Preventing data breach with ISO/IEC 27001


The number of data breach alerts received by the Personal Data Protection Commission (PDPC) tripled this year in the February to March period compared with the previous two months. As a progressive smart nation and an early adopter of digital technology and digital transformation, one would expect better detection tools, including those equipped with artificial intelligence and machine learning, to be available to help detect unusual activity in data access and on the network. But not many companies are willing to spend on and equip themselves with these tools, nor do they have the expertise and people to manage them. How can an organization adopt a holistic information security approach to prevent such data breaches from happening?

There are two schools of thought when it comes to information security: the process-and-people camp and the technology camp. Neither approach is right or wrong on its own. In our view, a balanced approach applies people, process and technology together with a risk management mindset to assess the organization's information security measures. With this in mind, the ISO/IEC 27001:2013 Information Security Management System offers a comprehensive framework that helps organizations adopt a preventive and holistic view of their information security.

We would like to list eight steps for an organization to consider in order to prevent a data breach:

1. Identify your organization's data assets and IT assets and their business value.

2. Limit and authorize access to your data assets and IT assets to only those who need it.

3. Identify all the risks that could compromise the data assets and IT assets identified in step 1.

4. Apply controls to mitigate the risks identified, and weigh each mitigation measure against a cost/benefit and risk analysis.

5. Implement the necessary policies, measures and systems to support the controls.

6. Conduct regular audits, vulnerability assessments and monitoring to ensure the controls are working as intended.

7. Provide information security awareness training for your staff.

8. Review, report on and update your plans regularly.
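Steps 1 to 4 above describe an asset inventory, an access authorization rule, a risk register and a cost/benefit decision on controls. The following Python script is an added illustration of that workflow and is not part of the original article or of ISO/IEC 27001 itself; the asset names, values, likelihoods, control costs and reduction factors are constructed sample figures, and the annual loss expectancy formula (asset value x impact fraction x expected occurrences per year) is a common quantitative risk-analysis method chosen here as an assumption, not one the article prescribes.

```python
from dataclasses import dataclass, field

# --- Step 1: asset inventory with business value (constructed sample data) ---
@dataclass
class Asset:
    name: str
    owner: str
    value: float                      # estimated business value, currency units
    authorized_roles: set = field(default_factory=set)  # step 2: who may access it

# --- Step 3: a risk against an asset ---
@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float                 # expected occurrences per year
    impact: float                     # fraction of asset value lost per occurrence

# --- Step 4: a candidate control with its cost and effect ---
@dataclass
class Control:
    name: str
    mitigates: str                    # threat this control addresses
    annual_cost: float
    likelihood_reduction: float       # fraction of the likelihood removed (0..1)


def is_access_authorized(asset: Asset, role: str) -> bool:
    """Step 2: access is allowed only for roles explicitly listed on the asset."""
    return role in asset.authorized_roles


def annual_loss_expectancy(asset: Asset, risk: Risk) -> float:
    """Assumed ALE formula: value * impact fraction * occurrences per year."""
    return asset.value * risk.impact * risk.likelihood


def control_net_benefit(asset: Asset, risk: Risk, control: Control) -> float:
    """Expected annual loss avoided by the control minus what it costs to run."""
    avoided = annual_loss_expectancy(asset, risk) * control.likelihood_reduction
    return avoided - control.annual_cost


def select_controls(assets, risks, controls):
    """Step 4: keep controls whose benefit exceeds cost; others become accepted risk."""
    by_name = {a.name: a for a in assets}
    selected, accepted = {}, []
    for risk in risks:
        asset = by_name[risk.asset]
        for control in controls:
            if control.mitigates != risk.threat:
                continue
            net = control_net_benefit(asset, risk, control)
            if net > 0:
                selected[control.name] = net
            else:
                accepted.append((risk.asset, risk.threat, control.name, net))
    return selected, accepted


# Constructed sample inventory, risks and controls (not real figures)
ASSETS = [
    Asset("customer-db", "head-of-it", 1_000_000, {"dba", "support-lead"}),
    Asset("marketing-site", "marketing", 50_000, {"webadmin"}),
]
RISKS = [
    Risk("customer-db", "credential theft", likelihood=0.5, impact=0.4),
    Risk("marketing-site", "defacement", likelihood=1.0, impact=0.2),
]
CONTROLS = [
    Control("mfa-for-db-access", "credential theft", 20_000, 0.8),
    Control("web-app-firewall", "defacement", 15_000, 0.6),
]

if __name__ == "__main__":
    chosen, accepted_risks = select_controls(ASSETS, RISKS, CONTROLS)
    for name, net in chosen.items():
        print(f"implement {name}: net annual benefit {net:,.0f}")
    for asset, threat, control, net in accepted_risks:
        print(f"accept risk '{threat}' on {asset}: {control} nets {net:,.0f}")
```

Running the script selects the MFA control for the customer database (it avoids far more expected loss than it costs) and records the web application firewall as an accepted risk for the low-value marketing site, which is the kind of documented decision step 4 calls for. The `is_access_authorized` check is the step 2 rule in its simplest form: a role not on the asset's list is denied.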

Enhanced PDPA takes effect from 1 Feb 2021

Under the enhanced PDPA it is mandatory for an organization to report any data breach that: (i) results in, or is likely to result in, significant harm to the affected individuals; or (ii) is of a significant scale (i.e., involves the personal data of 500 or more individuals). Affected individuals must be notified if the data breach is likely to result in significant harm to them. The organization must report to the PDPC as soon as practicable and no later than 3 calendar days.

We are information security consultants who can help your organization implement an information security framework based on ISO/IEC 27001:2022. Do reach out to us via email at [email protected]