In the modern digital landscape, information security has never been more critical. This book introduces readers to the essential components of IT governance, focusing on frameworks like ISO 27001 and strategies for managing risks in today's complex information economy. The content explores key topics like cybersecurity, risk management, information security policies, and compliance with international standards.
As you progress, you’ll learn to navigate the challenges of organizing and maintaining a secure IT environment, with insights into compliance regulations, security frameworks, and governance codes. The book provides hands-on guidance on applying security controls, setting up robust information security policies, and evaluating risks. Real-world scenarios and practical applications ensure the knowledge gained is immediately applicable to professional environments.
The journey culminates in an understanding of how to integrate IT governance within an organization. You’ll learn to assess vulnerabilities, implement risk management strategies, and ensure that security measures align with both business goals and regulatory requirements. The book equips readers with the tools needed to strengthen IT systems against evolving threats and to stay ahead in the information security landscape.
Page count: 677
Year of publication: 2025
IT Governance
An international guide to data security and ISO 27001/ISO 27002
Eighth edition
ALAN CALDER AND STEVE WATKINS
Every possible effort has been made to ensure that the information in this book is accurate at the time of going to press, and the publishers and the authors cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the authors, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader’s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the authors.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers at the following address:
IT Governance Publishing Ltd
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely, Cambridgeshire
CB7 4EA
United Kingdom
www.itgovernancepublishing.co.uk
© Alan Calder and Steve Watkins 2002, 2003, 2005, 2008, 2012, 2015, 2020, 2024.
The authors have asserted their rights under the Copyright, Designs and Patents Act, 1988, to be identified as the authors of this work.
Editions one, two, three, four, five, six and seven published by Kogan Page.
This edition published in the United Kingdom in 2024 by IT Governance Publishing.
ISBN 978-1-78778-410-9
Cover image originally sourced from Shutterstock®.
Alan Calder
Alan Calder founded IT Governance Ltd in 2002 and began working full time for the company in 2007. He is now Group CEO of GRC International Group PLC, the AIM-listed company that owns IT Governance Ltd. Before this, Alan had a number of roles including CEO of Business Link London City Partners (a government agency focused on helping growing businesses to develop) from 1995 to 1998, CEO of Focus Central London (a training and enterprise council) from 1998 to 2001, and CEO of Wide Learning (a supplier of elearning) from 2001 to 2003 and the Outsourced Training Company (2005). He was also chairman of CEME (a public–private-sector skills partnership) from 2006 to 2011.
Alan is an acknowledged international cybersecurity guru and a leading author on information security and IT governance issues. He has been involved in the development of a wide range of information security management training courses that have been accredited by the International Board for IT Governance Qualifications (IBITGQ). Alan has consulted for clients in the UK and abroad, and is a regular media commentator and speaker.
Steve Watkins
Steve is a Director of Kinsnall Consulting Ltd (https://kinsnall.com), providing strategic and tactical advice and training on cybersecurity, information security, and privacy standards and certification schemes.
He is a contracted technical assessor for UKAS, conducting assessments of certification bodies offering ISO 27001, ISO 27701 and ISO 20000-1 accredited certification. He also undertakes information security assessments of forensic science laboratories seeking accreditation to the Forensic Science Regulator’s codes of practice and conduct.
He is a member of ISO/IEC JTC 1/SC 27, the international technical committee responsible for information security, cybersecurity and privacy protection standards, where he is a co-editor of ISO/IEC 27006-1. He chairs IST 33, the UK National Standards Body’s technical committee that mirrors SC 27, and is a member of the European Commission’s Stakeholder Cybersecurity Certification Group (SCCG).
Steve first started working with information security management system (ISMS) standards in 1997. He has since supported a wide range of training and consultancy clients working with ISO 27001, including globally recognized brands, public-sector organisations and a wide selection of SMEs. He was a director of IT Governance Limited from 2008 and on the board of GRC International Group PLC through to May 2021.
About the Authors
Introduction
The information economy
What is IT governance?
Information security
Chapter 1: Why is information security necessary?
The nature of information security threats
Information insecurity
Impacts of information security threats
Cyber crime
Cyber war
Advanced persistent threat
Future risks
Legislation
Benefits of an information security management system
Chapter 2: The corporate governance code, the FRC guidance on risk management, and Sarbanes–Oxley
The Combined Code
The Turnbull Report
The Corporate Governance Code
Sarbanes–Oxley
Enterprise risk management
Regulatory compliance
IT governance
Chapter 3: ISO 27001
Benefits of certification
The history of ISO 27001 and ISO 27002
The ISO/IEC 27000 series of standards
Use of the Standard
ISO/IEC 27002
Continual improvement, Plan–Do–Check–Act, and process approach
Structured approach to implementation
Management system integration
Documentation
Continual improvement and metrics
Chapter 4: Organizing information security
Internal organization
Management review
The information security manager
The cross-functional management forum
The ISO 27001 project group
Specialist information security advice
Segregation of duties
Contact with authorities
Contact with special interest groups
Information security in project management
Independent review of information security
Summary
Chapter 5: Information security policy and scope
Context of the organization
Information security policy
A policy statement
Costs and the monitoring of progress
Chapter 6: The risk assessment and Statement of Applicability
Establishing security requirements
Risks, impacts, and risk management
Threat intelligence
Cyber Essentials
Selection of controls and Statement of Applicability
Statement of Applicability example
Gap analysis
Risk assessment tools
Risk treatment plan
Measures of effectiveness
Chapter 7: Mobile and remote working
Mobile devices and remote working
Remote working
Chapter 8: Human resources security
Job descriptions and competency requirements
Screening
Terms and conditions of employment
During employment
Disciplinary process
Termination or change of employment
Chapter 9: Asset management
Asset owners
Inventory of information assets
Acceptable use of information and other assets
Classification of information
Unified classification markings
Government classification markings
Information lifecycle
Labeling of information
Non-disclosure agreements and trusted partners
Chapter 10: Exchanges of information
Information transfer policies and procedures
Agreements on information transfers
Management of removable media
Email and social media
Security risks in email
Spam
Misuse of the Internet and web filtering
Internet acceptable use policy
Social media
Chapter 11: Access control
Hackers
Hacker techniques
Access control
Chapter 12: User access management
Identity management
Access rights
Password management system
Chapter 13: Supplier relationships
Information security policy for supplier relationships
Addressing security within supplier agreements
Managing information security in the ICT supply chain
Monitoring, review, and change management of supplier services
Managing changes to supplier services
Information security for Cloud services
Chapter 14: Physical and environmental security
Physical security perimeters
Delivery and loading areas
Physical security monitoring
Protecting against external and environmental threats
Chapter 15: Equipment security
Equipment siting and protection
Supporting utilities
Cabling security
Equipment maintenance
Security of equipment and assets off-premises
Secure disposal or reuse of equipment
Unattended user equipment
Clear desk and clear screen policy
Chapter 16: System and application access control
Information access restriction
Dynamic access control
Access control to source code
Secure authentication
Use of privileged utility programs
Installation of software on operational systems
Chapter 17: Cryptography
Encryption
Public key infrastructure
Digital signatures
Non-repudiation services
Key management
Chapter 18: Operations security
Documented operating procedures
Change management
Separation of development, testing and operational environments
Information backup
Chapter 19: Controls against malicious software (malware)
Viruses, worms, Trojans, and rootkits
Spyware
Anti-malware software
Hoax messages and ransomware
Phishing and pharming
Anti-malware controls
Airborne viruses
Technical vulnerability management
System configuration
Information deletion
Data masking
Data leakage prevention
Chapter 20: Networks security
Network security management
Networks security
Access to networks and network services
Chapter 21: System acquisition, development, and maintenance
Security requirements analysis and specification
Application security requirements
E-commerce issues
Security technologies
Chapter 22: Development and support processes
Secure development policy
Secure systems architecture and engineering principles
Secure coding
Secure development environment
Security testing in development and acceptance
Chapter 23: Monitoring and information security incident management
Logging and monitoring
Information security events and incidents
Incident management – responsibilities and procedures
Reporting information security events
Reporting software malfunctions
Assessment of and decision on information security events
Response to information security incidents
Legal admissibility
Chapter 24: Business and information security continuity management
ISO 22301
The business continuity management process
Business continuity and risk assessment
Developing and implementing continuity plans
Business continuity planning framework
Testing, maintaining, and reassessing business continuity plans
Information security continuity
Chapter 25: Compliance
Identification of applicable legislation
Regulation of cryptographic controls
Intellectual property rights
Protection of organizational records
Privacy and protection of personally identifiable information
Compliance with security policies and standards
Chapter 26: The ISO 27001 audit
Selection of auditors
Initial audit
Preparation for audit
Terminology
Information systems audit considerations
Appendix 1: Useful websites
Appendix 2: Further reading
Index
This book on IT governance is a key resource for forward-looking executives and managers in 21st-century organizations of all sizes. There are six reasons for this:
1. The development of IT governance, which recognizes the ‘information economy’-driven convergence between business management and IT management, makes it essential for executives and managers at all levels in organizations of all sizes to understand how decisions about IT in the organization should be made and monitored and, in particular, how information security risks are best dealt with.
2. Risk management is a big issue. In the UK, the FRC’s Risk Guidance (formerly the Turnbull Guidance on internal control) gives directors of Stock Exchange-listed companies a clear responsibility to act on IT governance, on the effective management of risk in IT projects, and on computer security. The US Sarbanes–Oxley Act – and more recent SEC regulations – places a similar expectation on directors of all US listed companies. Banks and financial-sector organizations are subject to the requirements of the Bank for International Settlements (BIS) and the Basel 3.1 frameworks, particularly around operational risk – which absolutely includes information and IT risk. Information security and the challenge of delivering IT projects on time, to specification, and to budget also affect private- and public-sector organizations throughout the world.
3. Particularly post-GDPR, information-related legislation and regulation are increasingly important to all organizations. Data protection, privacy and breach regulations, cyber resilience, computer misuse, and regulations around investigatory powers are part of a complex and often competing range of requirements to which directors must respond. There is, increasingly, the need for an overarching information security framework that can provide context and coherence to compliance activity worldwide.
4. As the intellectual capital value of ‘information economy’ organizations increases, their commercial viability and profitability – as well as their stock price – increasingly depend on the security, confidentiality, and integrity of their information and information assets.
5. The dramatic growth and scale of the information economy have created new, global threats and vulnerabilities for all organizations, particularly in cyberspace.
6. The world’s first, and only, globally accepted standard for information security management systems is at the heart of a recognized framework for information security and assurance. As part of the ISO/IEC 27000 series of standards, the key standard, ISO/IEC 27001, has been updated to contain the latest international best practice, with which organizations increasingly ask their suppliers to conform and on which regulatory or licensing conditions rely. Compliance with the Standard should enable company directors to demonstrate a proper response – to customers as well as to regulatory and judicial authorities – to all the challenges identified above.
Faced with the emergence and speed of growth in the information economy, organizations have an urgent need to adopt IT governance best practice. The main drivers of the information economy are:
• The ongoing globalization of markets, products, and resourcing (including ‘offshoring’ and ‘nearshoring’)
• Electronic information and knowledge intensity
• End-user device proliferation and the migration to the Cloud
• The geometric increase in the level of electronic networking and connectivity
The key characteristics of the global information economy, which affect all organizations, are as follows:
• Unlike in the industrial economy, information and knowledge are not depleting resources that have to be rationed and protected
• Protecting knowledge is less obviously beneficial than previously: sharing knowledge drives innovation, and innovation drives competitiveness
• The effect of geographic location is diminished; virtual and Cloud-based organizations operate around the clock in virtual marketplaces that have no geographic boundaries
• As knowledge shifts to low-tax, low-regulation environments, laws and taxes are increasingly difficult to apply on a solely national basis
• Knowledge-enhanced products command price premiums
• Captured, indexed, and accessible knowledge has greater intrinsic value than knowledge that goes home at the end of every day
• Intellectual capital is an increasingly significant part of stockholder value in every organization
The challenges, demands, and risks faced by organizations operating in this information-rich and technologically intensive environment require a proper response. In the corporate governance climate of the early 21st century, with its demand for stockholder rights, corporate transparency, and board accountability, this response must be a governance one.
