22 Apr, 2017 | Auditing, ISO 27001, ISO 9001

David Cole, director at Bywater, explains why data security has become a key requirement when designing or auditing management systems and processes

A recent article on techworld.com reminded me of the number and severity of information security breaches that take place in the UK. According to the article, the UK is second only to the US in the number of breaches, and in 2016 alone many household names appeared on the front pages of our newspapers for all the wrong reasons.

Sports Direct had to tell its workforce that their personal details may have been stolen, including their names, email addresses and phone numbers.

The mobile phone operator 3 allowed access to the personal details of millions of customers. Tesco Bank had 40,000 customer accounts ‘compromised’, with money stolen from almost half of them. And TalkTalk, at the end of 2015, was unsure about the implications of a hack into the records of 4,000,000 of its customers.

This isn’t new. Probably the most infamous data security breach of all was the loss by HM Revenue & Customs in 2007 of two computer discs containing the personal details of 25 million people, which caused a huge furore at the time.

These disasters provide learning opportunities for auditors and quality professionals on the importance of managing information security as part of organisational processes and management systems. In today’s world we deal with vast amounts of data, so we need to ensure that processes are designed to give access only to those who need it, the principle of least privilege, and to no one else.

As quality professionals designing or auditing our systems, we also have to understand the value of the data we hold. Continuing with the HMRC example, according to commentators at the time that data could have been worth up to £1.5bn to criminals. The scale of the risk, not just the likelihood of a loss, should therefore inform our process design and management control efforts.

It is easy to look at the HMRC data disaster with perfect hindsight and apply the lessons learned in the form of changes to the way processes are designed and risk controls are implemented, so as to prevent a recurrence. But even for this disaster many of the causes are disputed and we will never know the full story. Instead, we should apply what we do know to a review of our current systems, including: the processes for acquiring, storing, accessing and transferring data across functions and departments; the authority and accountability for releasing data; and the management of organisational change.

There are many standards that outline best practice for how information security and access should be controlled as part of a management system, from the general quality management requirements of ISO 9001, to the requirements for an information security management system in ISO 27001 and the accompanying code of practice for information security controls in ISO 27002, to business continuity management standards such as ISO 22301.

All auditors, and particularly quality auditors of companies that handle customer data, should have a good awareness of the risks associated with breaches of information security and of the types of controls that effectively manage those risks.

David Cole

Bywater Director