{"id":10899,"date":"2017-03-13T15:38:01","date_gmt":"2017-03-13T15:38:01","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=10899"},"modified":"2024-12-21T13:35:37","modified_gmt":"2024-12-21T13:35:37","slug":"information-security-focus-asset-protection-compliance-corporate-governance","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2017\/03\/13\/information-security-focus-asset-protection-compliance-corporate-governance\/","title":{"rendered":"Should information security focus on asset protection, compliance, or corporate governance?"},"content":{"rendered":"<p>Traditionally, information security has been perceived as an activity that was built around protecting sensitive information assets \u2013 after all, this is what the first (2005) revision of <a href=\"https:\/\/advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>, and its predecessor BS 7799-2, also emphasized. These standards required companies to identify all the assets, and then build the safeguards (i.e., defense) around those assets.<\/p>\n<p>But, in the last decade, other ways to look at information security have emerged as well: that security is primarily a compliance job, and that security is part of an internal control, i.e., part of corporate governance. 
(Note: this blog post has adapted the model presented in the paper <a id=\"target_blank\" class=\"no-lightbox\" href=\"https:\/\/www.researchgate.net\/profile\/Elspeth_Mcfadzean\/publication\/38177580_Information_assurance_strategic_alignment_and_competitive_advantage\/links\/0c960522450af7e2fc000000\/Information-assurance-strategic-alignment-and-competitive-advantage.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">Information assurance: Strategic alignment and competitive advantage<\/a>.)<\/p>\n<p>So, which of these three approaches is the best to take?<\/p>\n<h2>Information security as a protection of information assets \/ IT security approach<\/h2>\n<p>This traditional approach of protecting the assets came from the philosophy that has existed in physical security for thousands of years \u2013 you have a physical asset, and then you build a security perimeter around it. (See also: <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2015\/03\/23\/physical-security-in-iso-27001-how-to-protect-the-secure-areas\/\" target=\"_blank\" rel=\"noopener noreferrer\">Physical security in ISO 27001: How to protect the secure areas<\/a>.)<\/p>\n<p>This traditional approach was mostly taken over by IT departments who had developed their IT security technology \u2013 e.g., firewalls, anti-virus protection, intruder-detection systems, etc. \u2013 around the assets they wanted to protect. (See also: <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2010\/03\/01\/information-security-or-it-security\/\" target=\"_blank\" rel=\"noopener noreferrer\">Information security or IT security?<\/a>)<\/p>\n<p>And this approach worked fine for physical security; however, the problem is now with cloud services, mobile devices, insiders, backdoors, hackers, etc. 
\u2013 it is becoming really difficult to define the security perimeter around information assets and then build the controls around them; obviously, something else is needed.<\/p>\n<h2>Information security as a compliance job<\/h2>\n<p>Since protection of sensitive corporate and\/or private information is becoming a very hot issue, governments \u2013 as well as customers \u2013 are taking a more proactive approach and defining various information security requirements through laws, regulations, and contracts. (See also: <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2017\/02\/06\/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to identify ISMS requirements of interested parties in ISO 27001<\/a>.)<\/p>\n<p>And then companies are starting to focus on fulfilling all these requirements \u2013 in most cases, this is done through writing various policies and procedures, but this kind of \u201cbox-ticking-by-writing-documentation\u201d approach doesn\u2019t really resolve the main issue \u2013 how to decrease the number of security incidents by making the processes in companies more secure.<\/p>\n<h2>Information security as part of internal control\/corporate governance<\/h2>\n<p>This approach is more typical for larger organizations who want to know exactly who is responsible for what, which reports are sent to whom, who has to make which decisions, etc. 
These kinds of organizations basically want to reduce the risk of something going wrong, although very often they do not have a formal risk management process.<\/p>\n<p>This approach fits quite well with the compliance approach; however, there are many companies taking this approach without the compliance \u201cpush.\u201d The downside of this approach might be that the communication is usually one-way \u2013 from the corporate headquarters down to every department \u2013 this way, it is very difficult to explain to the top management the real problems that are faced in the day-to-day operations when it comes to threats, vulnerabilities, or difficulties of adoption of new corporate rules.<\/p>\n<h2>A blended approach<\/h2>\n<p>Now, the question is: Which of these three approaches should be your guiding light? If you look at the latest 2013 revision of ISO 27001, then the answer is: none. Or, to be more precise, ISO 27001:2013 requires you to mix all of these approaches into a single management system based on risk approach. 
(See also: <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-risk-assessment-treatment-management\/\" target=\"_blank\" rel=\"noopener\">ISO 27001 risk assessment &amp; treatment \u2013 6 basic steps<\/a>.)<\/p>\n<p>ISO 27001:2013 requires you to perform the <a href=\"https:\/\/advisera.com\/27001academy\/documentation\/risk-assessment-and-treatment-report\/\" target=\"_blank\" rel=\"noopener noreferrer\">risk assessment and treatment<\/a>, and choose the most appropriate <a href=\"https:\/\/advisera.com\/27001academy\/documentation\/statement-of-applicability\/\" target=\"_blank\" rel=\"noopener noreferrer\">controls<\/a>\u00a0for your information; it also requires you to identify all legal and regulatory requirements, and requirements from your partners and clients, and then to comply with those; finally, ISO 27001:2013 requires you to set up a management system with clearly defined roles and responsibilities, measurement, reporting, and internal audit functions.<\/p>\n<p>So, what\u2019s the point here? 
Don\u2019t be misled into viewing one of these approaches as your main information security philosophy \u2013 that would be a mistake because you wouldn\u2019t be able to protect your information properly.<\/p>\n<p><em><span class=\"notion-enable-hover\" data-token-index=\"0\">To automate your compliance with ISO 27001 security controls,<\/span><\/em>\u00a0<a class=\"notion-link-token notion-focusable-token notion-enable-hover\" tabindex=\"0\" href=\"https:\/\/advisera.com\/conformio\/\" target=\"_blank\" rel=\"noopener\" data-token-index=\"2\"><span class=\"link-annotation-unknown-block-id-1092142182\">sign up for a free trial<\/span><\/a>\u00a0<em><span class=\"notion-enable-hover\" data-token-index=\"4\">of Conformio, the leading ISO 27001 compliance software.<\/span><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Traditionally, information security has been perceived as an activity that was built around protecting sensitive information assets \u2013 after all, this is what the first (2005) revision of ISO 27001, and its predecessor BS 7799-2, also emphasized. 
These standards required companies to identify all the assets, and then build the safeguards (i.e., defense) around those &#8230;<\/p>\n","protected":false},"author":26,"featured_media":10900,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[176,381,771,1597,1598],"class_list":["post-10899","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-compliance","tag-iso-27001","tag-it-security","tag-corporate-governance","tag-internal-control"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10899","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=10899"}],"version-history":[{"count":2,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10899\/revisions"}],"predecessor-version":[{"id":103235,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/10899\/revisions\/103235"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/10900"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=10899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=10899"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=10899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}