The Organisation for Economic Co-operation and Development (OECD), in its Principles of Corporate Governance (1999), first formally defined ‘corporate governance’ as “the system by which business corporations are directed and controlled.” Every country in the OECD is evolving – at a different speed – its own corporate governance regime, reflecting its own culture and requirements. Within its overall approach to corporate governance, every organization has to determine how it will govern the information, information assets, and IT on which its business model and business strategy rely. This need has led to the emergence of IT governance as a specific – and pervasively important – component of an organization’s total governance posture.
We define IT governance as “the framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensures that the organization’s information systems support and enable the achievement of its strategies and objectives.”
There are five specific drivers for organizations to adopt IT governance strategies:
1. The requirements (in the UK) of the Corporate Governance Code and the Risk Guidance; for US-listed companies, Sarbanes–Oxley and more recent SEC regulations; for banks and financial institutions, Basel 3.1, and, in the EU, DORA; and for businesses everywhere, the requirements of their national corporate governance regimes.
2. The increasing intellectual capital value that the organization has at risk.
3. The need to align technology projects with strategic organizational goals and to ensure that they deliver planned value.
4. The proliferation of (increasingly complex) threats to information and information security, particularly in cyberspace, with consequent potential impacts on corporate reputation, revenue, and profitability.
5. The increase in the compliance requirements of (increasingly conflicting and punitive) information- and privacy-related regulation, particularly the EU GDPR and regulations around the world that are inspired by it.
There are two fundamental components of effective management of risk in information and IT. The first relates to an organization’s strategic deployment of IT to achieve its business goals. IT projects often represent significant investments of financial and managerial resources. Stockholders’ interest in the effectiveness of such deployment should be reflected in the transparency with which they are planned, managed, and measured, and the way risks are assessed and controlled. The second component is the way the risks associated with information assets themselves are managed.
Clearly, well-managed IT is a business enabler. All directors, executives, and managers, at every level in any organization of any size, need to understand how to ensure that their investments in information and IT enable the business. Every deployment of IT brings with it immediate risks to the organization, and therefore every director or executive who deploys, or manager who uses, IT needs to understand these risks and the steps that should be taken to counter them. This book deals with IT governance from the perspective of the director or business manager, rather than from that of the IT specialist. It also deals primarily with the strategic and operational aspects of information security.
Cyber threats now have existential implications for organizations. Today’s information risk environment has four characteristics driving boards and senior managements to prioritize their strategies for managing information risk:
• An expanding attack surface, driven by the migration to the Cloud, the proliferation of end-user devices, and hybrid working
• A crowded threat horizon, in which increasingly complex global threats, from deep fakes and AI to technologically sophisticated cyber crime and nation-state activities, make daily headlines
• Increasingly punitive compliance requirements that mandate boards and senior managements to apply a governance, risk management, and compliance (GRC) strategy to the discharge of their information security obligations
• A flood of detailed, overlapping, competing, and enforced computer- and privacy-related regulation around the world, made more complex by demands around data sovereignty
It has become clear that hardware-, software-, and/or vendor-driven solutions to individual information security challenges are, on their own, dangerously inadequate.
While most organizations believe that their information systems are secure, the reality that they are not is brutally exposed every day. Not only is it extremely difficult for an organization to operate in today’s world without effective information security but also poorly secured organizations have become risks to their more responsible customers and partners. The extent and value of electronic data are continuing to grow exponentially. The exposure of organizations and people to data misappropriation (particularly in the digital environment) or destruction is also increasing very quickly. Ultimately, consumer confidence in dealing across the web depends on how secure consumers believe their personal data is. Cybersecurity, for this reason, matters to any organization with any form of web strategy (and any organization without a web strategy is unlikely to be around in the long term), from simple business-to-consumer (B2C) or business-to-business (B2B) e-commerce propositions through enterprise resource planning (ERP) systems to the use of email, social media, mobile devices, Cloud applications, and web services. It matters, too, to any organization that depends on digital devices for its day-to-day existence or that may be subject (as are all organizations) to the provisions of data protection legislation.
Newspapers and business or sector magazines are full of stories about nation state cyber activity, criminal hackers, viruses, online fraud, cyber crime, and loss of personal data. These are just the public tip of the data insecurity iceberg. There is widespread evidence of substantial financial losses among inadequately secured organizations and instances where organizations have failed to survive a major disruption to their data and operating systems. All organizations now suffer low-level, daily disruption to normal operations as a result of inadequate security.
Many people also experience the frustration of trying to buy something online, only for the screen to give some variant of the message ‘server not available.’ Many more, working digitally in their daily lives, have experienced, once too many times, a local connectivity failure or disruption to their work. Digitization and device pervasiveness (including the Internet of Things) mean that the opportunity for data and data systems to be compromised or corrupted (knowingly or otherwise) continues to increase.
Information security management systems (ISMSs) in the vast majority of organizations are, in real terms, non-existent, and even where systems have been designed and implemented, they are usually inadequate. In simple terms, larger organizations tend to operate their security functions in vertically segregated silos with little or no coordination. This structural weakness means that most organizations have significant vulnerabilities that can be exploited deliberately or that simply open them up to disaster.
For instance, while the corporate lawyers will tackle all the legal issues (non-disclosure agreements, patents, contracts, etc.), they will have little involvement with the data security issues faced on the organizational perimeter. On the organizational perimeter, those dealing with physical security concentrate almost exclusively on physical assets, such as gates or doors, security guards, and burglar alarms. They have little appreciation of, or impact on, the ‘cyber’ perimeter. The IT managers, responsible for the cyber perimeter, may be good at ensuring that everyone has a strong password and that there is Internet connectivity, that the organization is able to respond to malware threats, and that key partners, customers, and suppliers are able to deal digitally with the organization, but they almost universally lack the training, experience, or exposure to address the strategic threat to the information assets of the organization as a whole. There are many organizations in which the IT managers subjectively set and implement a security policy for the organization on the basis of their own risk assessment, past experiences, and interests, but with little regard for the real business needs or strategic objectives of the organization.
