a
.

    News & Commentary on ISO Management System Standards

    ISO 27001 in Manufacturing & Service Industries - 12 FAQs
    ISO 27001 in Manufacturing & Service Industries - 12 FAQs
    19:09

    Ransomware demand flashing on a screen

    Have you considered this possibility?

    If you wait until this message greets you at work, a Notebook PC is stolen from a company vehicle, or staff members are working on their own PCs from home, it will be too late.  It's not a question of whether your business will be targeted. You're already a target but have been lucky to date.

     

    Table of Contents

    • Information Security for the Manufacturing and Service Industry
    • 1. Is having an ISO 9001 Certified Quality Management System Enough?
    • 2. When does a Manufacturer or Service Provider Need ISO 27001?
      • Are you using confidential information supplied by your customers?
      • Is your computer system in constant or regular contact with those of your customers and/or suppliers?
      • Do you provide a service requiring access to customers’ personal details?
      • Do you have control over the devices being brought to your site or the information being downloaded by those with legitimate access?
      • What controls do you have to prevent those outside your premises from downloading your confidential data?
      • What controls do you have around or within your premises to prevent prying eyes from seeing something to your disadvantage?
    • 3. Risks Posed by Security Breaches and Data Theft
    • 4. Companies Especially Vulnerable to Security Breaches and Data Theft
    • 5. How to Ensure Information Security
    • 6. Why Having an Information Security Management System (ISMS) is Important
    • 7. How to Implement an Information Security Management System
    • 8. Information Security Application in the Supply Chain
    • 9. Why your Supplier Audits must include Information Security
    • 10. Risk Assessment and Supplier Evaluation
    • 11. Useful Sources on Cybersecurity
    • 12. Is ISO 27001 Certification Mandatory?

    Information Security for the Manufacturing and Service Industry

    With more and more data sharing between customers and suppliers, your customers may be nervous about sharing data with you.  And especially so, if you are an SME. Indeed, SMEs are a favorite target of cyber attacks as they are considered to be an easier route to major companies' data than targeting them directly.

    We're not talking credit card information here; what's at stake is technical data (including new product development), sales data (including marketing plans), and financial data (including future investment plans). And remember, it's not your data that they likely want but the data of your major customers.

    It is best to address the issue before approaching new customers. You'll find that potential customers are more likely to seriously negotiate with you when they know you are aware of cyber security threats and have already done something about it.

    1. Is having an ISO 9001 Certified Quality Management System Enough?  

    Many companies say, "We already have ISO 9001. Isn't that enough to keep our customers happy?"

    If this is what you think, I respectfully suggest you remove the blinkers and protect your business before it is destroyed. 

    It’s obvious that companies or organizations like banks or other financial institutions need information security to protect themselves from fraudulent transactions and customers' confidential details and bank card data. It’s not so obvious that in the manufacturing and service industry, information security also matters - really matters!

     

    New call-to-action

     

    2. When Does a Manufacturer or Service Provider Need ISO 27001?

    If you are a manufacturer or service provider and you're wondering whether your company needs ISO 27001 or not, there are six questions you might want to consider ...

    Are you using confidential information supplied by your customers?

    Think for a moment about the information supplied by your customers and how valuable that information might be to a competitor of theirs.  Some examples of confidential information from customers that you would want to protect include:

    • Prototype information for a new product
    • Listings of their customers (to facilitate direct shipment)
    • Supply contract details
    • Process Validation Reports identifying optimum conditions for operating new/confidential technology
    • Information on new technologies/processes/products.
    • Formulations and test methods
    • And so on.

    How difficult would it be for a determined person to lay their hands on that information?

    And the point is: it’s not only your information but also that of your customers and suppliers that may be vulnerable to a cyberattack. While your information may not be of great interest or value, the same may not be true of your customers/suppliers.

    Is your computer system in constant or regular contact with those of your customers and/or suppliers?

    Many organizations have access to customers' systems in order, for example, to effectively manage sales order processing and to facilitate timely deliveries.  

    Ask yourself, is that data protected?  

    Similarly, your own system may be connected periodically or continuously with your suppliers, And a stream of emails counts here.

    What information security controls are in place to protect all the data concerned?  Once a hacker has broken into your server, it may be easy to proceed to download or monitor the servers of your customers/suppliers.

    Do you provide a service requiring access to customers’ personal details?

    If you sell directly to the public, your organization will likely have much personal information, including banking data and credit/debit card details.

    This kind of information is not only subject to abuse to steal from bank accounts but also used to set up false identities, get false passports, set up bogus bank accounts, and other abuses for purposes of money laundering, tax evasion, and even facilitating terrorism.

    How do you prevent the leaking of these data? Do your information security arrangements comply with GDPR requirements?

    Do you have control over the devices being brought to your site or of the information being downloaded by those with legitimate access?

