Last year, the Western Australian (WA) government issued an updated Digital Security Policy to bring the state’s IT security practices in line with international standards such as ISO 27001.
The initial version of the policy was released in May 2016 and was developed by the Office of the Government Chief Information Officer (CIO).
Organisations failing to take simple steps to protect systems
The Digital Security Policy was released in the same week as the annual Information Systems Audit Report from the WA Office of the Auditor General (OAG), which expressed “disappointment that agencies were still not taking simple steps to protect their IT systems”.
The Auditor General at the time said: “The report is important because it reveals common information system weaknesses […] that can seriously affect the operations of government and potentially compromise sensitive information held by agencies.”
The Digital Security Policy sets out four key requirements to keep systems and data safe:
- Implement an information security management system (ISMS).
- Establish governance and accountability.
- Assess and treat digital security risks.
- Include formal mechanisms for continuous improvement.
The WA Office of the Government CIO also released a supplementary guide to aid implementation.
The guide states that “agencies are strongly encouraged to utilise the ISO/IEC 27000 series, particularly ISO/IEC 27001 […] as the basis for their ISMS”.
Innovation and ICT minister, Dave Kelly, said: “For eight years, the previous Liberal National government failed to address damning Auditor General reports which demonstrated many government agencies had insufficient security governance and procedures.”
Australian ISO 27001 certifications rose by more than 200% in 2016
The ISO Survey 2016 showed that ISO 27001 certification has grown rapidly worldwide, particularly in East Asia and the Pacific, which in 2016 reached almost 15,000 certifications – the highest number of any region in the world.
In Australia, there were 531 new certifications – an increase of more than 200%.
Following the release of the updated Digital Security Policy in 2017, these figures are likely to rise even more.
Benefits of adopting ISO 27001
Organisations, including those in the private sector, should follow the lead of the Australian government.
If the government requires ISO 27001 certification, that requirement will begin to flow down the supply chain, so private sector businesses should be implementing similar measures to address the growing risks.
ISO 27001 is the international standard that describes best practice for an ISMS. Certification helps organisations to:
- Win new business and retain existing customers;
- Avoid the financial penalties and losses associated with data breaches;
- Protect and enhance their reputation;
- Comply with business legal, contractual and regulatory requirements, including the EU General Data Protection Regulation (GDPR); and
- Obtain an independent opinion about their security posture.
ISO 27001 is not as difficult to implement as you might think
In our recent blog post, “Podcast: ISO 27001 can be implemented on your current Windows system”, we highlighted how many organisations believe that ISO 27001 is too complicated and difficult to implement.
However, many of the technical controls in ISO 27001 can be addressed with the inbuilt functionality and tools in Microsoft Windows.
June’s book of the month, ISO27001 in a Windows® Environment, gives essential guidance for anyone looking to implement ISO 27001 using Windows technology.