Information security is a complex issue that deals with the confidentiality, integrity, and availability of data. IT governance is even more complex, and in information security terms one must think in terms of the whole enterprise, the entire organization, which includes all the possible combinations of physical and cyber assets, all the possible combinations of intranets, extranets, and Internets, and which might include an extended network of business partners, vendors, customers, and others. This handbook guides the interested manager through this maze of issues, through the process of implementing internationally recognized best practice in information security, as captured in ISO/IEC 27002:2022, and, finally, achieving certification to ISO/IEC 27001:2022, the world’s formal, public, international standard for effective information security management.
The ISMS standard is not geographically limited (e.g. to the UK, Japan, or the US), nor is it restricted to a specific sector (e.g. the Department of Defense or the software industry) or a specific product (such as an ERP system, or Software as a Service). This book covers many aspects of data security, providing sufficient information for the reader to understand the major data security issues and what to do about them – and, above all, what steps and systems are necessary to achieve independent certification of the organization’s ISMS to ISO 27001.
This book is of particular benefit to board members, directors, executives, owners, and managers of any organization that depends on information, that uses computers on a regular basis, that is responsible for personal data, or that has an Internet aspect to its strategy. It can equally apply to any organization that relies on the confidentiality, integrity, and availability of its data. It is directed at readers who either have no prior understanding of data security or whose understanding is limited in interest, scope, or depth. It is not written for technology or security specialists, whose knowledge of specific issues should always be sought by the concerned owner, director, or manager. While it deals with technology issues, it is not a technological handbook.
Information security is a key component of IT governance. As IT and information itself become more and more the strategic enablers of organizational activity, so the effective management of both IT and information assets becomes a critical strategic concern for boards of directors. This book will enable directors and business managers in organizations and enterprises of all sizes to ensure that their IT security strategies are coordinated, coherent, comprehensive, and cost-effective, and meet their specific organizational or business needs. While the book is written initially for UK organizations, its lessons are relevant internationally, as computers and data threats are internationally similar. Again, while the book is written primarily with a Microsoft environment in mind (reflecting the penetration of the Microsoft suite of products into corporate environments), its principles apply to all hardware and software environments. ISO/IEC 27001 is, itself, system agnostic.
This book provides detailed advice and guidance on the development and implementation of an ISMS that will meet the ISO 27001 specification. The CyberComply platform[1] contains ISO 27001 documentation toolkits. Use of the templates within these toolkits, which are not industry or jurisdiction specific but which integrate absolutely with the advice in this book, can speed knowledge acquisition and ensure that your process development is comprehensive and systematic.
Organizations should always ensure that any processes they implement are appropriate and tailored for their own environment. There are four reasons for this:
1. Policies, processes, and procedures should always reflect the style, and the culture, of the organization that is going to use them. This will help them become accepted.
2. The processes and procedures that are adopted should reflect the risk assessment carried out by the organization’s specialist security adviser. While some risks are common to many organizations, the approach to managing them should be appropriate to, and cost-effective for, the individual organization and its own objectives and operating environment.
3. It is important that the organization understands, in detail, its policies, processes, and procedures. It will need to review them after any significant security incident, when changes occur and at least once a year. The best way to understand them thoroughly is through the detailed drafting process.
4. Most importantly, the threats to an organization’s information security are evolving as fast as the IT that supports it. It is essential that security processes and procedures are completely up to date, that they reflect current risks, and that, in particular, current technological advice is taken to build on the substantial groundwork laid in this book.
This book will certainly provide enough information to make the drafting of detailed procedures straightforward. Where it is useful (particularly in generic areas like email controls, data protection, etc.), there are pointers as to how procedures should be drafted. Information is the very lifeblood of most organizations today and its security ought to be approached professionally and thoroughly.
Finally, it should be noted that ISO 27001 is a service assurance scheme, not a product badge or cast-iron guarantee. Achieving ISO 27001 certification does not of itself prove that the organization has a completely secure information system; it is merely an indicator, particularly to third parties, that the objective of achieving appropriate security is being effectively pursued. Information security is, in the terms of the cliché, a journey, not a destination.
____________________
[1] www.itgovernance.co.uk/shop/product/cybercomply.
An information security management system (ISMS) is necessary because the threats to the confidentiality, integrity, and availability of the organization’s information are great – and always increasing. Any prudent householder whose home was built on the shores of a tidal river would, when facing the risk of floods, take urgent steps to improve the defenses against the water. It would clearly be insufficient just to block up the front gate, because the water would get in everywhere and anywhere it could. In fact, the only prudent action would be to block every single possible channel through which floodwaters might enter and then to try to build the walls even higher, in case the floods were worse than expected.
So it is with the threats to organizational information, which are now reaching tidal proportions. All organizations possess information, or data, that is either critical or sensitive. Information is widely regarded as the life-blood of modern business. Advanced persistent threat (APT) is the description applied to the cyber activities of sophisticated criminals and state-level entities, targeting larger corporations and foreign governments, with the objective of stealing information or compromising information systems. Cyber attacks are, initially, automated and indiscriminate – any organization with an Internet presence will be scanned and potentially targeted.
Back in 2018, the PricewaterhouseCoopers (PwC) Global State of Information Security Survey observed that “most organizations realize that cybersecurity has become a persistent, all-encompassing business risk.” Matters have deteriorated since then. The business use of technology is continuing to evolve rapidly, as organizations migrate to the Cloud and exploit social networks. Wireless networking, Voice over Internet Protocol (VoIP), and Software as a Service (SaaS) have become mainstream. The primarily digital and interconnected supply chain increases the pressure on organizations to manage information and its security and confirms the growing dependence of businesses on information and IT.
While it is clearly banal to state that today’s organization depends for its very existence on its use of information and communications technology, it is apparently not yet self-evident to the vast majority of boards and business owners that their information is valuable to both competitors and criminals and that how well they protect their systems and information is existentially important.
There is no doubt that organizations are facing a flood of threats to their intellectual assets and to their critical and sensitive information. High-profile cyber attacks and data protection compliance failures have led to significant embarrassment and brand damage for organizations – in both the public and private sectors – all over the world.
