How has ISO 27001 matched up to the remote working challenge?

Certified businesses will have been better equipped to cope with the new normal

The onset of lockdown sent workers scurrying home to set up precarious workstations in spare rooms, on dining tables and in children's bedrooms. This switch to remote working, which happened almost overnight, piled the pressure on IT teams and managers and presented them with a unique challenge - to maintain a semblance of normality and functionality without compromising information security.

With redirected phishing scams, hacking attempts, new virtual private networks (VPNs) and vulnerable video conferencing software, cyber security was pushed to the max for many businesses. But did ISO 27001, the international Standard for information security management, help businesses roll with the punches and keep their information secure?

The right remote working policies

Working from home throws up some very specific problems for information security. Equipment such as laptops needs to be removed from the secure office environment, servers have to be accessed remotely via a VPN, and there is an increased possibility of staff using less secure personal devices to access work information.

To govern and control these features of remote working, businesses need to have comprehensive remote working policies in place. However, many businesses found themselves ill-equipped and lacking the right documented processes when lockdown began. One survey by Centrify, for instance, revealed that 48 per cent of decision makers felt their cyber security policies were not fit for purpose for mass remote working.

ISO 27001-certified businesses are unlikely to fall into this category, as they will have already mapped out the physical security needs of work equipment, the access controls needed to protect confidential information and stipulations regarding the use of work devices over personal equipment. With these policies ratified and ready to go, all the company needed to do was re-issue them to staff and seek their acknowledgement.

QMS International consultant Wayne Thorpe saw first-hand how these pre-prepared policies smoothed the way to successful remote working.

"During lockdown, I worked with a number of clients who had ISO 27001 in place," he said. "It has been reassuring to see that the vast majority of these clients have been able to move seamlessly into remote working arrangements with the minimum of disruption to business. Thanks to ISO 27001, these businesses had policies in place covering remote working, access controls, and so on."

Risk awareness

A new working environment also means new risks. Remote working meant that more people than ever before would be relying on Wi-Fi, cloud services and VPNs to access work servers and do their job. Work teams also turned to video conferencing software, many for the first time, in order to stay in contact.

All of these changes presented additional risk to businesses. Home Wi-Fi doesn't offer the same protections as a network on business premises, and VPNs can open up new gaps for exploitation, including false requests to reset VPNs or instructions sent via fake corporate messaging systems. With a greater reliance on cloud platforms, businesses also needed to ensure that any third-party suppliers would be able to continue working and providing their essential service.

Video conferencing brought its own problems. For instance, before Zoom offered end-to-end encryption to all users, many businesses reported breaches which resulted in graphic imagery being shown during meetings.

Home workers also became the target of cyber criminals. According to data supplied by Darktrace to the Guardian, the proportion of attacks targeting home workers rose from 12 per cent of malicious email traffic before the start of lockdown in March to more than 60 per cent six weeks later.

ISO 27001 is all about managing risk, with every aspect of the Standard based on the individual business' risk profile. This enables a business to develop an appropriate plan for mitigating or removing relevant risks, which gave those with the Standard a distinct advantage when it came to tackling the new threats brought about by remote working. Organisations without the framework of ISO 27001 had to firefight the problem; those with ISO 27001 already had a plan.

To meet the requirements of ISO 27001, businesses must regularly identify potential threats and find solutions to minimise or remove them. This means they already had the expertise to analyse the risk of video conferencing, for example, and find the most secure solution.

The Standard also ensures that the risk of cyber-attack is identified and mitigated through its requirement for effective malware protection, putting businesses in a stronger position to tackle redirected hacking and phishing attacks in the wake of the coronavirus crisis. This helped to make businesses more resilient and better able to adapt safely to the new situation.

To stay on top of remote working risks, training also became a key component in lockdown survival. Cyber security training is another key requirement of ISO 27001, which again helped certified businesses to stay ahead and stay secure during the crisis.

A case of continuity

Even before policies, training and risk came into consideration, business continuity plans were put into action.

Every business certified to ISO 27001 must have a viable business continuity plan, enabling it to be proactive during disruption and maintain ‘business as usual’ in situations that are anything but.

Another key requirement of the Standard is a robust back-up protocol. This was vital to guard against data loss during the transition to remote working, and it also eased the transition back to office working.

Was ISO 27001 up to the challenge?

The international Standard for information security management gives businesses a robust structure to ensure that information is protected and handled correctly. Because it includes requirements to create a business continuity plan, policies to control remote working and processes for identifying and mitigating risk, it gave businesses a solid foundation from which they could confidently continue working during lockdown.

ISO 27001 is all about connectivity and functionality without compromising security. As a result, certified businesses were better equipped to cope with the unprecedented situation and keep their businesses going.

Anecdotally, we have found that ISO 27001 was clearly up to the challenge of lockdown, and it can continue to support businesses beyond it. To stay on top of cyber security in the new normal, businesses can use the guidance of the Standard to adapt permanently to a ‘hybrid’ way of working, make the big switch from physical servers to the cloud, and review their network infrastructure.

Claire Price is an executive at QMS International