18/03/2024
Enhancing Business Continuity through ISO27001 Compliance
Any organisation operating IT infrastructure and processing data must establish robust measures to safeguard the confidentiality, integrity, and availability of the information being processed. This principle lies at the core of ISO27001, the information security management system developed by the International Organization for Standardization (ISO). Unlike Cyber Essentials, a UK government-based certificationg, focused solely on an organisation’s information technology network, ISO27001 provides a more comprehensive framework, addressing all information, both internal and external, requiring security measures.
What is ISO27001?
ISO27001:2022 is the current version of the standard and those with the previous version (2013) will have to transition to the 2022 version by 31st October 2025. The standard provides a provides a framework and guidelines for establishing, implementing and managing an information security management system (ISMS).
If you have an Integrated Management System (IMS) then ISO27001 sits well alongside the other most commonly implemented ISO standards in the UK covering quality, health & safety at work, and environmental management, namely ISO9001, ISO45001 and ISO14001. other ISO standards may also be relevant to your organisation or business. Examples include ISO5001 (Energy Management), ISO22301 (Business Continuity) or even ISO/IEC 22237-1, which defines the general concepts for the design and operation of datacentres.
Having a robust onformation security management system in place, certified to ISO27001:2013 or ISO27001:2022, helps an organisation to classify, preventand mitigate risks to their data and infrastructure systems. These can include physical breaches, environmental hazards, and cyber threats. In this way, ISO27001 also helps to improve business continuity planning, putting in place controls and measures for a potential incident.
For more information on ISO/IEC 27001 see:
https://www.bsigroup.com/en-GB/capabilities/digital-risk-management/iso-iec-27001-information-security-management-system/
Security Considerations for ISO27001
A fundamental part of ISO27001 is section 6 covering Risks and Opportunities, and in particular a document known as the Statement of Applicability (SoA). The SoA lists each section of the standard, the objective/control required, current controls, a justification for inclusion or exclusion of the section, selected controls, an overview of implementation, control types, InfoSec properties, cybersecurity controls, operational capabilities, and security domains.
Server Rooms and ISO27001
For an onsite server room what needs to be considered for ISO27001?
Here we provide a general overview which can vary for each facility, dependent upon whether they are running an onsite, hybrid or a cloud-based datacentre solution. Even for a cloud-based approach to IT, there will be some on-site processing including connections to the cloud (via cabled Ethernet or Wi-Fi) and potentially a CCTV system for example.
Whilst we focus here on data being processed, it is also important to note that ISO27001 also covers other information assets – anything valuable to an organisation that should be protected from unauthorised access, use, disclosure, modification, destruction or even compromise.
The 6 key areas for server room and data centre managers to consider for ISO27001 include:
- Physical Security Measures
- Access Control Mechanisms
- Environmental Considerations
- Backup and Recovery Strategies
- Incident Response and Management
- Compliance and Auditing
1. Physical Security Measures
ISO 27001 mandates stringent physical security controls to safeguard onsite server rooms. Access to these facilities should be restricted to authorised personnel only. Implementing measures such as biometric authentication, access cards, and camera surveillance systems enhances security and mitigates the risk of unauthorised access or tampering. Additionally, physical barriers such as reinforced doors and locks further fortify the server room against intrusions.
2. Access Control Mechanisms
Controlling access to onsite server rooms is essential for maintaining data confidentiality and integrity. ISO 27001 emphasises the need for robust access control mechanisms, including role-based access permissions and multi-factor authentication. By limiting access to authorised individuals based on their roles and responsibilities, organisations can minimise the risk of unauthorised modifications or breaches within the server environment.
3. Environmental Considerations
Environmental factors can significantly impact the reliability and performance of onsite server rooms. ISO 27001 requires organisations to address environmental risks such as temperature fluctuations, humidity levels, and potential hazards like fire or flooding. Implementing measures such as a climate control system, fire suppression solution, environmental monitoring system and a UPS power protection plan helps mitigate these risks and ensures the uninterrupted operation of servers, storage and their associated networking infrastructure.
The power protection plan should be appropriate to the level of resilience required for the IT facilities. An uninterruptible power supply will be required to provide protection for power outages with a battery capable of either running for long enough to cover most power cuts to provide a shorter runtime to allow a local standby power generator to start-up. As part of this plan, refuelling supplies and maintenance contract cover, including emergency callouts should also be considered.
4. Backup and Recovery Strategies
Effective backup and recovery strategies are essential components of business continuity planning. ISO 27001 advocates for regular backups of critical data stored in onsite server rooms, coupled with offsite storage to mitigate the risk of data loss due to unforeseen events. Organisations should also conduct periodic testing of backup systems and recovery procedures to verify their effectiveness and readiness to restore operations in the event of a disruption.
5. Incident Response and Management
ISO 27001 underscores the importance of having robust incident response and management processes in place to address security incidents promptly. Organisations should establish clear protocols for detecting, reporting, and responding to security breaches or anomalies within onsite server rooms. This includes maintaining incident response teams, conducting post-incident reviews, and implementing corrective actions to prevent recurrence.
6. Compliance and Auditing
Adherence to ISO 27001 standards requires organisations to undergo regular audits to assess their compliance and identify areas for improvement. Auditors evaluate the implementation of security controls within onsite server rooms to ensure alignment with ISO 27001 requirements. By demonstrating compliance through audits, organisations instil confidence among stakeholders and reinforce their commitment to information security and business continuity.
Summary
In conclusion, ISO 27001 compliance can play a pivotal role in enhancing business continuity, and especially for onsite server rooms. By adhering to the ISO 27001 standard, organisations can strengthen their physical security measures, implement robust access control mechanisms, address environmental risks, and establish resilient backup and recovery strategies, including how they respond to a power outage.
Moreover, ISO 27001 promotes a proactive approach to incident response and management, ensuring timely detection and mitigation of security threats. Through compliance and auditing processes, organisations can continuously improve their information security approach and safeguard critical assets against evolving risks, to ensure business continuity.
