How to get ahead of compliance while being secure
One of the questions I have been asked most often by people I have met thanks to my previous post (here) has been: what gives the most ‘bang for buck’ if you are at the beginning of your journey to meet standards like ISO 27000 or the ISM, etc.?
I would like to start by defining ‘bang for buck’. This is something you can implement that gives the highest compliance AND security gain.
When you start out, before you worry about statements of applicability and so on, you should first think about the following:
1. Create a security committee. This committee should ALWAYS comprise technology professionals AND members of the ‘business’. It will deliberate on and approve all security matters, from policy to technology. This helps with transparency and keeps security decisions aligned with company strategy and direction.
2. Build a patching regime and standard that is auditable. This is the LARGEST single security control you can put in place: almost all breaches these days are either an exploit for which a patch has been available (for more than 6 months) or social engineering.
3. Create an ‘architecture on a page’ of the technology that supports your business outcomes, showing all the services on the public/private cloud. This will allow you to define the scope for any standard you comply with, and to build a map of the technology supporting individual customer outcomes.
Even if you are well along your journey to comply with international standards, if you don’t have these things you would be quite surprised how much they will decrease complexity and friction with your peers inside the business.
If you would like help on this journey, contact me for more details.
Founder & CEO at StickmanCyber & Stick | Cybersecurity & AI Innovator | Mentor | Meditator
Thanks for sharing Adam C. The journey of good security practices leads to compliance; unfortunately organisations focus more on finding short cuts to compliance and miss implementing good security practices.