    Of necessity, you and your colleagues likely have access to your organization's confidential data.  That access will be through various devices - conventional workstations, laptop PCs, tablets and hand-held devices, smartphones, etc. 

    These days, staff members using their own PCs from home is common. Much of the data will be on the devices themselves.  

    Are there policies and procedures in place to reduce the risk of a security breach? And what about flash drives?  Are they banned? Have USB drives on all your computer equipment been disabled?

    And then there are delivery vehicles.

    What handheld or in-cabin devices are in use, and what security is in place for them?  If someone stole a device from a vehicle, how difficult would it be to access the information on the device or, via the device, to access your servers?

    What about the laptops and other devices brought on-site by visitors?

    What controls do you have to prevent those outside your premises from downloading your confidential data?

    Handheld devices used, for example, for stock control in warehouses, depend on Wi-Fi.  Is your IT security for Wi-Fi robust enough to prevent a hacker sitting in their car outside your premises from breaking into your system?

    What controls do you have around or within your premises to prevent prying eyes from seeing something to your disadvantage?

    Could a stranger look into your premises using, say, a telephoto lens and see something they shouldn't?

    Could they walk onto the premises through an open gate, over a low fence, or through a damaged fence?  When was the last time you checked the security of the perimeter of your premises?

    Do you have access control within your buildings to restrict access to places where highly confidential activity occurs?

    3. Risks Posed by Security Breaches and Data Theft

    But of course, this is all theoretical, isn’t it?

    No way!  

    The Symantec Internet Security Report (Feb 2019) stated that 1 in 10 URLs is malicious,

    Supply Chain attacks are up 78% year-on-year, and 48% of malicious emails are Office files. Spear-phishing attacks (via e-mail attachments) were mainly targeted at the Manufacturing industry (20.6%) and Service industry (11.7%) and ahead of Finance, Insurance, and Real Estate organizations (11.6% combined).

    Some cyber attack examples for 2020 include:

    • January 2020: The Berlin car rental Buchbinder was breached when customer data were made accessible on the Internet.  The approximately five million files with extensive company correspondence included scanned invoices, contracts, e-mails, and damaged images from cars. The rental agreements included names, addresses, dates of birth, and driver's license information.
    • Apr 2020: Over 500,000 Zoom accounts were offered on hacker forums hosted on the dark web. Some are going for less than a US cent apiece, while others are given away for free.

    • May 2020: The details of 44 million Pakistani mobile subscribers have leaked online this monthThe leak comes after a hacker tried to sell a package containing 115 million Pakistani mobile user records last month for a price of $2.1 million in Bitcoin.


    Note: For information on the latest and largest data breaches worldwide, visit.information beautiful.net

     

    CTA button showing a preview of what learners can learn from deGRANDSON's EU GDPR Advanced Course for Data Protection Officers

    Click on the image on the left to see the table in full size or click the button on the right to see the full GDPR Advanced course

    4. Companies Especially Vulnerable to Security Breaches and Data Theft

    Some companies think that because they are relatively small, no one would be interested in launching a cyber attack against them. If you are one of them, you are treading dangerous waters.

    If you have been keeping up, there are continuing stories in the media of a multi-story office block in Beijing, operated by the Chinese Military, whose sole function is electronic industrial espionage.

    Reputedly, they target small and medium-sized enterprise (SME) suppliers of multinational companies (their actual target) as they expect SMEs to have less secure information security systems in place. 

    Theft of technical information rarely gets publicity because of management embarrassment and the lack of a legal obligation to publicize the loss (unlike with personal information).

    5. How to Ensure Information Security

    You don’t wait for the attack to occur.

    You probably wouldn’t recognize it when it happens, anyway. Chances are, you would only become aware of it after it seriously impacted your business, your customer’s business, or your supplier’s business.  In any case, when the damage has already been done and, likely, is not reversible.

    You need to evaluate the threats your business faces.  Then, sufficient controls and precautions should be put in place to reduce the risk overall to an acceptable level.

    CTA ISO 27001 Infographic

    6. Why Having an Information Security Management System (ISMS) is Important

    The problem usually with projects tackling amorphous subjects like 'risk' is knowing where to start. This is where ISO 27001:2013 comes in. ISO 27001 sorts this out for you by providing a logical framework to tackle information-related risk.

    With an Information Security Management System in place, you’ll be able to sleep easily at night. And so will your customers and suppliers.

    You’d never know, but with ISO 27001 Certification in place, they might put more business your way, confident that you’ll protect confidences.

    7.  How to Implement an Information Security Management System

    You will need the help of a good ISMS consultant.  Make sure of their expertise and check out their previous work.  

    ISO 27001 is not a simple variation of ISO 9001. It has very different requirements, with many mandatory controls required and many subsidiary standards that may apply. An expert will be well worth the investment.

