Businesses of all sizes are feeling the strain caused by the COVID-19 pandemic sweeping the world today. For most businesses this means a significant disruption to business operations, where customers, partners and employees are either hard to reach, unavailable or forced to significantly change how they work.
To help address these issues, businesses are relying more on electronic means of communication, such as holding meetings over VOIP tools or having employees work from home. However, by making these changes, companies face several challenges, such as how they operate and maintain continuity, how employees access company data from home and how that data is processed – all of which can raise significant security concerns.
But there is some good news: ISO standards can help you address these challenges, especially ISO 27001 and ISO 22301.
ISO 22301 is the standard that describes how to develop a Business Continuity Management System. It requires you to assess the risks that might disrupt your operations and your supply chain, analyse how quickly you need to recover in order to avoid serious damage, and determine which resources you need for that recovery. Based on this information, you then look for solutions that will enable you to recover and develop a business continuity plan for a pandemic. Therefore, to successfully continue your operations, you need to analyse which people, equipment, data, raw materials and third parties you depend on and how quickly you need them, define how to obtain them, and describe the steps to start using them. For that purpose, you need to perform a risk assessment and a business impact analysis, develop the business continuity strategy, and write the pandemic plan for your business.
ISO 27001 is the standard that describes how to develop an Information Security Management System. It requires you first to identify which potential incidents might happen, and then to define which safeguards you need to implement in order to prevent data breaches. Therefore, for employees who are working from home, you need to analyse which kinds of incidents can affect the data stored on their computers and transmitted over the Internet. Only once you know this can you decide whether your employees will be required to use a VPN, use complex passwords, encrypt data, use only pre-approved cloud services, regularly back up their data, and so on. Finally, you should document those rules in policies and procedures.
For help with either standard, please contact us using our contact form.