In parallel with the evolution of information security threats, there has – across the world – been a thickening web of legislation and regulation that makes organizations criminally liable, and in some instances makes directors personally accountable, for failing to implement and maintain appropriate risk control and information security measures. It is now blindingly obvious that organizations must act to secure and protect their information assets.
‘Information security,’ however, means different things to different people. To vendors of security products, it tends to be limited to the product(s) they sell. To many directors and managers, it tends to mean something they don’t understand and that the CIO, CISO, or IT manager has to put in place. To many users of IT equipment, it tends to mean unwanted restrictions on what they can do on their corporate devices. These are all dangerously narrow views.
Data or information is right at the heart of the modern organization. Its confidentiality, integrity, and availability are fundamental to the long-term survival of any 21st-century organization. Unless the organization takes a comprehensive and systematic approach to protecting the confidentiality, integrity, and availability of its information, it will be vulnerable to a wide range of possible threats. These threats are not restricted to Internet companies, e-commerce businesses, organizations that use technology, financial organizations, or organizations that have secret or confidential information. As we saw earlier, they affect all organizations, in all sectors of the economy, both public and private. They are a ‘clear and present danger,’ and strategic responsibility for ensuring that the organization has appropriately defended its information assets cannot be abdicated or palmed off on the CIO, CISO, or head of IT.
In spite of surveys and reports that claim that boards and managers are paying more attention to security, the truth is that the risk to information is growing more quickly than boards are recognizing. Annually, the Verizon Data Breach Investigations Report (which gathers data from all the reported data breaches in a 12-month period across the world) concludes that hundreds of millions of compromised records cause financial losses in the billions.
Information security threats come from both within and without an organization. The situation worsens every year, and cyber threats are likely to become more serious. Cyber activism is now a less serious danger than cyber crime, but cyber war and cyber terrorism have become category 1 threats. Unprovoked external attacks and internal threats are equally serious. It is impossible to predict what attack might be made on any given information asset, or when, or how. The speed with which methods of attack evolve, and knowledge about them proliferates, makes it completely pointless to take action only against specific, identified threats. Only a comprehensive, systematic approach will deliver the level of information security that any organization really needs.
It is worth understanding the risks to which an organization with an inadequate ISMS exposes itself. These risks fall into three categories:
1. Damage to operations
2. Damage to reputation
3. Legal damage
Damage in any one of these three categories can be measured by its impact on the organization’s bottom line, both short and long term. There is no single, comprehensive, global study of information risks or threats on which all countries and authorities rely. There are, however, surveys, reports, and studies, in and across different countries and often with slightly differing objectives, that between them demonstrate the nature, scale, complexity, and significance of these information security risks, and the extent to which organizations are vulnerable to these threats, whether through their own complacency or through the vulnerabilities in their hardware, software, and management systems.
Annual surveys point to a steadily worsening situation. The Verizon Data Breach Investigations Report, conducted with the US Secret Service and drawing on data from the US and internationally, regularly reports that:
• Data breaches occur within all sorts of organizations
• Hundreds of millions of records are compromised every year
• Most breaches originate externally, a significant percentage internally, and more than a quarter are carried out by multiple agents
IT Governance publishes a monthly report on data breaches and cyber attacks together with a dashboard with key incident metrics and data. It can be accessed at https://www.itgovernance.co.uk/resources/data-breach-and-cyber-attack-reports.
Surveys and data from other OECD economies suggest that a similar situation can be found across the world. Criminal hackers, crackers, virus writers, spammers, phishers, pharmers, fraudsters, and the whole menagerie of cyber criminals are increasingly adept at exploiting the vulnerabilities in organizations’ software, hardware, networks, and processes. As fraudsters, spam and virus writers, criminal hackers, and cyber criminals band together to mount integrated attacks on businesses and public-sector organizations everywhere, the need for appropriate cybersecurity defenses increases.
Often – but not always – information security is in reality seen only as an issue for the IT department, which it clearly isn’t. Good information security management is about organizations understanding the risks and threats they face and the vulnerabilities in their current computer processing facilities. It is about putting in place common-sense procedures to minimize the risks and about educating all employees about their responsibilities. Most importantly, it is about ensuring that the policy on information security management has the commitment of senior managers. It is only when these procedural and management issues are addressed that organizations can decide on what security technologies they need.
The average organization is spending around 12 per cent of its IT budget on information security. That less than half of all organizations ever estimate the return on their information security investment may be part of the problem; certainly, until business takes its IT governance responsibilities seriously, the information security situation will continue to worsen.
As indicated above, information security breaches affect business operations, reputation, and legal standing. Business disruption is the most serious impact: roughly one third of UK breaches lead to disruption of operations, with consequent impacts on customer service and business efficiency. As well as business disruption, organizations face incident response costs that include response and remediation costs (responding to, fixing, and cleaning up after a security breach), direct financial loss (loss of assets, regulatory fines, compensation payments), indirect financial loss (through leakage of confidential information or intellectual property, and revenue leakage), and reputation damage, with successful hack attacks and data losses both attracting increasing media attention.
No industry is immune from data breaches. In the majority of cases, attackers are able to compromise targets within minutes and it takes longer to detect the compromise than it does to complete the attack.
The various components of financial loss include discovery, investigation, response, remediation, customer notification costs, legal fees, regulatory breach notification costs, and increased operational, marketing, and PR costs.
As the Marriott hotel chain breach in 2020 proved, damage to corporate reputation, stockholder class actions, and straightforward loss of customers and the fall in net revenue arising from a successful breach can have a far more significant impact on the future performance of the organization – and, increasingly, on the continued employment and careers of the directors at the helm of the organization when the breach occurred.
The 2018 US State of Cybercrime Survey (conducted by CSO Magazine, the US Secret Service, the CERT Division of the Software Engineering Institute, and PricewaterhouseCoopers) spoke to 515 organizations about their experience in the previous 12 months. Only 39 per cent of respondents said that damage from outsider attacks was more severe than that from insiders; 61 per cent of respondents suffered incidents involving theft or compromise of customer records and 56 per cent experienced compromised trade secrets or intellectual property.
