News update written by Shamane Tan, APAC Cyber Security Advisor
Despite the heavy rain this morning, attending an educational breakfast presentation hosted by Lloyd's Register together with Privasec was a great way to start the day! It was quite enjoyable hearing from our very own Dr. Ignatius Swart as he demystified ISO 27001:2013, discussed common misconceptions, and explained what is really required for businesses to obtain certification. He was such a natural, having previously been invited to speak many times at large conferences attended by ministers, defence and government bodies. This morning, he delivered a fantastic presentation in a clear and concise manner, going through 10 ISO 27001 misconceptions and debunking the incorrect theories and perceptions that commonly stop businesses from getting ISO 27001:2013 certified.
My key takeaways:
- It's not about choosing a side between ISO 27001 (the ISO 27000 family) and NIST. The focus is choosing what to govern with, and we can actually have both.
- At the end of the day, having an Information Security Management System (ISMS) provides the business with a management process, and requires everyone (not just IT) to acknowledge that security is a business problem.
- It is a risk-based approach, and not all controls are applicable: the controls you implement follow from the risks you identify and the scope you define.
- Getting an ISO 27001 certification is easier than we think it is, since the standard was written for all types and sizes of businesses.
- Certification can also occur much quicker than commonly thought. Many of our clients at Privasec achieve certification within 5 to 6 months. Dr. Ignus shared how Privasec certified a huge multinational corporation with approximately 8,000 staff in 300 offices across 13 countries in just under 9 months.
- There is also more to certification than just better security: certification allows companies to go after bigger tenders, since their security posture is seen as mature and independently certified by a third party.