It has been fully updated and expanded to include coverage of all of the significant developments in the practice of data protection.

“This book really is a practical guide, being a good deal more readable than the legislation that underlies it” - Datonomy


What’s the most effective way to protect sensitive Healthcare data – technology, processes or people?

December 3rd, 2013 by

Trick question? Could be. The answer is of course “all three”. Take the case of Pervasive Health, who have recently achieved certification to ISO27001 – read our case study here:

Pervasive Health protects data with ISO27001 – download free of charge!

Protecting confidential patient data in the healthcare sector is of vital importance: Pervasive Health’s ISO27001 certification is a landmark achievement in the sector, showing the importance of combining the best IT security with an ISO standards-based approach to information security.

Handling sensitive health data requires the implementation of rigorous technology, standards and processes. For Pervasive Health, it’s business as usual, as they empower health enterprises and professionals to discover health insight every day. The USA-headquartered company chose IT Governance to help them gain ISO27001 accredited certification for the organisation’s US and European operations – making their platform the first in the field to achieve this.

But why is applying the ‘rigor’ of ISO27001 important in this emerging sector (healthcare insights)? Consider the evidence of what happens when software developers behave far less responsibly:

HIT – or miss? Today’s Healthcare technology can prove to be vulnerable!

The healthcare industry is rapidly adopting health information technology (HIT), sometimes so rapidly that security measures lag behind, leaving healthcare entities open to dangerous data breaches.

For example, in the first three years of the U.S. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, about 260 data breaches affected more than 10 million patients, according to the U.S. Department of Health and Human Services. The costs of a healthcare breach for both businesses and affected patients are staggering. The statistics speak for themselves:

• HITECH carries violation fines of up to $1.5 million
• Data breaches cost the healthcare industry $6 billion per year
• The total economic impact of medical identity theft is $30.9 billion annually, up from $28.6 billion in 2010
• Healthcare firms spend about $1 million per year, per firm, on data breaches.

[Source: Experian]

And of course, the healthcare industry is a particularly attractive data breach target. Healthcare records have it all: names, Social Security numbers, birth dates, payment information, insurance identification numbers, protected health information (PHI) and more. Healthcare entities manage large amounts of both PHI and personally identifying information (PII). So it’s little wonder that data breach prevention is the leading concern among healthcare IT decision makers. So what actions are they taking to improve information security?

What attracted Pervasive Health to ISO27001?

Pervasive Health already had strong internal processes to protect data; however, in the words of Information Security Manager, Rinaldo Tempo: “ISO27001 helped us to consider all the risks that we faced with the benefit of the rigor of what is, we believe, the most demanding security standard.”

The scope of Pervasive Health’s ISO27001 certification applies to their organisation in Europe (they have a base in the UK), but also to their facilities in the USA, where they have developed a new powerful and secure self-service platform. Apervita empowers health enterprises and professionals to unleash data and evidence-based research, transforming them into a shared computable insight. Medical practitioners register for Apervita, upload their data, author their insights, and start using them straight away. The advantages to both medical practitioners and patients are obvious: Apervita brings together a community of enterprises, professionals, data owners and insight authors to improve health, together.

Bringing together fragmented data sources, giving health professionals a unified view of all data, has enormous advantages. Authors can build, test, and publish their knowledge as computable insight. Insights are authored in hours, not years. And, thanks to a rigorous approach to information security issues, they can then be securely shared with anyone, anywhere, or kept for private use. Data owners can quickly publish their datasets with the confidence that the data is protected by the technology itself, by the processes that the organisation has put in place, and by people who care because they are trained to properly protect the data held in their system.

Apervita breaks down ‘Healthcare silos’ – without compromising security

Healthcare today is facing the triple challenges of excelling in quality, within an environment of expanding regulatory requirements, while minimising costs. The key to achieving these aims is capturing the value of information locked into health data silos. The average health enterprise can have more than 30 silos which frequently need to be shared. Apervita addresses all these needs by unifying health data silos, converting them into portable health insights, and allowing health enterprises, health professionals, health payers, and pharmaceutical companies to share them.

Aaron Symanski, Pervasive Health’s COO said: “Our team has extensive experience across sectors where information security is a paramount concern, including healthcare, telecommunications, and finance. We deeply understand the concept of data walls, security entitlements, and the granular security measures that health enterprises require to be implemented and maintained as part of an Information Security Management System. Developing and managing software that handles sensitive data with excellence is the nature of how our team operates. ISO27001 enabled us to formalise and continue to improve our processes.”

Pervasive Health started their ISO27001 journey helped by IT Governance

Pervasive Health contacted IT Governance to provide the consultancy support to create an ISO27001-compliant ISMS. This required the identification of any interfaces and dependencies with functions or services falling outside the scope, and consideration as to how these might be addressed. The exact scope of the project and the objectives for information security, which led to the information security policy, were determined by Pervasive Health’s senior team with support from IT Governance consultants. This included helping to develop the required risk assessment framework and recommendations for risk acceptance criteria.

IT Governance ‘Mentor & Coach’ transferred knowledge of ISO27001 fast

The work under this phase of support also assisted Pervasive Health’s Information Security Manager in developing the profile of the project team and an outline project plan. IT Governance provided ‘Mentor and Coach’ consultancy support. In order to comply with the ISO27001 standard and the Health and Social Care Information Centre (HSCIC) IG Toolkit requirements (formerly the NHS Connecting for Health CTP requirements), an asset-based information security risk assessment was conducted. This was achieved by carrying out interviews with asset owners to produce an asset register and then assessing potential risks to the assets.