    And remember, just because you're paranoid doesn’t mean they’re not out to get you.

     

    8. Information Security Application in the Supply Chain

    It's not just in-house that you need to take steps to prevent information loss or compromise.  It's your entire Supply Chain. 

    Many of you reading this will be routinely involved in Supplier Audits (and usually against the requirements of ISO 9001).

    But is the vulnerability created by sharing information and other assets evaluated? Do you consider the damage that misuse of your data could trigger?

    9. Why your Supplier Audits must include Information Security

    ‘Property belonging to external providers’ is a heading that will be included in all of your supplier evaluations, not least because your organization owns that property as the external provider.  But does consideration go beyond protecting that property and preserving its identity and traceability? 

    10. Risk Assessment and Supplier Evaluation

    Does the question of protecting the data and information associated with that property get discussed?

    The commercial value of data and the value of intellectual property will vary considerably from case to case.  However, there will be situations where the loss of data/information or actions preventing its use may have severe consequences for your business.  Your preparation for a Supplier Evaluation should include a risk assessment regarding information security.

    Here are some points for you to ponder:

    • Intellectual Property:  How do your suppliers protect the drawings and specifications you have provided? Are they always kept under ‘lock and key’ when not in use? Is access to computers storing such information controlled?

    • Commercial information: How is access to contract documents, supplier agreements, and other information that could be of use to a competitor protected?  What documented confidentiality agreements are in place?

    • Physical property: Customer-supplied inventory is what we normally consider here. In addition to preservation and maintaining identity and traceability, who has access to the storage area? Is it possible for a sample of the material to be taken unnoticed?   

    Could prototype products be photographed or be interfered with?  How secure are the buildings? Would you happen to know if access is controlled? How secure is the perimeter of the premises?

    • Information Storage and Security:  How and where is data/information stored?  How do your suppliers protect your property if stored on local cloud servers or hybrid systems?  What documentation and records are there to support their claims?  Who has access to the system? Is it suitably restricted?  Is their password control system credible?  Is it implemented and checked regularly?

    • The Human Factor:  Wittingly or otherwise, the root cause of most security breaches is something someone has done.  How do your suppliers ensure that contractual requirements regarding confidentiality and security of information are implemented?  

    Are new staff members trained on what to do/not to do as part of induction training?  Is there a tidy desk policy that’s implemented? Is there a B-Y-O-D (bring your own device) policy that’s implemented? Do audits take place regularly to confirm the maintenance of these arrangements?  When talking to staff, is their awareness of the importance of information security apparent?

    I’ll stop now, hoping I’ve got you thinking about all the valuable data and products you share with your Suppliers and how you ask relevant questions when you visit them.

    View ISO 27001 Internal Auditor

    11. Useful Sources on Cybersecurity

    For a comprehensive list of potential information security vulnerabilities to aid you in constructing a list relevant to our organization, see ISO 27001:2022, Annex A:  Reference control objects and controls.

    To get an insight into cybersecurity, there are two sites we’d recommend …

    • Microsoft Virtual Academy: Windows Security & Forensics, and
    • Microsoft Office Resources: Five questions executives should be asking their security teams.

    12. Is ISO 27001 Certification Mandatory?

    Certification to ISO 27001 -- the Information Security Management System standard -- or other security standards is not required. However, it is strongly recommended that you take information security seriously.

    If your business uses formal Working Papers for Supplier Evaluations/Re-evaluations, you should ensure that information security is adequately addressed therein. 

    You should not allow the carelessness or failure of your suppliers to protect your interests or hinder or prevent your organization from satisfactorily safeguarding your information assets. 

    Get started with an ISO 27001 Course

    This is where you should start on your ISMS Project. Take our ISO 27001 Lead Implementer Course to get the skills and knowledge necessary to, for example, understand whether you will need outside consultancy help (and if so h, how much), be able to pitch the project to senior management, get buy-in, and so on. So, check out the link below, and let's get started! By the way, we also provide 24/7 Tutor Support.

    Available ISO 27001 Training Courses Image Map

    Click on the course you are interested in to learn more about it or see our ISO 27001 overview page to see the full suite.

    Related Articles

    • ISO 27001 Implementation in 31 Steps
    • Free ISO 27001 Implementation Handbook (100+ pages)
    • ISO 27001:2022 - facts about the new version
    • Navigating the fifty-six ISO 27000 Series of Standards

    deGRANDSON Global is an ISO Certified Educational Organization

    In October 2021, we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of  …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because it is based on independent third-party assessment, unlike IRCA and Exemplar badges (which we believe are commercially compromised).  It is a ‘university grade’ standard for schools, colleges, and universities to demonstrate competence.

    We provide courses for ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Risk Management, Data Protection and more.


     

    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
    Find me on:
     

    Subscribe to Email Updates

    Recent Posts