4 min read
Thomas Viguier : Aug 3, 2023 4:02:59 PM
In the rapidly evolving digital landscape, trust and security have become paramount concerns for businesses. In response to this challenge, ISO/IEC 27001:2022 and the BNC approach present a powerful solution to establish standardized information security practices and proficiently manage risks. Learn how this certification and its methodology aid businesses in fostering trust, persuading customers and partners, and solidifying their reputation as trustworthy stakeholders in the data-centric world.
Trust has always been central in human interactions and the foundation of reliability, such as in diplomacy. In business, trust also plays a key role, but with the rise in cyber-attacks, it's no longer enough. Today, technological and information security trust must be established, with clear contractual actions defined for adverse situations. However, ensuring a partner's capacity to meet these security levels can be challenging.
The impact of cyber-attacks on partnerships affects companies directly. Their ability to protect data depends on their business needs in customer, partner, or supplier relationships. This involves two key aspects: contractual obligations that define responsibilities, due diligence, and liabilities, and the company's security capabilities, which lay the groundwork for trust and align with relevant contractual commitments.
The integration of technology in our lives has made data central to everything, from business calls to operational systems, often used across different geographic areas. This raises legal and regulatory concerns about data ownership, protection, and processing, particularly as various entities, some connected by contract and others not, may access this data.
In a time of data monetization and theft, proper protection measures are essential. This includes handling data stored across various platforms like SaaS/IaaS/PaaS, where partnerships become a common theme. Such partnerships require trust and coordination, but critical questions arise:
These challenges underscore the need for vigilance in managing and protecting data in today's interconnected world.
A crucial aspect of building trust in information security is the ability to communicate in the “same language” and thereby understand each other's strategy, commitment, and controls. A robust solution may therefore be found in a normalized, standardized framework, ideally one recognized as a reference across various sectors. Thomas Viguier, Cyber Security Consultant at BNC, explains:
"At BNC, we firmly believe in establishing trust in security posture through ISO/IEC 27001:2022, leveraging expertise from our professionals, and incorporating other frameworks like nDSG/nLPD or GDPR. This approach allows us to establish a common language at the top management level, addressing topics such as strategy, decision-making, prioritization, resource allocation, and process definition. As a result, we guide our clients towards a mature understanding of complex requirements related to regulatory and contractual obligations."
However, this is not the end of the story, as the central question highlights:
The assurance of having an engaged counterpart that will respect minimum criteria may be easily verifiable with an ISO/IEC 27001 certification. But what if the organization applies higher, stricter standards? How is it possible to ensure that such standards will be applied?
In such cases, the standard comes into play with a set of specific measures in addition to
As can be noted, there are two different groups of measures: Clauses and Annex controls. Clauses form an integral part of the framework, defining the core of the ISMS (Information Security Management System) and laying the foundation for key principles, such as the risk-based approach through a risk management process. Controls, on the other hand, are designed to guide the organization in addressing specific topics. This two-step approach allows for the implementation of minimum information security controls that are tailored to the organization's unique context, reality, and requirements.
However, as the standard is open to interpretation and does not prescribe specific solutions, guidance and support during implementation are required.
"In this sense, BNC provides a methodology based on risk management, business requirements and financial relevance. Although some guidelines or principles are laid down in the standard, BNC assists with advice, analysis and perspective to build the tools and thus implement suitable and compliant solutions, such as information security strategy, organization of resources, incident response policy and processes, business continuity management policy and requirements, risk management criteria and requirements, among others", explains Thomas.
ISO/IEC 27001:2022 Clause 4.2 requires an organization to identify its "interested parties" and address the related legal, regulatory, and contractual obligations. For example, if a SaaS provider seeks certification, it must view its customers not only as a source of revenue but also as potential cyber-attack targets, demanding specific attention to prevent legal, financial, or regulatory fallout. Consequently, this leads to targeted information security actions in project development, contract management, and incident response. BNC plays a key role in identifying stakeholders and aligning management's vision with security practices. Furthermore, the standard prompts questions about trustworthiness and security standards, affirming its role in building trust through a third-party-approved risk management process, verified by independent audit and certification.
The solution to trust-building leverages evidence gathering, risk management, and key strategic alignment. Using BNC's approach with ISO/IEC 27001:2022 offers a unique benefit: the certification attests to the organization's quality and adherence to robust information security standards. This not only validates the strategies but enhances reputation.
Moreover, even if there are uncertainties regarding security aspects, having both parties ISO/IEC 27001 certified ensures a serious approach to information security, with adherence to common methodology.
By employing BNC's methodology with ISO/IEC 27001:2022, the organization garners benefits that extend beyond being recognized as a secure partner. These advantages include:
In summary, the two key fields highlighted by the benefits are awareness and an established maturity level.
For organizations, especially small and medium enterprises (SMEs), this portrays trustworthiness and security. Awareness informs risk discussions, while maturity ensures effective implementation and monitoring of controls.
Adopting this approach enhances an SME's image of trust, signaling to stakeholders and potential partners that the organization is prepared to operate securely. Certification demonstrates business maturity and readiness for partnerships, establishing credibility as a reliable provider.
Thomas Viguier, Cyber Security Consultant at BNC, sums up:
"In conclusion, the need for trust-building due to increased cyber-attacks has made ISO/IEC 27001:2022 vital. It's recognized for defining needs, promoting control, and enhancing security awareness. Though obtaining certification requires effort, it leads to increased reputation, collaboration with stakeholders, and offers organizations, especially SMEs, a chance to elevate their security and business performance.
Adopting ISO/IEC 27001:2022 represents a pathway toward success, trust, and growth in today's data-driven world."