
Data Breach - Trusting Partners Has Become More Than A Human Matter


ISO/IEC 27001:2022 and BNC - Building Trust in the Digital Era 

Addressing the Constant Threat of Data Breaches through Common Standards 

In the rapidly evolving digital landscape, trust and security have become paramount concerns for businesses. In response to this challenge, ISO/IEC 27001:2022 and the BNC approach present a powerful solution to establish standardized information security practices and proficiently manage risks. Learn how this certification and its methodology aid businesses in fostering trust, persuading customers and partners, and solidifying their reputation as trustworthy stakeholders in the data-centric world.

Trust has always been central to human interactions and the foundation of reliability, as in diplomacy. In business, trust also plays a key role, but with the rise in cyber-attacks, it is no longer enough on its own. Today, technological and information security trust must also be established, with clear contractual actions defined for adverse situations. However, verifying a partner's capacity to meet these security levels can be challenging.

The impact of cyber-attacks on partnerships affects companies directly. Their ability to protect data depends on their business needs in customer, partner, or supplier relationships. This involves two key aspects: contractual obligations that define responsibilities, due diligence, and liabilities; and the company's own security capabilities, which lay the groundwork for trust and must align with the relevant contractual commitments.
Challenges of Data Protection in Interconnected Partnerships

The integration of technology in our lives has made data central to everything, from business calls to operational systems, often used across different geographic areas. This raises legal and regulatory concerns about data ownership, protection, and processing, particularly as various entities, some connected by contract and others not, may access this data.

In a time of data monetization and theft, proper protection measures are essential. This includes handling data stored across various platforms like SaaS/IaaS/PaaS, where partnerships become a common theme. Such partnerships require trust and coordination, but critical questions arise:

 

  • Are partners informed about security?
  • Can they be relied upon for accurate assessments or reporting of breaches?
  • How can partnerships be evaluated and trusted to meet security standards?

 

These challenges underscore the need for vigilance in managing and protecting data in today's interconnected world.

 

A crucial aspect of building trust in information security is the ability to communicate using the "same language" and thereby understand each other's strategy, commitment, and controls. A robust solution may therefore be found in a normalized, standardized framework, ideally one recognized as a reference across various sectors. Thomas Viguier, Cyber Security Consultant at BNC, explains:

"At BNC, we firmly believe in establishing trust in security posture through ISO/IEC 27001:2022, leveraging expertise from our professionals, and incorporating other frameworks like nDSG/nLPD or GDPR. This approach allows us to establish a common language at the top management level, addressing topics such as strategy, decision-making, prioritization, resource allocation, and process definition. As a result, we guide our clients towards a mature understanding of complex requirements related to regulatory and contractual obligations."

 

However, this is not the end of the story, as the central question highlights:

  • How can we be certain that other parties, including ourselves, are trustworthy?
  • Can partnerships be considered as meeting our security standards?

 

The assurance of having an engaged counterpart that will respect minimum criteria is easily verifiable with an ISO/IEC 27001 certification. But what if the organization applies higher, stricter standards? How can it be ensured that such standards will be applied?

In such cases, the standard comes into play with a set of specific measures in addition to:

  • Company Awareness, Risk Management, Support and Commitment (Clauses 4, 6, 7 and 8, and A.5.19, A.5.2)
  • Supply Chain Management, Audit and Review (A.5.21, A.5.20 and A.5.22)
  • Compliance (A.5.31)
  • Definition of Contractual Requirements (A.5.31 and A.5.34)
  • Definition of Information Security Measures for Projects (A.5.8)

As can be noted, there are two different groups of measures: Clauses and Annex A controls. Clauses form an integral part of the framework, defining the core of the ISMS (Information Security Management System) and laying the foundation for key principles, such as the risk-based approach implemented through a risk management process. Controls, on the other hand, are designed to guide the organization in addressing specific topics. This two-step approach allows for the implementation of minimum information security controls that are tailored to the organization's unique context, reality, and requirements.

 

However, as the standard is open to interpretation and does not prescribe specific solutions, guidance and support during implementation are required.

"In this sense, BNC provides a methodology based on risk management, business requirements and financial relevance. Although some guidelines or principles are laid down in the standard, BNC assists with advice, analysis and perspective to build the tools and thus implement suitable and compliant solutions, such as information security strategy, organization of resources, incident response policy and processes, business continuity management policy and requirements, risk management criteria and requirements, among others", explains Thomas.

 

The Role of ISO/IEC 27001:2022 in Identifying Stakeholders and Ensuring Security Standards

Clause 4.2 of ISO/IEC 27001:2022 requires an organization to identify its "interested parties" and address the related legal, regulatory, and contractual obligations. For example, if a SaaS provider seeks certification, it must view customers not only as a source of revenue but also as potential cyber-attack targets, demanding specific attention to prevent legal, financial, or regulatory fallout. This leads to targeted information security actions in project development, contract management, and incident response. BNC plays a key role in identifying stakeholders and aligning management's vision with security practices. Furthermore, the standard prompts questions about trustworthiness and security standards, affirming its role in building trust through a risk management process that is verified by independent audit and certification.

 
Building Trust and Security in Interconnected Partnerships: Leveraging ISO/IEC 27001:2022 Certification

The solution to trust-building leverages evidence gathering, risk management, and strategic alignment. Using BNC's approach with ISO/IEC 27001:2022 offers a distinct benefit: the certification attests to the organization's quality and adherence to robust information security standards. This not only validates the strategies adopted but also enhances reputation.

Moreover, even if there are uncertainties regarding security aspects, having both parties ISO/IEC 27001 certified ensures a serious approach to information security, with adherence to common methodology.

By employing BNC's methodology with ISO/IEC 27001:2022, the organization garners benefits that extend beyond being recognized as a secure partner. These advantages include:

  • Enhanced and credible information security maturity
  • Identification of clear risks linked to the organization, its operations and its products
  • Further development of existing capabilities, both technical and organizational
  • Development of new capabilities
  • Compliance with the relevant regulatory, legal and contractual requirements
  • Enhanced visibility over the organization's information security aspects as well as its components (e.g., assets, processes, policies, technical measures, traffic control, IAM, BCM, etc.)
  • An improvement process within the organization towards higher information security standards

 

In summary, the two key fields highlighted by these benefits are awareness and an established maturity level.

For organizations, especially small and medium enterprises (SMEs), this portrays trustworthiness and security. Awareness informs risk discussions, while maturity ensures effective implementation and monitoring of controls.

Adopting this approach enhances an SME's image of trust, signaling to stakeholders and potential partners that the organization is prepared to operate securely. Certification demonstrates business maturity and readiness for partnerships, establishing credibility as a reliable provider.

Thomas Viguier, Cyber Security Consultant at BNC, sums up:

"In conclusion, the need for trust-building due to increased cyber-attacks has made ISO/IEC 27001:2022 vital. It's recognized for defining needs, promoting control, and enhancing security awareness. Though obtaining certification requires effort, it leads to increased reputation, collaboration with stakeholders, and offers organizations, especially SMEs, a chance to elevate their security and business performance.
Adopting ISO/IEC 27001:2022 represents a pathway toward success, trust, and growth in today's data-driven world."

 
