

HiComply & Industry Terminology Explained

Automated Asset inventory

Why do I need an asset inventory?

Understanding the assets owned and used within your business is the cornerstone of any good ISMS. Most InfoSec standards insist on a regularly maintained inventory of information assets (for ISO 27001:2013 this is Annex A control A.8.1.1, with ownership of each asset required by A.8.1.2).
Assets need to be identified, classified and categorised, and each one needs a named owner. This may sound daunting, and you may feel you need to spend big on an InfoSec consultant if you have never done it before, but Hicomply provides a comprehensive Asset Library which customers can import to automate the basis of their asset inventory.
Within minutes rather than days you can have an asset inventory ready to manage.


What is Cybersecurity?

Cyber security’s core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage.
It’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.

Full list of ISO 27000 standards

The ISO/IEC 27000-series standards, covering information technology – security techniques, are often referred to as the "ISMS family of standards". They are:

ISO 27000 — Information security management systems — Overview and vocabulary

ISO 27001 — Information security management systems — Requirements: the only standard in the family against which an organisation can be certified

ISO 27002 — Code of practice for information security controls: an implementation guide and examples of typical controls mentioned in ISO 27001

ISO 27003 — Information security management system implementation guidance

ISO 27004 — Information security management — Monitoring, measurement, analysis and evaluation: expands on the performance evaluation requirements of ISO 27001

ISO 27005 — Information security risk management

ISO 27006 — Requirements for bodies providing audit and certification of information security management systems: how certification bodies (CBs) should operate

ISO 27007 — Guidelines for information security management systems auditing: auditing practices on an ISMS

ISO TR 27008 — Guidance for auditors on ISMS controls

ISO 27009 — Sector-specific application of ISO 27001: requirements for those developing industry-specific variants or implementation guidelines of the ISO 27K standards

ISO 27010 — Information security management for inter-sector and inter-organizational communications

ISO 27011 — Information security management guidelines for telecommunications organizations

ISO 27013 — Guideline on the integrated implementation of ISO 27001 and ISO 20000-1 (ISO 20000 is the IT service management standard, aligned with ITIL)

ISO 27014 — Governance of information security: guidance for an organisation's governing body on directing and overseeing the ISMS

ISO TR 27016 — information security economics (note TR 27015 was withdrawn)

ISO 27017 — Code of practice for information security controls based on ISO 27002 for cloud services

ISO 27018 — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors: relevant to GDPR, especially for cloud apps

ISO TR 27019 — Information security for process control in the energy industry

ISO 27031 — Guidelines for information and communication technology readiness for business continuity

ISO 27032 — Guideline for cybersecurity

ISO 27033-1 — Network security – Part 1: Overview and concepts

ISO 27033-2 — Network security – Part 2: Guidelines for the design and implementation of network security

ISO 27033-3 — Network security – Part 3: Reference networking scenarios – Threats, design techniques and control issues

ISO 27033-4 — Network security – Part 4: Securing communications between networks using security gateways

ISO 27033-5 — Network security – Part 5: Securing communications across networks using Virtual Private Networks (VPNs)

ISO 27033-6 — Network security – Part 6: Securing wireless IP network access

ISO 27034-1 — Application security – Part 1: Guideline for application security

ISO 27034-2 — Application security – Part 2: Organization normative framework

ISO 27034-6 — Application security – Part 6: Case studies

ISO 27035-1 — Information security incident management – Part 1: Principles of incident management

ISO 27035-2 — Information security incident management – Part 2: Guidelines to plan and prepare for incident response

ISO 27036-1 — Information security for supplier relationships – Part 1: Overview and concepts

ISO 27036-2 — Information security for supplier relationships – Part 2: Requirements

ISO 27036-3 — Information security for supplier relationships – Part 3: Guidelines for information and communication technology supply chain security

ISO 27036-4 — Information security for supplier relationships – Part 4: Guidelines for security of cloud services

ISO 27037 — Guidelines for identification, collection, acquisition and preservation of digital evidence

ISO 27038 — Specification for Digital redaction on Digital Documents

ISO 27039 — Selection, deployment and operation of intrusion detection and prevention systems (IDPS)

ISO 27040 — Storage security

ISO 27041 — Investigation assurance: assuring the suitability and adequacy of incident investigative methods

ISO 27042 — Guidelines for the analysis and interpretation of digital evidence

ISO 27043 — Incident investigation principles and processes

ISO 27050-1 — Electronic discovery – Part 1: Overview and concepts

ISO 27050-2 — Electronic discovery – Part 2: Guidance for governance and management of electronic discovery

ISO 27701 — Information technology – Security Techniques – Information security management systems — Privacy Information Management System (PIMS).

ISO 27799 — Information security management in health using ISO 27002 – guides health industry organizations on how to protect personal health information using ISO 27002.

Governance, Risk and Compliance Software

What is GRC Software

Governance, Risk Management and Compliance software (GRC software) provides organisations with a platform for meeting their IT-related compliance needs. As its name suggests, the software provides the tools to identify and measure IT risk and to manage the processes employed to mitigate those risks. Hicomply GRC software provides an integrated platform with:

  • Policy Management and the appropriate information dissemination for employees and teams within the business
  • Asset Inventory management with information asset libraries linked to all associated risks
  • Risk Management tools allowing for enterprise risk management, multiple risk methodologies for use across different areas of enterprise business risk
  • Task Management and Tracking allowing easy communication, planning and scheduling of GRC project tasks
  • Internal and External Audit planning and execution

Integrated Management System

Integrated Management System

An Integrated Management System (IMS) is one in which an organisation combines more than one of its adopted standards and systems into a single, more streamlined programme. An example would be an organisation combining its ISO 9001 and ISO 27001 compliance projects into one management system.
Hicomply gives organisations a multi-project approach: within a single application interface many compliance projects can be combined and managed on the same platform, allowing multiple standards to be managed and certified using a single set of policies, procedures and operational processes. Using an IMS approach can provide significant cost savings to an organisation.
Hicomply provides IMS combination support across ISO/IEC 27001:2013, ISO/IEC 27701:2019, ISO 9001, NIST SP 800-53, HIPAA, PCI-DSS V2.0, AUP V5.0, CSA, SOC 2 and more.

ISO 27001 Background

ISO 27001:2013 is an information security standard published on 25 September 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under their joint subcommittee, ISO/IEC JTC 1/SC 27. It is the international specification for an information security management system (ISMS). An organisation's ISMS may be independently certified against ISO 27001:2013 by an accredited certification body to show that all requirements of the standard have been met. In recent years certification has become a requirement for some organisations in order to meet client, contractual and tender needs. The overall system is designed around reducing information security risk in a company, thus supporting business continuity and yielding financial savings through good internal controls. (ISO/IEC 27001:2022 has since superseded the 2013 edition and restructured Annex A; the clause and control numbers quoted on this page are the 2013 ones.)

ISO 27001:2013 Benefits

What are the benefits?

By implementing a formal management system according to ISO 27001 requirements a company will have:

  • Confidence that all legal requirements for IT-related matters are met, e.g. email usage, web usage, indemnity issues and data protection legislation (such as the POPI Act, the Protection of Personal Information Act, and the Promotion of Access to Information Act).
  • A detailed, structured and measurable risk assessment process that can be internally audited.
  • The ability to identify risks to your electronic information and put in place security measures to manage or reduce them.
  • Procedures and checklists that enable prompt detection of security breaches.
  • Continual improvement: the ability to review the effectiveness of your information security management system (ISMS) and take action to address new and emerging security risks.
  • Cost savings through a reduction in incidents, fewer internal failures and better prevention measures.
  • Compliance with customer and tender requirements.

ISO 27001:2013 management clauses

ISO 27001:2013 has the following sections which need consideration when implementing the standard.

  • Introduction (clause 0) – the standard uses a process approach.
  • Scope (clause 1) – it specifies generic ISMS requirements suitable for organisations of any type, size or nature.
  • Normative references (clause 2) – other standards that are indispensable for applying this one (ISO/IEC 27000).
  • Terms and definitions (clause 3) – a brief, formalised glossary, by reference to ISO/IEC 27000.
  • Context of the organisation (clause 4) – understanding the organisational context, the needs and expectations of "interested parties", and defining the scope of the ISMS. Clause 4.4 states very plainly that "The organization shall establish, implement, maintain and continually improve" a compliant ISMS.
  • Leadership (clause 5) – top management must demonstrate leadership and commitment to the ISMS, mandate the policy, and assign information security roles, responsibilities and authorities.
  • Planning (clause 6) – outlines the process to identify, analyse and plan to treat information security risks, and to set information security objectives.
  • Support (clause 7) – adequate, competent resources must be assigned, awareness raised, and documented information prepared and controlled.
  • Operation (clause 8) – more detail on assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
  • Performance evaluation (clause 9) – monitor, measure, analyse and evaluate, internally audit and management-review the information security controls, processes and management system in order to make systematic improvements where appropriate.
  • Improvement (clause 10) – address the findings of audits and reviews (e.g. nonconformities and corrective actions) and make continual refinements to the ISMS.

ISO 27001:2013 requirements

ISO 27001:2013 formally specifies a management system that is intended to bring information security under specific management control. ISO 27001:2013 requires the management program to:

  • Systematically examine the organisation's information security risks, taking account of the threats, vulnerabilities and impacts;
  • Design and implement a comprehensive set of information security controls through a documented management system, with all the processes and forms needed;
  • Enforce legal requirements through effective control of company policies and procedures;
  • Give guidance on what is required within the company to ensure that information security risk is managed, with policies set at corporate level;
  • Apply risk management according to ISO 27001 requirements.

ISO 27004

What is ISO27004?

ISO/IEC 27004:2016 provides guidance to organisations that wish to monitor and measure the performance of their ISO/IEC 27001:2013 information security management system. Hicomply provides the tools needed to evidence, review and measure the impact of your ISMS, and our team of experts will advise on how best to implement our software in line with ISO/IEC 27004:2016.

Know the Ropes

Implementation roadmap, by phase. For each phase the ISMS line lists the ISO 27001 activities and the Data protection line the parallel privacy activities.

Project mandate / pre-project
  ISMS: Scope / boundaries, Customer focus, Leadership / Structure of team, Objectives
  Data protection: Organisational awareness

Initiation
  ISMS: Policies, processes and procedures covering:
    • HR
    • Information classification
    • Access management
    • Encryption
    • Physical and environmental
    • Operations
    • Communications
    • Acquisition and development
    • Suppliers
    • Business continuity
    • Compliance
  Compliance records, Tool kit / DMS
  Data protection: Information analysis – what, where and sharing; Data flow mapping

Management framework
  ISMS: Organisational context, Stakeholders and interested parties, Engagement, Risk impacts
  Data protection: Communication of privacy information, Individuals' rights, Management of personal data

Baseline
  ISMS: Security criteria identified; Arrangements implemented; Mandatory ISMS requirements; Legal compliance
  Data protection: Consent – how, then record and manage

Risk Management
  ISMS: Type of methodology (e.g. asset-based, ISO 31000, etc.); Risk register(s)
  Data protection: Children & parental consent

Implementation
  ISMS: Management review forums, Staff trained, Competencies assessed, Data transfer methods and targets, Ts and Cs with suppliers
  Data protection: Data collection techniques; Data breaches – detection, reporting and investigation

Measure, monitor and review
  ISMS: Evaluation measures established, Benchmarks and metrics, Improvement schedule established, Management reporting / dashboards
  Data protection: DP by Design, DP Impact Assessments (may be introduced at an earlier stage)

Audit
  ISMS: Verification and validation, Training, NCs and corrective actions
  Data protection: Internationalisation, Inter-corporate arrangements

Post certification
  ISMS: Inter-group exchanges, Liaison with authorities, Supply chain, Outsourcing
  Data protection: Revised statutes, DP practice developments

Mandatory documents ISO 27001:2013

The following documents need to be available in order to be compliant with ISO 27001:2013. The documents required by the main clauses (4 to 10) are always mandatory. Those listed against Annex A controls are mandatory wherever the corresponding control is applicable; if a control is excluded, the Statement of Applicability must record a justification for the exclusion (clause 6.1.3 d), so it is not enough simply to leave the document out and mark it "not applicable".

Mandatory documents:

  • Scope of the ISMS (clause 4.3)
  • Information security policy and objectives (clauses 5.2 and 6.2)
  • Risk assessment and risk treatment methodology (clause 6.1.2)
  • Statement of Applicability (clause 6.1.3 d)
  • Risk treatment plan (clauses 6.1.3 e and 6.2)
  • Risk assessment report (clause 8.2)
  • Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
  • Inventory of assets (clause A.8.1.1)
  • Acceptable use of assets (clause A.8.1.3)
  • Access control policy (clause A.9.1.1)
  • Operating procedures for IT management (clause A.12.1.1)
  • Secure system engineering principles (clause A.14.2.5)
  • Supplier security policy (clause A.15.1.1)
  • Incident management procedure (clause A.16.1.5)
  • Business continuity procedures (clause A.17.1.2)
  • Statutory, regulatory and contractual requirements (clause A.18.1.1)

Mandatory records:

  • Records of training, skills, experience and qualifications (clause 7.2)
  • Monitoring and measurement results (clause 9.1)
  • Internal audit programme (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)
  • Logs of user activities, exceptions and security events (clauses A.12.4.1 and A.12.4.3)

What is the NIST Cyber Security Framework?

NIST is the National Institute of Standards and Technology, an agency of the US Department of Commerce. Two NIST publications are relevant here and are often confused. NIST SP 800-53 is a catalogue of security and privacy controls for information systems which broadly maps against other information security standards; it is the one supported in Hicomply. The NIST Cybersecurity Framework (CSF) is a separate, higher-level document that organises security outcomes into the Functions Identify, Protect, Detect, Respond and Recover (CSF 2.0 adds Govern) and maps each of them to SP 800-53 and ISO 27001 controls.
Hicomply has all elements of NIST SP 800-53 in the ISMS platform and has mapped them to the other standards supported in the system (e.g. ISO 27001, CSA, HIPAA, PCI-DSS). This can significantly reduce the overhead of managing an IMS across multiple standards, using the same policies, procedures and management processes around risk, assets, incidents etc. across all of them.

Non-mandatory documents ISO 27001:2013

There are a number of non-mandatory documents that support the ISO 27001:2013 controls and should be in the management system in order to define those controls. Some of these documents might already exist in other ISO management systems you have implemented, such as ISO 9001:2015, ISO 14001:2015 or ISO 45001:2018.
If you have one of the above documented ISO management systems you may integrate the ISO 27001:2013 system into the existing one in order to reduce the number of documents below.

  • Procedure for document control (clause 7.5)
  • Controls for managing records (clause 7.5)
  • Procedure for internal audit (clause 9.2)
  • Procedure for corrective action (clause 10.1)
  • Bring your own device (BYOD) policy (clause A.6.2.1)
  • Mobile device and teleworking policy (clause A.6.2.1)
  • Information classification policy (clauses A.8.2.1, A.8.2.2 and A.8.2.3)
  • Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1 and A.9.4.3)
  • Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
  • Procedures for working in secure areas (clause A.11.1.5)
  • Clear desk and clear screen policy (clause A.11.2.9)
  • Change management policy (clauses A.12.1.2 and A.14.2.4)
  • Backup policy (clause A.12.3.1)
  • Information transfer policy (clauses A.13.2.1, A.13.2.2 and A.13.2.3)
  • Business impact analysis (clause A.17.1.1)
  • Exercising and testing plan (clause A.17.1.3)
  • Maintenance and review plan (clause A.17.1.3)
  • Business continuity strategy (clause A.17.2.1)

Predictive Risk AI

The hard part of risk management is identifying all the associated risks; most businesses pay large sums of money to have these risks identified for them. The easier part is then working through those risks to estimate the impact and likelihood of each one. Hicomply Predictive Risk AI uses the information you provide and the assets within your business to predict your associated risks. It identifies and describes them, giving you the information you need to assess the potential impact and likelihood of each risk. Most InfoSec standards insist on a regularly maintained risk assessment process; with Hicomply you can either adopt our methodology or apply your own if you have one.

Risk Assessment Methodology

What is a risk assessment methodology?

Any risk assessment methodology should define the rules by which your organisation will identify risks, assess their impact and likelihood, prioritise them, assign responsibility and ownership, and set the criteria for accepting and treating risk.
This may sound complicated, but Hicomply provides a turnkey solution. Adopt our risk assessment methodology and all the tools are available to you for the effective management of risk in your business.
The system also caters for all risk assessment types: create your own risk assessment methodology in line with your own business processes, or use several depending on the type of risk assessment being undertaken. Whichever you choose, ISO 27001 clause 6.1.2 requires that repeated assessments produce consistent, valid and comparable results, so the rules must be written down and applied the same way to every risk.

Risk Matrix

Within risk assessment it is standard practice to categorise risks based on the likelihood of their occurring and the impact they would cause if they did. Most risk assessments use this approach, and use a risk matrix to visualise each risk against likelihood and impact.

The solution comes with a pre-defined 5 x 5 risk matrix, but it can be changed to a larger or smaller grid; some organisations use 3 x 3 (low, medium, high). ISO 27001 does not mandate a particular scale or scoring method, but it does insist that a defined one is in place, together with the criteria for accepting risk (clause 6.1.2 a).
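The scoring and acceptance logic described in the two sections above, as an added example in Python (not Hicomply's code and not tied to its product): a configurable N x N matrix scores each risk as likelihood x impact, bands the score, refuses entries with no owner, and ranks the register so treatment starts at the top. The band thresholds, the acceptance threshold of 5, the Risk and Assessment field names and the sample register entries are all constructed assumptions.

```python
"""Likelihood x impact scoring against a configurable N x N risk matrix.

Added example, not Hicomply's code. The band thresholds, the acceptance
threshold and the sample register entries are constructed assumptions.
"""
from dataclasses import dataclass, field

# Default banding for a 5 x 5 matrix (scores 1..25); an assumed convention.
DEFAULT_BANDS = {1: "Low", 5: "Medium", 12: "High", 20: "Critical"}


@dataclass(frozen=True)
class RiskMatrix:
    """An N x N matrix; `bands` maps the lowest score of each band to a label."""
    size: int = 5
    bands: dict = field(default_factory=lambda: dict(DEFAULT_BANDS))

    def __post_init__(self):
        if self.size < 2:
            raise ValueError("matrix must be at least 2 x 2")
        if min(self.bands) != 1:
            raise ValueError("bands must start at score 1")

    def score(self, likelihood: int, impact: int) -> int:
        """Score = likelihood x impact, both on a 1..size scale."""
        for name, value in (("likelihood", likelihood), ("impact", impact)):
            if not 1 <= value <= self.size:
                raise ValueError(f"{name} {value} is outside 1..{self.size}")
        return likelihood * impact

    def band(self, score: int) -> str:
        """Label of the highest band whose threshold the score reaches."""
        return self.bands[max(t for t in self.bands if t <= score)]

    def grid(self) -> list:
        """Rows = impact (high to low), columns = likelihood (low to high)."""
        return [[self.band(self.score(lk, im)) for lk in range(1, self.size + 1)]
                for im in range(self.size, 0, -1)]


@dataclass
class Risk:
    risk_id: str
    asset: str
    description: str
    likelihood: int
    impact: int
    owner: str


@dataclass
class Assessment:
    risk: Risk
    score: int
    band: str
    decision: str  # "Accept" or "Treat"


def assess_register(risks, matrix: RiskMatrix, accept_below: int) -> list:
    """Score, band and rank every risk; refuse entries with no owner.

    `accept_below` is the organisation's risk acceptance criterion: any
    score below it may be accepted, anything at or above it needs treatment.
    """
    results = []
    for r in risks:
        if not r.owner.strip():
            raise ValueError(f"{r.risk_id}: assign an owner before assessment")
        s = matrix.score(r.likelihood, r.impact)
        decision = "Accept" if s < accept_below else "Treat"
        results.append(Assessment(r, s, matrix.band(s), decision))
    # Highest score first so the treatment plan works from the top.
    results.sort(key=lambda a: (-a.score, a.risk.risk_id))
    return results


# Constructed sample register (likelihood and impact on a 1..5 scale).
SAMPLE_RISKS = [
    Risk("R-01", "Customer database", "Unpatched DB server reachable from the internet", 4, 5, "Head of IT"),
    Risk("R-02", "Laptops", "Loss or theft of an unencrypted laptop", 3, 4, "IT Manager"),
    Risk("R-03", "Office printer", "Printout left uncollected on the tray", 2, 2, "Office Manager"),
    Risk("R-04", "Backup tapes", "Tapes stored off-site without encryption", 2, 5, "IT Manager"),
]


if __name__ == "__main__":
    matrix = RiskMatrix()
    for row in matrix.grid():
        print(" ".join(f"{cell:8}" for cell in row))
    for a in assess_register(SAMPLE_RISKS, matrix, accept_below=5):
        print(f"{a.risk.risk_id} {a.score:2} {a.band:8} {a.decision:6} {a.risk.owner}")
```

Run it directly to print the 5 x 5 grid and the ranked register; RiskMatrix(size=3, bands={1: "Low", 3: "Medium", 6: "High"}) gives the low/medium/high variant mentioned above. Whatever thresholds you choose, record them in the methodology document: the auditor will check that the same rules were applied to every risk and that every accepted risk sits below the documented acceptance criterion.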

Statement of Applicability

ISO/IEC 27001:2013 lists 114 information security controls in Annex A of the standard. An organisation implementing an ISMS and seeking certification is required to review its business activity against each control to determine whether it is applicable. All applicable controls must be implemented (or planned, with their status recorded), and any that are not applicable require a documented justification explaining why the control is not relevant to the business. The Statement of Applicability (SoA, clause 6.1.3 d) records all of this in a single reference, and the certification auditor uses it as the map of what to audit, so a control that is simply missing from the SoA is itself a finding.
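A check of the rule just stated, as an added example in Python (not Hicomply's code): every Annex A control must appear in the SoA with either a valid implementation status or a justification for its exclusion. ANNEX_A_SUBSET holds only a handful of the 114 controls and SAMPLE_SOA is a constructed input with three deliberate defects; the CSV column names and the status vocabulary are assumptions.

```python
"""Statement of Applicability (SoA) completeness check for ISO/IEC 27001:2013.

Added example, not Hicomply's code. Enforces clause 6.1.3 d): every Annex A
control is listed, and is either applicable with an implementation status
or excluded with a written justification.
"""
import csv
import io

# A few of the 114 Annex A controls (constructed subset, not the full list).
ANNEX_A_SUBSET = {
    "A.5.1.1": "Policies for information security",
    "A.6.1.1": "Information security roles and responsibilities",
    "A.6.2.1": "Mobile device policy",
    "A.8.1.1": "Inventory of assets",
    "A.9.1.1": "Access control policy",
    "A.11.1.5": "Working in secure areas",
    "A.12.4.1": "Event logging",
    "A.14.2.5": "Secure system engineering principles",
}

# Assumed column layout for an exported SoA; the status vocabulary is also assumed.
VALID_STATUS = {"Implemented", "Partially implemented", "Not started"}

# Constructed SoA with three defects: an exclusion without justification,
# a control ID that does not exist, and a catalogue control left out entirely.
SAMPLE_SOA = """\
control,applicable,status,justification
A.5.1.1,yes,Implemented,
A.6.1.1,yes,Implemented,
A.6.2.1,no,,"No mobile devices are issued and BYOD is prohibited by policy"
A.8.1.1,yes,Partially implemented,
A.9.1.1,yes,Implemented,
A.11.1.5,no,,
A.12.4.1,yes,Not started,
A.99.9.9,yes,Implemented,
"""


def control_sort_key(control_id: str) -> tuple:
    """Sort 'A.12.4.1' numerically rather than as text."""
    return tuple(int(part) for part in control_id.split(".")[1:])


def check_soa(csv_text: str, catalogue: dict) -> list:
    """Return findings as strings; an empty list means the SoA is complete."""
    findings = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control"].strip()
        seen.add(cid)
        if cid not in catalogue:
            findings.append(f"{cid}: not an Annex A control in the catalogue")
            continue
        if row["applicable"].strip().lower() == "yes":
            if row["status"].strip() not in VALID_STATUS:
                findings.append(f"{cid}: applicable but no valid implementation status")
        elif not row["justification"].strip():
            findings.append(f"{cid}: excluded without a justification")
    # Controls the SoA never mentions at all are the commonest audit finding.
    for cid in sorted(catalogue.keys() - seen, key=control_sort_key):
        findings.append(f"{cid}: missing from the SoA ({catalogue[cid]})")
    return findings


def applicability_summary(csv_text: str) -> dict:
    """Count applicable vs excluded rows, as reported on the SoA cover sheet."""
    counts = {"applicable": 0, "excluded": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = "applicable" if row["applicable"].strip().lower() == "yes" else "excluded"
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for finding in check_soa(SAMPLE_SOA, ANNEX_A_SUBSET):
        print(finding)
    print(applicability_summary(SAMPLE_SOA))
```

Point the catalogue at the full 114-control list from the standard and the same function validates a real export; the order of the findings (row problems first, then controls that are absent) mirrors how an auditor walks the SoA.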

The Golden Rules

The Do’s

  • Remember the 'need to know' principle of data access.
  • Operate a clear desk policy when working in the office or at home.
  • Always keep your devices locked when you are away from them, in the office and at home.
  • Keep passwords secure at all times; don't write them down where they are visible to others; don't share your passwords or use anyone else's password.
  • Always follow the Acceptable Use Policy for email and internet usage.
  • Dispose of paper and removable media in an appropriate manner. If in doubt, ask your manager.
  • Store all documents and records according to their sensitivity.
  • Report all information security incidents, weaknesses and suspicious circumstances to your manager as soon as possible.
The Don'ts

  • Don't remove sensitive papers or software from the workplace without your manager's approval.
  • Don't transfer personal information, confidential or restricted information to anyone without the written approval of the information owner.
  • Don't give out information unless you are absolutely sure who you are talking to, that they have a business need to receive it and that there is no chance of anyone eavesdropping on your conversation.
  • Don't process or give out anyone's personal information without their written consent.
  • Don't leave visitors unescorted in the office or around your working area at home.
  • Don't click on any links in emails unless they have been sent by a trusted source (check the email address carefully!) and you are expecting to receive the link. If in doubt, ask.

The Ten rules of Information Security

ISMS Awareness

1. Safeguard your computer

Workstations should be set up in a secure, clean, calm, stable environment. Don't have (large coils of) loose cables that might be a safety hazard: tripping over a cable and pulling it out of the computer, or pulling the computer over, is not something you want to do. Always log out of and shut down Windows, and switch your computer off when it's not in use. The biggest risk associated with laptops is, in fact, the loss or theft of the laptop, so keep its disk encrypted and never leave it unattended in a vehicle or public place.

2. Use strong passwords

If you use a computer on a corporate network, you will have been allocated a user name with user rights described in your access agreement. Be sure to use a strong password: make it long and not something a miscreant could easily guess. It is particularly important that any password you use over the web is a strong one. Do not reuse the same password across sites and services: a breach of one site then hands the attacker your other accounts too. It is difficult to remember many strong passwords, so use a password manager to generate and store a unique one for each site, and turn on multi-factor authentication wherever it is offered. Change a password promptly if you suspect it has been intercepted or leaked, and whenever your organisation's policy requires it.

3. Update and patch your operating system

One reason why there are so many viruses and hackers out there is that Microsoft's Windows is so widely distributed. It does have faults, the consequence of ever more complex code with ever more sophisticated features, released as fast as possible. It is also a consequence of its widespread use: hackers target the most commonly used software, not the least used. Microsoft releases hotfixes, patches and upgrades to its software as and when vulnerabilities are identified and the new code has been adequately tested. Once you know that your computer is running a fully updated version of the operating system, keep it that way by leaving automatic updates switched on. Keep yourself informed: Microsoft provides non-technical security alerts and update notices for users. You should also update and patch your applications, not just the operating system, since browsers, office suites and PDF readers are targeted just as often.

4. Have an up‐to‐date firewall

A firewall is essential for any computer; respect it whether it runs on the network gateway or on your personal computer (e.g. when working wirelessly and/or on the move). Of course, you can't think why anyone should attack your machine, but it is the automated attacks that do the damage: who wants their computer to be a part-time member of a massive botnet used for distributed denial of service (DDoS) attacks, spam distribution or illegal data storage? If you are operating a small network with a single internet gateway (such as a wireless router), you will need a firewall on the gateway. Home routers normally come with one pre-installed, but check that it is enabled and that remote administration from the internet is switched off. You should familiarise yourself with the basics of your firewall, just as you familiarise yourself with the basics of car maintenance or home security.

5. Have up‐to‐date anti‐malware software

There are some 500,000 viruses, worms and Trojans circulating in the wild. Some of them are worse than others, and some are very nasty indeed. Spyware, adware and other 'free' programs are also part of the problem. Your Internet Service Provider (ISP) should have anti-virus software at its internet gateway, and this should catch the majority of virus traffic; it is not foolproof and you don't want to rely on it alone. You need to install anti-malware software on standalone computers and on each computer in a peer-to-peer network, and you need it even if you only use webmail. DON'T open email attachments (including .txt ones, and especially not anything with an .exe, .scr or .pif extension) from people you don't know or which you don't specifically recall asking to have sent to you. Be particularly careful of 'zipped' files, and of Office documents that ask you to enable macros. Don't close a window or website by pressing a button that says 'agree' or 'OK', as this may also download something to your computer; ALWAYS close it with the red 'x' in the top right-hand corner of the window.

6. Act anti‐spam

Spam is email that you don't want: it clogs your inbox trying to sell you all sorts of things you don't need. It is bulk email, sent by someone you don't know, and it may be commercial, political, fraudulent or simply malicious in nature. There is also bulk email that you DO want to receive and, because you want to receive it, it isn't spam. A spam filter is software that tries to sort the spam from the ham: to identify and block incoming spam but let through what you do want to receive. You want to ensure that any email that does reach your computer is sorted, with the stuff you want going into your inbox and the stuff you don't want going into your junk mail folder; Outlook has an inbuilt junk mail filter. Make sure that spammers can't get your email address: don't publish it on public web pages, and don't reply to or 'unsubscribe' from spam, which only confirms to the sender that the address is live.

7. Secure wireless networks

The explosive proliferation of laptops, smartphones, tablets and wireless networks has given individuals greater flexibility, enabled businesses to be more responsive, driven down their operational costs, and improved both productivity and competitiveness. Deploying a wireless network is quicker and substantially less expensive (or intrusive) than deploying traditional cabling. Of course, as wireless communication becomes an increasingly substantial part of the economic infrastructure, so it becomes an increasingly worthwhile target for hackers, virus writers and organised crime. Information assets (and information is an asset because it is valuable to you, and therefore to others) are at ever greater risk because more and more of the technology in which they are housed and communicated is vulnerable and insecure. The keys to wireless security are encryption and authentication, and a secure WLAN will have addressed both: use WPA2 or WPA3 with a strong passphrase (never WEP or an open network), change the router's default administrator password, and treat any wireless network you do not control as hostile.

8. Be sensible – don’t take unnecessary risks

Be alert, pay attention, be sensible. As we said at the beginning, the bad guys are just a mouse click away from you. You'll be fine, as long as you take sensible precautions. When you're surfing the web, pay attention: if a website asks you for personal information of any sort, be very careful about providing it; if you're offered a cool piece of software, be very wary about downloading it; when you do want to buy something, be sure that your vendor is genuine and likely to deliver what you think you're buying. Another basic rule of life also applies: 'if it looks as though it's too good to be true, it probably is'. Everything has a price, even if you can't see it right now; the real price might be the theft of your identity, followed by all your money.

9. Back it up

The worst thing that can happen to you is that you lose everything on your computer. This could be because of a major system crash, a major malware intrusion such as ransomware, a lost or stolen laptop, or some other disaster. You need to have copies of everything available so that you can recover. What's on your computer is, essentially, stored in two sorts of folders: program folders and information folders. Keep a list of any shareware/freeware or other programs (for instance firewall, anti-virus, etc.) that you have installed, together with website and purchase details, so that you can re-install them should you need to. If you do have important information on your computer, you have to make backup copies of the relevant folders. The simplest way is (for each user) to copy either the whole Documents folder or just those folders that you care about (you may not want to back up the Pictures folder, for instance) onto an external drive, a USB memory stick or a backup service. Two caveats: a backup that stays connected to the computer can be destroyed by the same ransomware that destroys the original, so disconnect it or keep a copy off-site; and a backup you have never restored from is not yet a backup, so test the restore periodically.
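The two caveats above, as an added example in Python (not Hicomply's code and not a product feature): make_backup copies a folder and records a SHA-256 manifest beside it, verify_backup detects a later change to any file in the copy, and restore proves the restored files match the manifest. The folder layout, file contents and manifest format used in demo() are constructed for the demonstration.

```python
"""Backup with an integrity manifest and a restore check.

Added example, not Hicomply's code. The folder layout, file contents and
manifest format are constructed for the demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def make_backup(source: Path, dest: Path) -> dict:
    """Copy the source tree to dest and write the manifest alongside it."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(source, dest)
    manifest = tree_manifest(dest)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_tree(root: Path, manifest: dict) -> list:
    """Report files that are missing or whose content no longer matches."""
    problems = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != digest:
            problems.append(f"modified: {rel}")
    return problems


def verify_backup(dest: Path) -> list:
    """Check the backup copy against the manifest stored with it."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    return verify_tree(dest, manifest)


def restore(dest: Path, target: Path) -> list:
    """Restore into target and prove the restored files match the manifest."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    for rel in manifest:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, out)
    return verify_tree(target, manifest)


def demo() -> tuple:
    """Back up a constructed folder, restore it, then tamper and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "documents"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("Q3 board report\n")
        (src / "notes.txt").write_text("password policy draft\n")

        backup = base / "backup"
        make_backup(src, backup)
        clean = verify_backup(backup)
        restored = restore(backup, base / "restored")
        # Simulate silent corruption (or ransomware) reaching the backup copy.
        (backup / "docs" / "report.txt").write_text("ENCRYPTED\n")
        tampered = verify_backup(backup)
    return clean, restored, tampered


if __name__ == "__main__":
    print(demo())
```

Keep a copy of the manifest somewhere the backup medium cannot reach (or sign it), otherwise whatever rewrote the files can rewrite the manifest to match; the restore-and-verify step is the one that turns a copy into a backup you can rely on.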

10. Fix problems as soon as they arise

From time to time, something may get past your defences. It might be a virus, worm or Trojan. It might be a hack attack. It might be spyware. Sort the problem out as soon as possible, otherwise it is likely to get worse. The first step is to disconnect your computer from the network (unplug the cable or turn off Wi-Fi) so that it can neither spread the infection nor keep talking to the attacker. The next step is to have your anti-virus software run a complete system and disk scan: close all your programs, run the scan, then wait for and act on the results. Report the incident to your manager or IT team at the same time, as the Golden Rules require, and do not wipe or reinstall the machine until they have said so, since the evidence of how it was compromised may be needed.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that required the creation of national standards to protect sensitive patient health information.
HIPAA itself is legislation rather than a security framework, but the administrative, physical and technical safeguards required by its Security Rule form a control set that broadly maps to ISO 27001 and to other standards such as PCI-DSS, NIST SP 800-53 and SOC 2.
Hicomply has the HIPAA requirements implemented in their entirety and has mapped the controls against the other leading standards supported in our multi-standard Information Security Management Platform.
Please get in touch if you would like to know more about maximising your ISMS investment by using the same policies, processes and business activities across multiple information security standards.

What is ISO 27001?

ISO 27001 is the international standard, recognised globally, for managing risks to the security of the information you hold. Certification to ISO 27001 allows you to prove to your clients and other stakeholders that you are managing the security of your information. ISO 27001:2013 (the edition referred to throughout this page) provides a set of standardised requirements for an Information Security Management System (ISMS). The standard adopts a process-based approach for establishing, implementing, operating, monitoring, maintaining and improving your ISMS.