In reality, many information security incidents are crimes. The UK Computer Misuse Act, for instance, makes it an offense for anyone to access a computer without authorization, to modify the contents of a computer without authorization, or to facilitate (allow) such activity to take place. It also identifies sanctions for such activity, including fines and imprisonment. Other countries have taken similar action to identify and create offenses that should enable law enforcement bodies to act to deal with computer misuse. This type of illegal activity is known as ‘cyber crime.’
The Council of Europe Cybercrime Convention, the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, was signed in November 2001. The US finally ratified the Cybercrime Convention in 2006 and joined with effect from January 1, 2007. The Cybercrime Convention was designed to protect citizens against computer hacking and Internet fraud, and to deal with crimes involving electronic evidence, including child sexual exploitation, organized crime, and terrorism. Parties to the convention commit to effective and compatible laws and tools to fight cyber crime, and to cooperating to investigate and prosecute these crimes. They are not succeeding.
Europol, the European police agency that publishes an annual Internet Organised Crime Threat Assessment (IOCTA), regularly identifies increases in the scope, sophistication, number, and types of attacks; number of victims; and economic damage from organized crime on the Internet. The Crime-as-a-Service (CaaS) business model drives the digital underground economy by providing a wide range of commercial services that facilitate almost any type of cyber crime. Criminals can freely procure services such as the rental of botnets, denial-of-service (DoS) attacks, malware development, data theft, and password cracking, and use them to commit crimes themselves. This has facilitated a move by traditional organized crime groups (OCGs) into cyber crime areas. The financial gain for cyber criminals from these services stimulates the commercialization of cyber crime as well as innovation and further sophistication. Legitimate privacy networks are also of primary interest to criminals who abuse such anonymity on a massive scale for illicit online trade in drugs, weapons, stolen goods, forged IDs, and child sexual exploitation.
The Internet is, in other words, digitally dangerous. Organizations must take appropriate steps to protect themselves against criminal activity – both internal and external – in just the same way as they take steps to protect themselves in the physical world.
Cyber crime is a serious issue but, in the longer run, may be a lesser danger to organizations than the effects of ‘cyber war.’ It is believed that every significant terrorist or criminal organization has cyber capabilities and has become very sophisticated in its ability to plan and execute digital attacks. More significantly, many nation states now see digital warfare as an alternative to – and an essential precursor of – traditional kinetic warfare.
Eliza Manningham-Buller, the then director-general of the UK security service MI5, said this at the 2004 CBI annual conference:
“A narrow definition of corporate security including the threats of crime and fraud should be widened to include terrorism and the threat of electronic attack. In the same way that health and safety and compliance have become part of the business agenda, so should a broad understanding of security, and considering it should be an integral and permanent part of your planning and statements of internal control; do not allow it to be left to specialists. Ask them to report to you what they are doing to identify and protect your key assets, including your people.”
A decade later, Sir Iain Lobban, the then director of the Government Communications Headquarters, said much the same thing in an open letter to CEOs and Chairs of FTSE 350 companies, encouraging them to undertake a ‘cyber health check’ after a KPMG security survey found that all of them were leaking data, such as employee usernames, email addresses, and sensitive internal file location information online.
The Russian digital offensive against Ukraine, the cyber activities of Iran, North Korea, and China, combined with the widespread abuse of social media to undermine targeted countries, organizations, and individuals, are all symptoms of a world in which digital violence is commonplace.
A growing number of countries are putting cybersecurity strategies in place. The UK government’s national security strategy recognizes “hostile attacks upon UK cyberspace” as a national security risk and its national cybersecurity strategy has the objective of making the UK one of the most secure places in the world to live and work online. The EU’s cybersecurity strategy (“an Open, Safe and Secure Cyberspace”) has similar objectives.
While organizations that are part of the critical national infrastructure (CNI) clearly have a significant role to play in preparing to defend their national cyberspace against cyber attack, all organizations should take appropriate steps to defend themselves from being caught in the digital crossfire.
The term advanced persistent threat (APT) usually refers to a national government or state-level entity that has the capacity and the intent to persistently and effectively target in cyberspace another entity that it wishes to disrupt or otherwise compromise. While cyberspace is the most common theater of attack, other vectors include social engineering, infected media and malware, and supply chain compromise. Attackers usually have the resources, competence, and time to focus on attacking one or more specific entities. The Stuxnet worm is an example of one such attack, but there are many others. For most large organizations, the critical consideration is not whether they have been targeted (they will have been), but whether they have been able to identify and neutralize the intrusion.
There are a number of trends that lie behind these increases in threats to digital information security, which when taken together suggest that things will continue to get worse, not better:
• The use of distributed computing is increasing. Computing power has migrated from centralized mainframe computers and data processing centers to a distributed network of desktop computers, laptop computers, microcomputers, mobile devices, and Internet of Things (IoT) devices, and this makes information security much more difficult to ensure.
• There is an unstoppable trend toward mobile computing and remote working. The use of laptop computers, personal digital assistants (PDAs), cell and smartphones, digital cameras, portable projectors, MP3 players, iPads, and IoT devices has made working from home and while traveling relatively straightforward, with the result (accelerated by the COVID-19 pandemic) that network perimeters have become increasingly porous. This means that the number of remote access points to networks, and the number of easily accessible endpoint devices, have increased dramatically, and this has increased the opportunities for those who wish to break into networks and steal or corrupt information.
• There has been a dramatic growth in the use of the Internet for business and social media communication, and the development of wireless, voice over IP (VoIP), and broadband technologies is driving this even further. The Internet provides an effective, immediate, and powerful method for organizations to communicate on all sorts of issues. This exposes all these organizations to the security risks that go with connection to the Internet:
o The Internet is really just a backbone connection that enables every digital device in the world to connect to every other device. This gives criminals a direct means of reaching any and every organization that is connected to the Internet.
o The Internet is inherently a public space. It is accessible by anyone from anywhere and consists of the millions of connections, some permanent and some temporary, that come about because of this. It has no built-in security and no built-in protection for confidential or private information.
o The Internet (together with mobile and satellite telephony) is also, in effect, a worldwide medium for criminals and hackers to communicate with one another, to share the latest tricks and techniques, and to work together on interesting projects.
o Better hacker tools are available every day, on hacker websites that, themselves, proliferate. These tools are improved regularly and, increasingly, less and less technologically proficient criminals – and computer-literate terrorists – can cause more and more damage to target networks and systems.
o Increasingly, criminal hackers, virus writers, and spam operators are cooperating to find ways of spreading more spam – not just because it’s fun, but because there’s a lot of money to be made out of the direct email marketing of dodgy products. Phishing, pharming, and other Internet fraud activity will continue evolving and are likely to become an ever bigger problem.
o Technology innovation, particularly in the field of machine learning (ML) and artificial intelligence (AI) as well as in the development of deep fake technology, makes incredibly effective social engineering attacks possible.