Once the risks were identified and decisions made on how to manage them, a full Risk Treatment Plan was produced, which in turn led to the development of a Statement of Applicability to comply with the standard.

IT Governance assisted Pervasive Health in creating ISO27001 documentation in conjunction with the team, who committed resources to introduce the security controls while IT Governance developed the associated documentation identified as necessary.

Rinaldo commented, “IT Governance kept us on the road all the way – right up to the arrival of the external auditor. The training that they provided was very useful, as were the document templates. Having a different set of eyes at every stage was one of the reasons that we felt confident throughout, and the result of the final audit justified this.”

ISO27001 is the international standard that applies to whole organisations, which is why it often seems like a daunting challenge to the C-suite and senior managers in all sectors. However, as Pervasive Health have shown, leadership in this field pays handsome dividends. See the company’s News page for the growing evidence of how ISO27001 helps to build confidence among your partners and clients:

To read the Pervasive Health case study, follow this link: - it’s free for you to download. Let us know what you think. Is this the type of project that you would like to pursue?

If you would like to find out more about ISO27001:2013 and how to set up and run an Information Security Management System (ISMS), talk to our consultants by calling: 0845 070 1750.

We also have pages of relevant information on our ISO27001 Consultancy Services. Hiring our consultants will often save you money in the long run and get the job that you want done faster!

Bookmark this page as well!

Esri UK: Why ISO27001 information security management matters to one organisation, their partners and clients

November 22nd, 2013 by

"Let us be about setting high standards for life, love, creativity, and wisdom. If our expectations in these areas are low, we are not likely to experience wellness. Setting high standards makes every day and every decade worth looking forward to."  Greg Anderson

Who are Esri UK – and what can they teach us about being cyber resilient?

Esri UK is an entity within a truly global software phenomenon. In fact, Esri is now the third largest privately-owned software company franchise in the world, employing more than 4,500 people. Esri UK has a global presence.

Esri inspires and enables people to positively impact the future through a deeper, geographic understanding of the changing world around them. Their software holds a significant share of the worldwide market (estimated at more than 40%) and their clients represent a high proportion of the planet's key activities: aid and development, business (e.g. banking, insurance, marketing, media), defence and intelligence, education, government, health and human services, mapping and charting, natural resources (e.g. agriculture, petroleum, water), public safety (law enforcement, fire, security), transportation, utilities, and the whole gamut of modern communications.

From their continuing success over several decades, you can probably tell that Esri believes in setting high standards in all that it does.

Cyber security: Esri’s management system approach to protecting data

To quote Nick Rigby, non-Executive Director and a former Director of Intelligence at the MoD: “Information Security at Esri UK is constantly evolving as we develop and implement new technologies. It’s a Darwinian process that has no endpoint and that requires us to test and measure what we are doing at regular intervals. We don’t regard security as a ‘quick fix’ problem because we know that the task is ongoing and we cannot afford to ignore the challenge. Therefore evaluating our own, and our customers’, risk is part of the Esri UK DNA.”

Board level decision – keep on improving security: it’s part of our business

In 2012, the Board of Esri UK resolved to adopt ISO27001, the information security standard, and to seek UKAS-accredited certification by 2013.

The main drivers for gaining certification were:

1) Adopting best practice as defined in the ISO27001 information security standard

2) Differentiation: Esri UK would gain an advantage over its competitors by achieving certification

3) Compliance with the requirements of an ever-growing number of potential government-let contracts.

To speed up the process and achieve the best possible results, Nick selected IT Governance Ltd, on the strength of its track record in ISO27001, to deliver a bespoke mix of consultancy advice and public and internal training courses, from the initial gap analysis through to audit support.

Esri chose to put its faith in the international standards approach for reasons that are becoming increasingly apparent to industry in general.

You see, without falling back on grandstanding terminology like “cyberwar” or “advanced persistent threat”, protecting your own and your clients’ and partners’ data really does matter. Esri has got there first in the spatial data market. But that’s hardly surprising, given their leading position. The fact is, to be a winner like Esri, you need Standards!

Here are a few reasons for following the fastest route on your corporate map to arrive at Esri’s robust information security management system.

Read the Esri ISO27001 case study here:

And talk to us without obligation. We can provide the very best references!

*  *  *  * 

How can you emulate Esri’s well-deserved success in gaining ISO27001?

Talk to IT Governance – today!

If you would like to find out more about ISO27001:2013 and how to set up and run an Information Security Management System (ISMS), talk to our consultants by calling: 0845 070 1750.

Bookmark this page as well!

Prevent data breaches from harming your business

November 19th, 2013 by

Since 2012 there have been a number of data breaches and other security incidents across Europe that have affected millions of people. In May 2013 several Dutch government websites suffered DDoS attacks that left 10 million citizens unable to pay their taxes and bills online (an availability failure rather than a leak of data), and in December last year a Belgian railway company suffered an internal error that inadvertently published 1.46 million sets of customer data online.

So whether it is an internal or an external threat to your organisation that worries you, you are advised to put information security practices in place to reduce the risk of a data breach.

ISO/IEC 27001:2013 is an internationally recognised standard that sets out a best-practice specification for an Information Security Management System (ISMS), against which your organisation can be audited and certified. Even if you are not looking to gain certification, the best practices in the standard can be implemented purely for your own peace of mind.

To gain a good insight into information security and ISO 27001:2013, I suggest you take a look at ISO 27001 expert Alan Calder’s pocket guide – An Introduction to Information Security and ISO 27001(2013), Second Edition.

I also recommend that you download our free Information Security and ISO27001 Green Paper
