From April 2022, banks active in the United Kingdom will be required to test the resilience of their operations to cyber threats, as stated by the Bank of England’s Prudential Regulation Authority (PRA).
The letter to CEOs, published on January 12th, outlines key priorities for international banks active in the United Kingdom, stating: “We expect firms to develop their security controls and capabilities to manage the increasing risk of cyber threats, as set out in Supervisory Statement (SS) 1/21. We encourage all firms, regardless of size, to test their resilience against such threats.”
By the end of March 2022, banks will need to have:
- Identified and mapped their important business services;
- Set impact tolerances for these;
- Initiated a programme of scenario testing.
So, how can ISO 27001 certification help?
The ISO 27001 certification process
ISO/IEC 27001:2013 provides a framework to help businesses from any industry, and from small operations to multinational corporations, protect their information. This is done by implementing an Information Security Management System (ISMS) and a related set of policies and procedures.
1. Identifying and mapping important business services: Asset register
The very nature of the ISO 27001 standard means that businesses seeking certification must identify and map their important business services, as stated in the PRA letter to CEOs. This forms the ISO 27001 asset register, and must include informational assets as well as physical – for example HR cabinets, offices and warehouses, removable media, application software and more.
2. Set impact tolerances: Risk assessment
Once the asset register is complete, the business attempting ISO 27001 certification must undertake thorough risk assessments for each asset. One way to approach this is to score the likelihood and impact of each risk that has been identified to generate an overall risk score, as seen on the matrix below:
3. Initiate a programme of scenario testing: Tasks, policies and procedures
The business will then need to set up actions to manage and reduce each risk, for example by applying security controls such as the management of users' access rights. Once controls are in place, each risk can be re-evaluated and given a new score.
Tasks should be assigned across the organisation where relevant, for example reading a clear desk policy so all staff are aware this is part of their obligation to protect sensitive information.
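The three steps above (asset register, likelihood/impact scoring, controls and re-scoring) can be worked through as a small risk register. The following is an added example written for this page, not Hicomply's software or any ISO 27001 template; it assumes a 5x5 likelihood/impact matrix with the rating bands and the tolerance threshold chosen here, and the assets, threats and controls are constructed sample data.

```python
from dataclasses import dataclass, field

# Likelihood and impact are each scored 1 (lowest) to 5 (highest); the product
# is the overall risk score. Band thresholds are an assumption for this example.
SCALE = range(1, 6)
BANDS = (
    (1, 4, "Low"),
    (5, 9, "Medium"),
    (10, 15, "High"),
    (16, 25, "Critical"),
)


def score(likelihood: int, impact: int) -> int:
    """Overall risk score = likelihood x impact, both validated to the 1..5 scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def band(risk_score: int) -> str:
    """Map a 1..25 score onto the matrix's rating band."""
    for low, high, label in BANDS:
        if low <= risk_score <= high:
            return label
    raise ValueError(f"score {risk_score} is outside the 1..25 matrix")


@dataclass
class Risk:
    """One row of the register: an asset, a threat to it, and its inherent scores."""
    asset: str
    threat: str
    likelihood: int
    impact: int
    # Each applied control records the re-scored likelihood and impact.
    controls: list = field(default_factory=list)

    @property
    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    @property
    def residual(self) -> int:
        """Score after the most recently applied control (inherent if none)."""
        if not self.controls:
            return self.inherent
        _, likelihood, impact = self.controls[-1]
        return score(likelihood, impact)

    def apply_control(self, name: str, likelihood: int, impact: int) -> int:
        """Record a control and the re-evaluated scores; a control may not raise the score."""
        new_score = score(likelihood, impact)
        if new_score > self.residual:
            raise ValueError(f"control '{name}' would increase the residual risk")
        self.controls.append((name, likelihood, impact))
        return new_score


def summarise(risks: list) -> list:
    """Register view sorted by inherent score, highest first."""
    rows = [
        {"asset": r.asset, "threat": r.threat, "inherent": r.inherent,
         "residual": r.residual, "rating": band(r.residual)}
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["inherent"], reverse=True)


def exceeding_tolerance(risks: list, max_residual: int) -> list:
    """Assets whose residual score is still above the agreed impact tolerance."""
    return [r.asset for r in risks if r.residual > max_residual]


def build_sample_register() -> list:
    """Constructed sample data covering an application, a physical asset and removable media."""
    payments = Risk("Payment application", "Unauthorised access via shared admin accounts", 4, 5)
    payments.apply_control("Role-based access control with named accounts", 2, 5)
    cabinet = Risk("HR filing cabinet", "Theft of personnel records from an unlocked office", 3, 4)
    cabinet.apply_control("Locked cabinet and clear desk policy", 1, 4)
    media = Risk("Removable media", "Loss of an unencrypted USB drive", 3, 3)
    return [payments, cabinet, media]


if __name__ == "__main__":
    register = build_sample_register()
    for row in summarise(register):
        print(f"{row['asset']:<22} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} {row['rating']}")
    print("Above tolerance (residual > 9):", exceeding_tolerance(register, 9))
```

The tolerance check is the link back to step 2: once the business has set an impact tolerance (here, nothing above a residual score of 9), the register shows which assets still need further controls or task assignments before the next review.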
How does this apply to the PRA letter to bank CEOs?
As outlined above, much of the ISO 27001 certification process applies directly to the requirements for banks operating in the UK set out by the PRA. ISO 27001 certified companies must also recertify annually, ensuring that their approach to information security is regularly considered and updated.
Hicomply’s software is designed to aid this process, providing businesses with the tools to:
- Develop the scope of their ISMS;
- Generate and manage an asset register;
- Automatically link and integrate risks and risk assessments to those assets;
- Automatically assign tasks to relevant owners or company-wide;
- Securely implement and manage policies;
- Prepare for an external audit.
This reduces the time and manual effort of becoming ISO 27001 certified significantly, and will allow banks to demonstrate the ongoing process of “developing dynamic, effective operational risk and control frameworks to manage the threat of operational disruptions” in line with PRA requirements.
How will the PRA requirements impact bank suppliers?
While banks themselves will be primarily responsible for ensuring risks from third-party suppliers are managed, the new requirements are also likely to impact how banks assess their partners and suppliers. In these instances, ISO 27001 can help suppliers to assure banks that operational risk – and the mitigation of risk – is taken seriously.