• This is leading, inevitably, to an increase in ‘blended’ threats, which can only be countered with a combination of technologies and processes.
• Increasingly sophisticated technology defenses, particularly around user authorization and authentication, will drive an increase in ‘social engineering’-derived criminal hacker attacks.
• Computer literacy is becoming more widespread. While most people today have computer skills, the next generation are growing up with a level of familiarity with computers that will enable them to develop and deploy an entirely new range of threats. Instant messaging is an example of a new technology that was better than email in that it was faster and more immediate, but has many more security vulnerabilities than email. We will see many more such technologies emerging.
• Wireless technology – whether Wi-Fi or Bluetooth – makes information and the Internet available cheaply and easily from virtually anywhere, thereby potentially reducing the perceived value and importance of information and certainly exposing confidential and sensitive information more and more to casual access.
• The falling price of computers and mobile devices has brought computing within most people’s reach. The result is that most people now have enough computer experience to pose a threat to an organization if they are prepared to apply themselves just a little to take advantage of the opportunities identified above.
What do these trends, and all these statistics from so many organizations in so many countries (and information security professionals would argue that, as most organizations don’t yet know that their defenses have already been breached, the statistics are only the tip of the iceberg), mean in real terms to individual organizations? In simple, brutal terms, they mean the following:
• No organization is immune.
• Every organization, at some time, will suffer one or more of the disruptions, abuses, or attacks identified in these pages.
• Organizations will be disrupted. Downtime in business-critical systems such as enterprise resource planning (ERP) systems can be catastrophic for an organization. However quickly service is restored, there will be an unwanted and unnecessary cost in doing so. At other times, lost data may have to be painstakingly reconstructed and sometimes will be lost forever.
• Privacy will be violated. Organizations have to protect the personal information of employees and customers. If this privacy is violated, there may be legal action and penalties.
• Organizations will continue suffering direct financial loss. Protection in particular of commercial information and customers’ credit card details is essential. Loss or theft of commercial information, ranging from business plans and customer contracts to intellectual property, product designs, and industrial know-how, can all cause long-term financial damage to the victim organization. Computer fraud, conducted by staff with or without third-party involvement, has an immediate direct financial impact. Inadequate information security strategies can make cyber insurance difficult or expensive to obtain, or both.
• Regulation and compliance requirements will increase. Regulators will increasingly legislate to force corporations to take appropriate information security action, which will drive up the cost and complexity of information security. Breaches also trigger reporting requirements, lead to significant fines, and, increasingly, lead to personal liability for directors who may have been negligent in handling their cybersecurity obligations.
• Reputations will be damaged. Organizations that are unable to protect the privacy of information about staff and customers, and which consequently attract penalties and fines, will find their corporate credibility and business relationships severely damaged and their expensively developed brand and brand image dented.
The statistics are compelling. The threats are evident. No organization can afford to ignore the need for information security. The fact that the risks are so widespread and the sources of danger so diverse means that it is insufficient simply to implement an antivirus policy, or a business continuity policy, or any other standalone solution. A conclusion of the CBI Cybercrime Survey 2001 was that “deployment of technologies such as firewalls may provide false levels of comfort unless organizations have performed a formal risk analysis and configured firewalls and security mechanisms to reflect their overall risk strategy.” Nothing has changed. It is clear that there is a correlation between security expenditure and risk assessments. On average, those respondents that carried out a risk assessment spend more of their IT budget on security than those that do not assess their risk. It seems likely, therefore, that those that have not assessed their information security risks are also under-investing in their security.
The only sensible option is to carry out a thorough assessment of the risks facing the organization and then to adopt a comprehensive and systematic approach to information security that cost-effectively tackles those risks.
Certainly, organizations can legally no longer ignore the issue. There is a growing number of laws that are relevant to information security. In the UK, for instance, relevant laws include the Companies Act 2006; the Copyright, Designs and Patents Act 1988; the Computer Misuse Act 1990 (as updated by the Police and Justice Act 2006); the Data Protection Act 2018; and the Network and Information Security Regulations 2018.
The Data Protection Act (DPA) 2018 is perhaps the most high-profile of these recently passed laws; it implements the EU GDPR into UK legislation and requires organizations in both the public and the private sectors to implement data security measures to prevent unauthorized or unlawful processing (which includes storing) and accidental loss or damage to data pertaining to living individuals. Fines of up to 4 per cent of global turnover may be imposed by the Information Commissioner’s Office (ICO) for breaches of the DPA 2018.
While these acts apply to all UK-based organizations, Stock Exchange-listed companies are also expected to comply with the recommendations of the UK Corporate Governance Code and the Risk Guidance on effective controls. Crucially, these require directors to take a risk assessment-based approach to their management of the organization and to consider all aspects of the business in doing so.
While the US still has no federal data protection legislation, all states now have data breach reporting laws and a growing number have enacted GDPR-like data protection laws. Sectoral regulation such as HIPAA, GLBA, FISMA, and others impose strict requirements on organizations. SEC regulations require company directors to report data breaches and, on an annual basis, to identify how they discharge their cybersecurity obligations. Canada (PIPEDA), Australia, and other members of the Commonwealth have their own data protection legislation. In the EU, all countries are subject to the EU GDPR, the core of which is the same in all member states. Emerging economies are also passing data protection and cybersecurity laws, recognizing that improved security is a prerequisite for competing in the data-rich developed world.
