Having access to reliable information is crucial for businesses and government entities. However, with the widespread use of technology in handling data, there are significant risks associated with information security that organisations must be aware of and address proactively. These risks can range from internal threats and human error to data breaches and cyber-attacks. New legislation such as the Data Protection Act of 2021 has introduced an interesting twist by mandating organizations and government bodies alike to protect personal information or any data that can identify an individual. This has accelerated the need for the implementation of stringent security measures to safeguard sensitive information owned by organisations. One way to enhance human information security within the organisation is by implementing people controls based on ISO 27001.
ISO 27001 is an internationally accepted standard for implementing a robust Information Security Management System (ISMS) that presents a comprehensive structure for efficiently managing information security. The standard acknowledges the vital role people play in either undermining or guaranteeing information security. Organisations can enhance their people security posture by adopting the ISO 27001 People Controls, which cover the entire employment lifecycle. Human Resource functions can adopt these processes and support the overall enterprise information security management system and strategy.
Implementing a comprehensive screening process is a crucial step in mitigating potential security risks and ensuring human resource security. Organisations must be vigilant against criminal groups seeking to infiltrate them by placing insiders with access to information and systems. By conducting thorough background checks, verifying references, and implementing structured vetting processes, insider risk can be reduced, and organisations can prevent individuals with questionable intentions from accessing sensitive information. Pre-employment and ongoing screening are key controls for evaluating the trustworthiness and integrity of prospective and current employees.
It is crucial for businesses to have well-defined terms and conditions of employment that include information security requirements. By incorporating information security responsibilities into employment contracts, companies establish clear expectations for employee behaviour regarding data protection and the security of information, which provides a strong foundation for the controls that follow. Additionally, organisations must develop and implement access control policies to regulate the access rights of individuals within the organisation. These policies should clearly define the roles and responsibilities of employees regarding information security and establish appropriate access levels based on job functions and requirements.
ISO 27001 places great importance on continuous education and training to equip employees with the expertise to safeguard sensitive information effectively. It is crucial to automate awareness training that educates employees about best practices in information security. To be effective, awareness and training should be role-based and should cover the key competencies each employee needs to make the right decision when faced with a challenge. Automating awareness keeps ongoing education initiatives in place, which fosters an environment where employees understand their roles and responsibilities in upholding information security standards.
An effective disciplinary process is an essential element of human security controls. ISO 27001 promotes the establishment of comprehensive guidelines for addressing security breaches and violations of information security policies. By consistently and fairly enforcing these policies, organizations can demonstrate their strong dedication to maintaining a secure environment. To further emphasize the significance of confidentiality, it is advisable for businesses to implement the practice of having employees sign confidentiality or non-disclosure agreements. These legally binding documents serve as a constant reminder to each employee about their responsibility in safeguarding sensitive information, even beyond their tenure with the organization. To ensure the proper management of access to information systems when employees leave the organization or change roles, it is important to promptly revoke their access rights and retrieve any company-owned assets they may have (such as laptops or access cards).
The increase in remote working has posed new information security challenges. The ISO 27001 People Controls encourage organisations to implement secure remote working policies and to equip employees with essential tools such as VPNs and secure communication channels, so that data remains protected outside the office environment. When incidents occur, the organisation should have a culture that encourages timely reporting of information security incidents regardless of their magnitude or type. Awareness training must proactively cover the processes and tools employees use to report security concerns, breaches, or suspicious activities promptly. Reported incidents must be properly investigated, and feedback given to key stakeholders and to the person who reported the incident.
When they start with the company, new hires should receive comprehensive welcome packets containing valuable information about the organisation's information security culture and values. The onboarding process should include guided tours of the office premises highlighting the physical security protocols, such as the clear desk policy and access to the office and restricted areas. The onboarding security training should preferably be completed within three working days and should outline all of the organisation's information security protocols. This training should preferably be instructor-led, whether delivered online or in person. Access provisioning should be streamlined so that access to systems is granted on a need-to-know basis and only after the mandatory security training has been completed; this is important to enshrine the information security culture of the organisation in every new hire's first days.
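The joiner and leaver controls described above (access revoked promptly on exit, new-hire access granted only after mandatory security training) can be checked by reconciling the HR roster against the identity directory. The following is an added example, not code from the article or from ISO 27001; the HR records, account export, field names and review date are all constructed for illustration.

```python
# Added example: joiner/mover/leaver reconciliation for two ISO 27001 people
# controls: revoke access promptly on exit, and provision new-hire access only
# after onboarding security training. All records below are constructed samples;
# in practice they would come from the HR system and the directory export.
from datetime import date

# Constructed HR roster: employee id -> status, training completion date, exit date
HR = {
    "e100": {"status": "active", "trained_on": date(2024, 3, 4), "exit": None},
    "e101": {"status": "active", "trained_on": None, "exit": None},
    "e102": {"status": "left", "trained_on": date(2023, 1, 9), "exit": date(2024, 3, 1)},
    "e103": {"status": "left", "trained_on": date(2023, 5, 2), "exit": date(2024, 2, 20)},
}

# Constructed directory export: one entry per account
ACCOUNTS = [
    {"user": "alice", "emp": "e100", "enabled": True, "provisioned": date(2024, 3, 5)},
    {"user": "bob", "emp": "e101", "enabled": True, "provisioned": date(2024, 3, 6)},
    {"user": "carol", "emp": "e102", "enabled": True, "provisioned": date(2023, 1, 10)},
    {"user": "dave", "emp": "e103", "enabled": False, "provisioned": date(2023, 5, 3)},
    {"user": "svc-old", "emp": "e999", "enabled": True, "provisioned": date(2022, 1, 1)},
]

TODAY = date(2024, 3, 8)  # constructed review date


def reconcile(hr, accounts, today, grace_days=1):
    """Return (user, finding) pairs for the access review queue."""
    findings = []
    for acct in accounts:
        rec = hr.get(acct["emp"])
        if rec is None:
            # No HR owner at all: an orphan account nobody is accountable for
            findings.append((acct["user"], "no matching HR record (orphan account)"))
            continue
        if rec["status"] == "left" and acct["enabled"]:
            overdue = (today - rec["exit"]).days > grace_days
            note = " (overdue)" if overdue else ""
            findings.append((acct["user"], "leaver still enabled" + note))
        if rec["trained_on"] is None and acct["enabled"]:
            findings.append((acct["user"], "enabled before onboarding security training"))
        elif rec["trained_on"] and acct["provisioned"] < rec["trained_on"]:
            findings.append((acct["user"], "provisioned before training completed"))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile(HR, ACCOUNTS, TODAY):
        print(f"{user}: {finding}")
```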
Implementing a strong information security culture within an organisation requires careful attention to several key factors and should be approached in stages. Schlienger and Teufel formulated a model for the management of information security culture by identifying four stages of implementation, namely management commitment, communication with the employees, courses for all members, and employee commitment. Martins and Eloff's study on information security culture in an organisation highlights the importance of addressing nine key issues: policies and procedures, risk analysis, benchmarking, trust, management support, change management, ethical conduct, budget, and awareness.
ISO 27001 people controls serve as a critical foundation for enhancing human security within an organization. By implementing these controls and integrating them into the onboarding process, businesses can significantly reduce the risk of data breaches and ensure a stronger defence against information security threats. ISO 27001, the international standard for information security management systems, can serve as a useful reference point when implementing and maintaining an information security culture within an organization. By adhering to the guidelines set forth in ISO 27001, organizations can establish robust processes and controls to protect their information assets.
1. Chidukwani, A., Zander, S. and Koutsakis, P. (2022) A Survey on the Cyber Security of Small-to-Medium Businesses: Challenges, Research Focus and Recommendations. Available at: https://scite.ai/reports/10.1109/access.2022.3197899.
2. Information security culture – da Veiga, N. Martins & J.H. Eloff A … (no date). Available at: https://www.studocu.com/en-us/document/the-university-of-texas-health-science-center-at-houston/organizational-and-management-theory/information-security-culture/55686228.
3. Information security culture – from analysis to change – Semantic Scholar (no date). Available at: https://www.semanticscholar.org/paper/Information-security-culture-from-analysis-to-Schlienger-Teufel/0ae6a37940971c1dd0b9e462ea0598aebc087cbb.
4. ISO/IEC 27001 Standard – Information Security Management Systems (no date). Available at: https://www.iso.org/standard/27001.
About the author
Andrew M. Kampolo – MBA | CISA | ISO 27001 Lead Implementer
Unlocking the future of cybersecurity and information risk with a proven track record, Andrew is your go-to expert in Cyber and Information Risk Management. With an arsenal of qualifications including an MBA in Management and a BSc. in Computer Science, Andrew's prowess is underpinned by a wealth of knowledge.
A Versatile Skill Set: As a Certified Information Systems Auditor (CISA), Certified COBIT 5 Assessor, ISO 27001 Senior Lead Implementer, PECB Accredited Trainer, and Certified Computer Hacking Forensic Investigator, Andrew’s skill set is a strategic blend of technical prowess and forward-thinking leadership.
Information Security Industry Pioneer: Andrew has left an indelible mark on the financial services and telecommunications sectors, reshaping the landscape of cyber and information security risk management. His hands-on guidance has empowered organizations to craft robust management systems, fortified by PCI DSS and ISO 27001 standards.
Inspiring Through Engagement: Not content with just personal success, Andrew channels his expertise through his affiliation with ISACA-Lusaka Chapter. A true thought leader, he actively contributes to the chapter’s growth, sharing insights as a speaker at high-profile events. Andrew’s commitment to community service is a testament to his dedication to the greater good.
From Theory to Action: Andrew doesn’t just preach cybersecurity; he lives it. His holistic approach marries theory and real-world implementation, ensuring that every strategy he devises is as effective in the field as it is on paper.