Adopt ISO ISMS certification to test your information security practices

Federal Government and industry, specifically ASX-listed businesses, must urgently introduce a requirement that all agencies and contractors engaged to provide services involving access to customer/consumer data hold ISO27001 certification or a SOC2 attestation report (ISO/IEC 27001 is the international standard for information security management; SOC2 is the AICPA attestation framework widely used for service organisations), or demonstrate that they follow equivalent practices.

Most Australians would be horrified to know that some government and corporate entities, including ASX-listed companies, engage agencies and contractors to undertake work involving customer information without requiring them to hold ISO27001. According to VPN provider Surfshark, in Q4 2022 Australia was the most frequently hacked nation in the world.

Why the accreditation is a timely necessity

On Surfshark's figures, Australia recorded 7,387 user accounts hacked per 100,000, while Russia, second on the list, recorded 2,568 per 100,000. Since 2004 there have been 132.4 million accounts breached in Australia. Also, according to Gartner, 2022 saw a significant rise in cyberattacks originating from third-party services. Congratulations Australia: the "no worries" attitude towards the data security of third-party agencies has made us an easy target for hackers.

Government departments and corporates need to specify ISO27001 or equivalent in their RFPs and contracts, and seriously question why they would work with a firm that doesn't comply. A firm that has been through ISO27001 certification has had an independent auditor confirm that it runs a managed, risk-based information security program. That does not make a breach impossible, but it shows that data security is part of the firm's culture and not merely something mentioned in a pitch process.

Even if a business says it has robust data security and information security practices, has it taken the additional step of being audited by an independent body to test the strength of those practices? This is a crucial question to ask of every service provider.

Achieving ISO27001 took our firm over 12 months of intensive reviews to ensure every part of our organisation and systems met the world-class standard, and we started from a high baseline. We must lift our standards in Australia; there are no excuses for complacency, and Aussies will no longer accept weak data security. Personal data theft can cause irreparable brand damage. The protocols are there; government and corporates must enforce them.

What is ISO27001?

ISO27001 (formally ISO/IEC 27001) is the international standard for information security management. It sets out the requirements for an Information Security Management System (ISMS): a framework of policies, procedures and controls through which an organisation identifies, treats and keeps monitoring the risks to the confidentiality, integrity and availability of the information it holds.

ISO27001 covers three main areas:

  • How to set up your ISMS to significantly reduce the risk of a data breach by managing information security risks: identifying the risks to the information you hold, selecting controls to treat them (the standard's Annex A lists the reference set of controls), and reviewing both risks and controls on an ongoing basis
  • What to do in the event of a data breach or a ransomware demand: incident management, covering how incidents are reported, responded to and learned from
  • What governance and management structures are in place to oversee data security practices and to hold people to account: leadership commitment, defined roles and responsibilities, internal audit and management review

I am sure there are many firms without ISO27001 that have strong data security practices in place. I encourage them to pursue ISO27001 certification, as it shows a clear commitment to ensuring data security. Sadly, there are also companies that do not have strong data security and may be using cheap data-collection systems that store data on servers outside Australia, send sensitive data over email and have no secure testing environments.

They probably think they are too small a company to worry about being hacked, or that best-practice security measures are too expensive to implement. This thinking is flawed: no client wants their data compromised through sheer negligence, and the cost of being responsible for a breach outweighs the cost of implementation.

I urge organisations to ask the agencies that collect or handle any personally identifiable information on their behalf for the documentation of their ISMS and how it complies with the international standard. Ask to see the certificate itself, including its scope statement and the accredited certification body that issued it, together with the Statement of Applicability: a certificate whose scope does not cover the systems and teams that actually handle your data tells you little about how that data is protected. Regardless of what industry we work in, many of us are involved in accessing and working with customer data. Data should be our greatest asset, but right now data security is one of our greatest weaknesses.

We can minimise data breaches, though never eliminate them entirely, if we all embrace international standards. Governments and ASX-listed businesses should not be engaging providers that do not hold the highest level of certification. To do so is stupid and, quite frankly, negligent.

Fifth Dimension’s Globally Recognised Trust Model

Fifth Dimension's trust model centres on the premise that trust in a brand rests on two traits: the capability of the brand to do what it promises, and the character of the brand to operate in an honest and ethical manner.

Fail on both trust traits and a brand risks losing for life the customer it has let down, and weakening its growth under the legacy of a proven poor reputation.

Lyndall Spooner is the founder and CEO of Fifth Dimension Consulting.
