Data Breach - Trusting Partners Has Become More Than A Human Matter

ISO/IEC 27001:2022 and BNC - Building Trust in the Digital Era 

Addressing the Constant Threat of Data Breaches through Common Standards 

In the rapidly evolving digital landscape, trust and security have become paramount concerns for businesses. In response to this challenge, ISO/IEC 27001:2022 and the BNC approach present a powerful solution to establish standardized information security practices and proficiently manage risks. Learn how this certification and its methodology aid businesses in fostering trust, persuading customers and partners, and solidifying their reputation as trustworthy stakeholders in the data-centric world.

Trust has always been central in human interactions and the foundation of reliability, such as in diplomacy. In business, trust also plays a key role, but with the rise in cyber-attacks, it's no longer enough. Today, technological and information security trust must be established, with clear contractual actions defined for adverse situations. However, ensuring a partner's capacity to meet these security levels can be challenging.

The impact of cyber-attacks on partnerships affects companies directly. Their ability to protect data depends on their business needs in customer, partner, or supplier relationships. This involves two key aspects: contractual obligations that define responsibilities, due diligence, and liabilities, and the company's security capabilities, which lay the groundwork for trust and align with relevant contractual commitments.

A crucial aspect of building trust in information security is the ability to communicate using the “same language” and thereby understand each other's strategy, commitment, and controls. Therefore, a robust solution may be found in a normalized, standardized framework, ideally recognized as a reference across various sectors. Thomas Viguier, Cyber Security Consultant at BNC explains:

"At BNC, we firmly believe in establishing trust in security posture through ISO/IEC 27001:2022, leveraging expertise from our professionals, and incorporating other frameworks like nDSG/nLPD or GDPR. This approach allows us to establish a common language at the top management level, addressing topics such as strategy, decision-making, prioritization, resource allocation, and process definition. As a result, we guide our clients towards a mature understanding of complex requirements related to regulatory and contractual obligations."

However, this is not the end of the story, as the central question highlights:

// How can we be certain that other parties, including ourselves, are trustworthy?

// Can partnerships be considered as meeting our security standards?

The assurance of having an engaged counterpart that will respect minimum criteria may be easily verifiable with an ISO/IEC 27001 certification. But what if the organization applies higher, stricter standards? How is it possible to ensure that such standards will be applied? 

In such cases, the standard comes into play with a set of specific measures in addition to 

• Company Awareness, Risk Management, Support and Commitment (Clause 4, 6, 7 and 8, and A.5.19, A.5.2) 
• Supply Chain Management, Audit and Review (A.5.21, A.5.20 and A.5.22) 
• Compliance (A.5.31) 
• Definition of Contractual Requirements (A.5.31 and A.5.34) 

• Definition of Information Security Measures for Projects (A.5.8)
  
  

As it can be noted, there are 2 different groups of measures: Clauses and Annex controls. Clauses form an integral part of the framework, defining the core of the ISMS (Information Security Management System) and laying the foundation for key principles, such as the risk-based approach through a risk management process. On the other hand, controls are designed to guide the organization in addressing specific topics. This two-step approach allows for the implementation of minimum information security controls that are tailored to the organization's unique context, reality, and requirements.

However, as the standard is open to interpretation and does not provide specific solutions, guidance and support in the implementation is required. 

"In this sense, BNC provides a methodology based on risk management, business requirements and financial relevance. Although some guidelines or principles are laid down in the standard, BNC assists with advice, analysis and perspective to build the tools and thus implement suitable and compliant solutions, such as information security strategy, organization of resources, incident response policy and processes, business continuity management policy and requirements, risk management criteria and requirements, among others", explains Thomas.

The Role of ISO/IEC 27001:2022 in Identifying Stakeholders and Ensuring Security Standards

The ISO/IEC 27001:2022 Clause 4.2 outlines the requirement for an organization to identify its "interested parties" and address related legal, regulatory, and contractual obligations. For example, if a SaaS provider seeks certification, they must view customers not only as a source of revenue but also as potential cyber-attack targets, demanding specific attention to prevent legal, financial, or regulatory fallout. Consequently, this leads to targeted information security actions in project development, contract management, and incident response. BNC plays a key role in identifying stakeholders and aligning management's visions with security practices. Furthermore, the standard prompts questions about trustworthiness and security standards, affirming its role in building trust through a third-party-approved risk management process, verified by independent audit and certification.

In summary, the two key fields highlighted by the benefits are awareness and an established maturity level. 

For organizations, especially small and medium enterprises (SMEs), this portrays trustworthiness and security. Awareness informs risk discussions, while maturity ensures effective implementation and monitoring of controls.

Adopting this approach enhances an SME's image of trust, signaling to stakeholders and potential partners that the organization is prepared to operate securely. Certification demonstrates business maturity and readiness for partnerships, establishing credibility as a reliable provider.

Thomas Viguier, Cyber Security Consultant at BNC sums up:

"In conclusion, the need for trust-building due to increased cyber-attacks has made ISO/IEC 27001:2022 vital. It's recognized for defining needs, promoting control, and enhancing security awareness.Though obtaining certification requires effort, it leads to increased reputation, collaboration with stakeholders, and offers organizations, especially SMEs, a chance to elevate their security and business performance.
Adopting ISO/IEC 27001:2022 represents a pathway toward success, trust, and growth in today's data-driven world."