The EU is continuing to set the standard in terms of wide-ranging cybersecurity-related legislation. The Digital Operational Resilience Act (DORA) imposes wide-ranging requirements on financial-sector organizations and their critical third-party ICT suppliers. New legislation on AI and product certification will set standards that the rest of the world will scramble to follow.
In parallel, the Payment Card Industry Data Security Standard (PCI DSS), a private-sector security standard, is a contractual requirement for organizations that accept payment cards and, interestingly, compliance with the PCI DSS has been enshrined in law in some US states; the ICO, in the UK, has recognized its importance.
Directors of listed businesses, of public-sector organizations, and of companies throughout their supply chains must be able to identify the steps that they have taken to protect the confidentiality, integrity, and availability of the organization’s information assets. In all these instances, a risk-based information security policy, implemented through an ISMS, is clear evidence that the organization has taken the necessary and appropriate steps.
The benefits of adopting an externally certifiable ISMS are, therefore, clear:
• The directors of the organization will be able to demonstrate that they are complying with the relevant requirements of Sarbanes–Oxley, Basel 3.1, the FRC’s Guidance on Risk Management, or with current international best practice in risk management with regard to information assets and security.
• The organization will be able to demonstrate, in the context of the array of relevant legislation, that it has taken appropriate compliance action, particularly with data protection legislation such as the GDPR.
• The organization will be able systematically to protect itself from the dangers and potential costs of computer misuse and cyber crime, and the impacts of cyber war.
• The organization will be able to improve its credibility with staff, customers, and partner organizations. This can have direct financial benefits through, for instance, improved sales. This competitive requirement is increasingly becoming a critical factor for organizations in winning new business from clients that are aware of the need for their suppliers to demonstrate they have implemented effective information security management measures.
• The organization will be able to make informed, practical decisions about what security technologies and solutions to deploy and thus to increase the value for money it gets from information security, to manage and control the costs of information security, and to measure and improve its return on its information security investments.
The first version of the UK Combined Code, issued in 1998, replaced, combined, and refined the earlier requirements of the Cadbury and Greenbury reports on corporate governance and directors’ remuneration. It came into force for all listed companies for year-ends after December 1998. Since then, UK corporate governance has been on a ‘comply or explain’ basis; in other words, listed companies are expected to comply but are not statutorily required to do so. Simplistically, if they have good reason, they can choose not to comply with a particular provision of the Combined Code as long as they then explain, in their annual report, why that decision was made. However, as the market nowadays punishes organizations that choose not to comply, any decision about non-compliance is not expected to be made lightly. (In fact, the requirements are a bit more complex than this.)
The Combined Code requirements were broadly similar to those of the earlier reports, but in one important respect – reporting on controls – there was a major and significant development in 1999, before the May 2010 revision of what is now formally the UK Corporate Governance Code. While the Cadbury Report had envisaged organizations reporting on controls generally, the original guidance that was issued at that time to clarify those requirements permitted, and indeed encouraged, organizations to restrict their review of controls, and the disclosures relating to that review, to financial controls.
This meant that potentially more important issues relating to operational control were left outside the reporting framework. The current version of the Corporate Governance Code was published in September 2014, updated in 2016, 2017, and 2024, and applies to premium companies listed on the main UK stock exchange (but not to AIM-listed companies). Principle O of the Code says: “The board should establish and maintain an effective risk management and internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.”
The Turnbull Report – “Internal Control: Guidance for directors on the Combined Code,” published by the Internal Control Working Party of the Institute of Chartered Accountants in England and Wales – provided further guidance in 1999 as to how directors of listed companies should tackle this issue. After multiple revisions, it is now an FRC publication (published January 2024) dedicated to providing guidance on the implementation of the Code. It provides specific guidance on how to apply section O of the Code, which deals with risk management and internal control and establishes the principle that: “The risk management and internal control framework should […] be embedded in the operations of the company and form part of its culture” and “not be seen as a periodic compliance exercise, but instead as an integral part of the company’s day-to-day business and governance processes.”
Paragraph 218 of the guidance states that an organization’s “internal control framework encompasses the policies, culture, organisation, behaviours, processes, systems and other aspects of a company” that, taken together, do the following:
• “Support the company in achieving its strategic objectives.
• Facilitate its effective and efficient operation by enabling it to assess current and emerging risks, and to safeguard its assets from inappropriate use or loss and fraud.
• Help ensure the quality of internal and external reporting including maintenance of appropriate records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation, and
• Help ensure compliance with applicable laws and regulations, and with internal policies with respect to the conduct of business.”
In short, the risk guidance makes it clear to directors of public companies that their internal control systems must address all forms of information as well as the systems on which it resides.
Following the work of the Smith and Higgs committees, the Combined Code was revised and reissued on a regular basis, each time replacing the earlier versions.
Section 4 of the UK Corporate Governance Code deals with risk management and internal control. Principle O states: “The board should establish and maintain an effective risk management and internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.” Risk management, in other words, is a key responsibility of the board. An audit or risk committee of non-executive directors is required to review the organization’s risk management and internal control framework.
The board is required to maintain a sound system of internal control to safeguard stockholders’ investments and the organization’s assets. In practice, directors are required at least annually to conduct a review of the effectiveness of the group’s system of internal controls and should report to stockholders that they have done so. “The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls [emphasis added].” The Code refers the reader to the Risk Guidance for details on how to apply this provision.
Paragraphs 24, 26, and 27 of the Risk Guidance provide an admirably brief and clear description of the principles of risk management and of the board’s responsibility to set the policy around risk treatment, that of the executives to implement it, and that of all staff to comply with the system of internal control. This sort of framework is often known as an enterprise risk management (ERM) framework, and it will reflect the overlap between regulatory risk management requirements and the organization’s specific internal control and information security management needs.
While listed companies are not legally required to comply with the provisions of the UK Corporate Governance Code, the FCA Listing Rules require every Stock Exchange-listed (i.e. not Alternative Investment Market (AIM)-listed) company to include the following items in its annual report and accounts:
“A statement of how the listed company has applied the Main Principles set out in the Code, in a manner that would enable shareholders to evaluate how the principles have been applied; a statement as to whether the listed company has:
a