How the ISO 27001 standard can help combat the Ransomware

09 August 2017
Published in: Blog
Imagine opening a Word document or a PDF and, instead of the file, seeing a message on your screen telling you that your data has been encrypted. That is enough to stop your heart if the infected device holds data worth a million US dollars. The malware responsible is called ransomware: malicious software that blocks access to the victim's data, or threatens to publish it, until a ransom is paid. When a computer is infected, typical ransomware contacts a central server to obtain the key material it needs, then encrypts the files on the infected computer (and, frequently, on any network shares it can reach). Once encryption is complete, it displays a message demanding payment for the decryption key and threatens to destroy the data if the ransom is not paid.


Just as the right care reduces the chances of a certain ailment, the right measures reduce the risk of data being hit by such malicious software. Protection against ransomware means building a set of security layers, and companies should focus not only on technology but also on people and processes. Implementing ISO 27001 can help fight these threats and save an organization from such disasters: its Annex A provides a comprehensive set of controls that covers all three of these layers.

Some of the ISO 27001 Annex A controls which can help in minimizing the occurrence of such ransomware incidents include:

A.6.1.1 Information security roles and responsibilities
All information security responsibilities shall be defined and allocated, so that the required actions can be taken immediately when such an incident hits the organization's network, and so that someone clearly owns the work of preventing it in the first place.

A.6.1.4 Contact with special interest groups
Appropriate contacts with special interest groups, specialist security forums and professional associations shall be maintained, so that the organization stays abreast of emerging threats and vulnerabilities, in particular those affecting the tools and technologies it uses (new ransomware families and the vulnerabilities they exploit, for example).

A.7.2.2 Information security awareness, education and training
Probably the most important control of all: all employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training about such threats, so that they recognize a suspicious attachment or link and do not become the victim that lets ransomware onto the network.

A.8.1.3 Acceptable use of assets
Rules for the acceptable use of information and of assets such as internet access, email and information processing facilities shall be defined, so that staff use these services safely (for example, not opening unexpected attachments).

A.9.1.1 Access control policy
An access control policy shall be established, documented and reviewed, so that only authorized users can access the company's network and its services under a formal authorization and monitoring mechanism. Limiting each user's rights to what the job requires also limits what ransomware running under that user's account is able to encrypt.

A.12.2.1 Controls against malware
Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

A.12.3.1 Information backup
Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy, so that data can be restored even if the originals are lost or encrypted. For ransomware in particular, at least one copy should be kept offline or otherwise isolated from the network, since ransomware that reaches a host will also encrypt any backups it can write to, and restores should be rehearsed rather than assumed to work.

A.12.6.1 Management of technical vulnerabilities
Information about technical vulnerabilities in the operating systems and software the organization uses shall be obtained in a timely fashion, the organization's exposure to them evaluated, and appropriate measures, patching above all, taken. Ransomware frequently spreads through known, unpatched vulnerabilities, so keeping track of them directs attention to the fixes that actually close the door.

Implementing ISO 27001 means that your information assets are classified and organized in a way that makes it harder for an attacker to infect the organization. Of all the implementation work, the part with the highest payoff for detecting and preventing malware is the risk assessment. During risk assessment, organizations identify the threats, ransomware among them, and the vulnerabilities in their systems that those threats could exploit. If this identification is done properly, preventing the malware becomes easier and more efficient.

Hence organizations that implement ISO 27001 protect the confidentiality, integrity and availability of their key information; ransomware is, above all, an attack on availability. ISO 27001 certification is effective because it does not focus on IT controls alone but also on training personnel to handle situations in which they face suspicious activity. Business Beam offers a range of services in Information Security Management Systems and provides end-to-end ISO 27001 implementation consultancy. Contact us now if you wish to add layers of security to your organization with ISO 27001.

Business Beam

Ikram A. Khan is the Chief Executive and co-founder of Business Beam (Pvt.) Limited. In addition to his executive role, Ikram remains an active corporate advisor, writer, speaker, and workshop leader. He has successfully delivered 25+ consulting assignments and 180+ training sessions internationally. Ikram is an accredited trainer for ITIL, PRINCE2, ISO 27001 and PMP.
