ISO 27001 and human vulnerabilities

Ian Kerr’s Computer Weekly article on the human dimension to infosecurity has good and bad points. He correctly highlights how critical it is to address employee behaviour within a security strategy – the smartest technological defences are of little help if your staff leave the front door wide open, whether by accident or design. However, he significantly misstates the way in which ISO 27001 tackles this in its specification for a best practice ISMS.

In fact, one of the 11 control sections in ISO 27001’s list of controls (a section containing nine controls) deals specifically with HR, and many of the others – such as password management and user access controls – also deal explicitly with the human component of threats. I would say that ISO 27001, when properly implemented, provides an extremely strong safeguard against ‘human weakness’ and insider/outsider attacks.