12 Jul, 2017 | ISO 27001

Information technology drives business efficiency and productivity, and the digital economy is thriving as growing numbers of organisations are benefiting from the opportunities the Internet brings. However, cyber crime is increasingly easy to perpetrate, and the threats the modern organisation faces are intensifying.

Consequently, auditors are finding that they play an increasingly pivotal role in helping organisations manage cyber threats, both by providing an independent assessment of existing and necessary controls, and helping the auditee’s board understand and address the diverse risks of the digital world.

Cyber crimes hurting British business

According to a recent survey conducted by Opinium for Internet service provider Beaming, 52% of UK businesses – some 2.9 million firms – fell victim to some form of cyber crime in 2016, at a total cost of £29.1 billion.[i] And here are some further statistics to consider:

  • The average cost of the worst types of security breach is $4 million.[ii]
  • The median time it takes organisations to discover an attacker’s presence on a victim’s network is 146 days.[iii]
  • An unskilled attacker can spend as little as $200 to execute an attack.[iv]

SMEs and cyber attacks

It’s not just big businesses that are at risk: research from the Federation of Small Businesses published in 2016 found that 66% of small businesses had been a victim of cyber crime.[v] If this seems surprising, remember that every organisation holds data that has value to someone, such as employee payroll details, proprietary data or client information. Moreover, many attacks on larger companies have been perpetrated by exploiting smaller third-party suppliers.

The recent surge in cyber attacks has attracted a great deal of media attention and now, at last, cyber security is a mainstream concern. This, combined with the fact that the EU General Data Protection Regulation (GDPR) will bring huge administrative fines for breaches from May 2018, has prompted companies of all sizes to take a hard look at their information security controls.

Management disconnect

Yet there remains a disjunction between management teams claiming that cyber security is on their agenda, or under control, and the rapidly rising number of data breaches.

A recent report from Accenture, “Cyber Security: Facing the Cybersecurity Conundrum”, provides hard, current data that supports this view. Their key finding is this: ‘One in three focused breach attempts get through, yet most organisations are “confident” in their ability to protect the enterprise.’

Moving forward with cyber security and privacy

Today, companies recognise the need for a third line of cyber defence: independent review of security measures and performance by auditors. Auditors now play a pivotal role in assessing cyber security and privacy threats – wherever they occur – to help strengthen business security. To achieve this, auditors need to think broadly about cyber security and privacy as both protectors and enablers for their auditee’s business, third-party partners and customers.

IT Governance’s recommended steps for achieving an effective cyber security framework

Cyber health check: has the organisation you are auditing identified and considered its cyber risks? A good starting point for auditors is to explore whether the auditee organisation has had a cyber health check – a fast, top-to-bottom review of its cyber security and recovery posture – leading to a focused work programme aimed at improving cyber resilience. One key consideration when exploring this is the competence of the organisation and of the individuals performing the health check.

ISO 27001: does your client have the necessary security controls to protect its information assets?
Auditors should consider the scope of the client’s ISMS, if they have one, and whether the security stance is based on a valid risk assessment. Implementing and maintaining an information security management system (ISMS) certified to the internationally recognised information security standard, ISO 27001, can help to keep things in perspective.

Cyber Essentials: if the auditee is involved in government contracts that include the handling of certain sensitive and personal information, then Cyber Essentials could be mandatory. The government requires all suppliers bidding for contracts that include the handling of certain sensitive and personal information to be certified against the Cyber Essentials scheme. Certification also puts the organisation in a strong position to gain new business, both in the public and private sectors. What’s more, it’s relatively low cost and is generally seen as an early stepping stone towards ISO 27001 accredited certification.

Contracts and Legislation: does your client comply with the Payment Card Industry Data Security Standard (PCI DSS) or the EU General Data Protection Regulation (GDPR)? With less than 12 months until the new PCI DSS v3.2 and the GDPR are enforced, auditors must consider how these far-reaching changes will affect the organisations they audit. Auditors should explore whether these changes have been identified (context), and how they have been reflected in risk arrangements and plans. This will help the target organisation keep its clients’ valuable information safe and secure and avoid possible fines.

Penetration testing: has the organisation assessed its level of vulnerability to attack or the value and exploitability of critical assets?
A penetration test can help identify the vulnerabilities that leave an organisation’s infrastructure and applications exposed, and gives it the information it needs to close gaps in its security stance. This is another area in which to confirm the credentials of the testing company, as well as to scope the footprint and frequency of testing and to confirm that findings are acted upon. Read our complementary ‘Cyber testing playbook’ for a checklist of factors to consider when deciding to hire a cyber testing consulting partner.

Cyber incident response management: does the organisation you are auditing have a recovery plan to support the resumption of business activities after an attack? Auditors need to assess whether a proper crisis management and communication plan is in place, and that it is clearly communicated and tested as appropriate. This should enable sufficient business continuity in the event of a cyber security breach.

Training: does the organisation you are auditing have the knowledge and means to address emerging security threats? How does it ensure it is aware of them? Being aware of the latest vulnerabilities and threats is essential if the organisation is to remain secure.

Moreover, in the context of cyber security, the adage that you are only as strong as your weakest link is particularly pertinent. Employees need timely education and training to help combat the ever-changing cyber security threat. One-off, tick-box exercises are not sufficient.

Our company

IT Governance is the world’s leading global provider of IT governance, risk management and compliance solutions. Our comprehensive range of products and services, combined with flexible and cost-effective delivery options, provides a unique, integrated alternative to the traditional consultancy firm, security testing provider or training provider.

Steve Watkins (Director, IT Governance)

[i] Beaming, “Cyber Report: UK businesses targeted 230,000 times each by cybercriminals”

[ii] IBM, “2016 Cost of Data Breach Study: Global Analysis”, Ponemon Institute

[iii] Verizon, “2017 Data Breach Investigations Report”

[iv] CSO Online, “For less than the cost of a week’s groceries, you too can be a cybercriminal”

[v] FSB, “Cyber Resilience: How to protect small firms in the digital economy”