What does ISO 27001 mean in terms of cybersecurity?

Since no one asks today why cybersecurity is so important, let us start with what ISO 27001 is in this context and why we applied for certification:

ISO 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it aims to protect information through a systematic risk management process. To guide us through the ISO 27001 certification process, we reached out to BSI Group.

BSI Group has more than a century of history behind its services and pays close attention to detail in relation to ISO 27001 certification requirements. Its work in this field has been recognised on several occasions, including by the award of a British Royal Charter.

We mentioned this last year in an interview with Paweł Szmagaj, Leon's CTO: "ISO certification is an element that enforces a company's existence and adherence to procedures governing key security issues," Paweł said.

The ISO 27001 standard requires an organization to assess the risks to the confidentiality, integrity, and availability of its information. It also specifies a catalogue of controls (Annex A) for treating those risks, helping organizations protect assets such as financial data, intellectual property, and employee information. In practice, it helps us identify and organize the key issues that need to be addressed.

Security isn't about tools, it's about how we work

As you can read in our blog, there is no such thing as a "fully secure corporate system". As users and developers, we are exposed every day to new threats from cybercriminals using new tactics. In this environment, no tool on its own can provide complete protection, which is why cybersecurity today is less about tools and more about the way we work on a daily basis.

"We need to keep in mind security standards all the time," said Paweł Szmagaj. That is our philosophy. At Leon, we follow current security standards. We do not just implement secure solutions; we also test them, look for potential vulnerabilities, fix them, and verify recovery scenarios. We are working on all elements of Leon's Information Security Management System.

Core Components of an Effective ISMS

ISO 27001 is aimed at establishing and maintaining an ISMS (Information Security Management System). Annex A of the 2013 edition of the standard groups its controls into the following 14 areas:

  1. Information security policies: How policies are written and reviewed.
  2. Organization of information security: The governance structure of information security in the organization.
  3. Human resource security: Addressing security before, during, and after employment.
  4. Asset management: Identifying information assets and defining protection responsibilities.
  5. Access control: Restricting access to assets based on the need-to-know principle and ensuring users are authenticated.
  6. Cryptography: Protecting the confidentiality, authenticity, or integrity of information via encryption and related techniques.
  7. Physical and environmental security: Securing physical locations and environments where information is processed or stored.
  8. Operations security: Ensuring information processing is secure, including malware protection, backups, and logging.
  9. Communications security: Protecting information in networks.
  10. System acquisition, development, and maintenance: Ensuring information security is a key part of the organization's processes in acquiring and developing new systems.
  11. Supplier relationships: Addressing security in the supply chain and with external partners.
  12. Information security incident management: Anticipating and responding to information security breaches.
  13. Information security aspects of business continuity management: Ensuring the organization can continue to operate even if severe incidents occur.
  14. Compliance: Ensuring the organization meets its external legal, regulatory, and contractual obligations, as well as internal policies and standards.

Each of these areas consists of several specific controls and recommendations. In total, the 2013 edition lists 114 controls in these 14 areas (the 2022 revision restructures them into 93 controls under four themes: organizational, people, physical, and technological). Not every control applies to every organization. Organizations use a risk-based approach to decide which controls to implement, based on the specific threats and vulnerabilities they have identified, and record that decision in a Statement of Applicability.

How Leon helps clients improve cybersecurity

In today's world, where companies are constantly sharing data, cybersecurity is not just an issue for one company, but for the entire network of partners, suppliers, and customers. At Leon, we take this into account. Especially when it comes to the three elements of data protection: confidentiality, integrity, and availability.

For example, we are introducing solutions that ensure the secure flow of data through our many integrations with other aviation solution providers. This reduces the potential attack surface, helps control the flow of data, and ensures that only authorized people have access to it.

However, some attacks cannot be prevented, so you need to be prepared to recover data. At Leon, customer data is well protected: each data resource is held on the production server and in two additional backups, for redundancy. In the event of a failure or cyber-attack, our DevOps team can bring a second server up within 30 minutes.

It is also important for us to keep track of security incidents. Among other things, this helps us assess the likelihood of future incidents. Our priority is always that the customer is not left without access to key data, and we make sure of that.

Are we just perfect? Assessing Potential Risks

By adhering to strict ISO standards, we can readily meet the security expectations of our customers. But this does not mean that we can forget about risks.

One purpose of the audit is to identify nonconformities, which also point to potential risks. Nonconformities are graded on a defined scale, for example as major or minor, and each is assigned a level of compliance.

When determining the level of compliance for a particular nonconformity, it is important to consider: 

  • what consequences the nonconformity will have on the information security management system if it is not corrected, 
  • what the likelihood of those consequences is, 
  • how quickly and with what effort the nonconformity can be corrected.

Going through an audit on a regular basis helps detect and deal with nonconformities, starting with the potentially most dangerous ones. There's no such thing as a completely secure enterprise system, but keeping track of potential risks still helps prevent incidents.

Basics you should always keep in mind

In summary, it's worth remembering a few cybersecurity basics that we recommend. 

  1. Start with identity verification: make authentication robust, for example with multi-factor authentication. With the rise of mobile devices and remote working, it is important to strengthen defenses against vulnerabilities stemming from the variety of devices and networks in use.
  2. Adhere to the principle of least privilege, granting users only the permissions they need. This limits the potential points of a breach.
  3. Ensure that access to network devices is tightly controlled. Segregate WiFi networks, with separate networks for guests and employees, to further protect sensitive corporate data and resources.

We also recommend: Most popular cyber threats you can encounter.

Not yet a member of Leon community? Contact our Sales team to find out more or jump straight into the 30-day free trial.