As globalisation brings the world closer, a business's data security obligations are no longer confined to its geographical location. The General Data Protection Regulation (GDPR) has already transformed how European residents can control their data. Singapore is taking the security of its business data seriously and has been working on the Personal Data Protection Act (PDPA) since 2013. The PDPA works alongside sector-specific data protection acts such as the Banking Act and Insurance Act.[1]
In Fiscal Year 2021 alone, a staggering 178 data breaches were reported, marking a significant escalation from the 108 incidents documented in the previous year. This represents a daunting 66% increase in the overall number of reported data breaches. Market research shows that cybercrime could cost victims more than $8 globally in 2023 and that criminals can breach 93% of business networks.[2]
In this article, we discuss in greater detail the ISO/IEC 27001 cybersecurity standard.
Types of Cybersecurity Risks
Cybersecurity threats continue to increase in size, risk, and complexity. The risk is a sum of the likelihood of the threat and its impact. Common cybersecurity threats are:
Businesses need to safeguard themselves against such cyberattacks. The attacks could be state-sponsored or from terrorists, industrial spies, crime groups, hacktivists, black hat hackers, or malicious insiders. You can take the following steps to meet the cybersecurity regulations in line with the IEC and ISO standards:
Establish an Information Security Management System (ISMS)
The ISMS requirements in ISO/IEC 27001 define how you manage the risk to people, processes, services, and technology. Using the ISMS, businesses can manage their threats, vulnerabilities, and impacts and design controls to protect the confidentiality, integrity, and availability of data.
You can regulate and restrict access to critical systems and networks and meet the legal, regulatory, and contractual requirements.
Conduct Independent Audits
An independent ISMS certification audit ensures your business complies with the ISO/IEC 27001 standard. Through audits, you can demonstrate how your cyber-risk approach meets local, national, and international cybersecurity laws and regulations such as GDPR in the European Union, CCPA in California, and PDPA in Singapore.
Implement a Privacy Information Management System (PIMS)
ISO/IEC 27701, an extension of ISO/IEC 27001, gives a comprehensive set of operational controls which help businesses implement, maintain, and improve the PIMS. It maps its recommendations to the EU GDPR, the data privacy and cybersecurity law that requires appropriate technical and organisational measures.
Have an Incident Response Plan
The incident response plan helps you avoid litigation risk. It ensures that your business complies with the breach notification requirements of the data security law applicable in your country. ISO 22301 provides principles to manage incidents and prepare for a response.
Ensure Suppliers Are a Part of Your Cybersecurity Strategy
Suppliers are an integral part of your operations, and your legal risk mitigation strategy must consider that. Your risk management strategy should also include the risk profile of your suppliers.
Get Cyber Insurance
Businesses must have cyber insurance to cover any legal costs or penalties due to settlement claims or class action lawsuits.
Proactive cybersecurity measures protect your business from lawsuits, reputational damage, and disruption of business operations. While the chances of a business never experiencing a cyberattack are slim, you can greatly reduce the risk by having a strategic plan that complies with the ISO/IEC 27001 standard.
It is best to work with a trusted ISO/IEC 27001 certification body to meet the demands of PDPA regulations and cybersecurity law in Singapore.
TÜV SÜD provides training for: