Author: Priyasha Purkayastha, Global Content Manager, TJC Group
Time and again, we have emphasised the importance of data security. Today, data is one of the most valuable assets an organisation runs on. Yet, even with many policies in place, protecting that data from unauthorised access or breaches is a demanding task. Then there are the legacy systems that many organisations still operate, which add further cybersecurity risk. At times it is difficult even to know where and how to start protecting data, and misconceptions and confusion can lead to serious infringements. This ISO27001 guide aims to point you in the right direction. So, dive in to learn more!
1. ISO27001 | What do you need to know about it?
ISO27001 (formally ISO/IEC 27001) is the international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), so that an organisation's information assets are protected. It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard provides a framework for running the ISMS with a clear purpose: to protect the organisation's information in a streamlined, systematic and, most importantly, cost-effective manner, irrespective of the organisation's size or industry.
Organisations should keep in mind that ISO27001 certification is achieved through an external audit. A certification body evaluates the organisation's information security management system (ISMS) against the requirements of the standard. Attaining the certification demonstrates to your stakeholders and customers your commitment to maintaining high information security standards.
1.1 The importance of ISO27001 for organisations
At its core, the ISO27001 standard gives organisations the structure and knowledge they need to protect their information. Beyond that, it allows an organisation to obtain ISO27001 certification, proving to its customers and partners that their data is safeguarded. Note that the certification itself is granted to an organisation's ISMS, not to a person: individuals can attend a course and pass an exam for personal qualifications related to the standard (such as Lead Implementer or Lead Auditor training), but those are training certificates, not ISMS certification. Because it is an international standard, the certification is recognised worldwide, which opens up business opportunities for certified organisations.
1.2 The key aspects of ISO27001 standard
There are several key aspects of the ISO27001 standard that you must know about; the most important ones are listed below.
Information Security Management System (ISMS): The central element of the standard. An ISMS is a systematic approach to managing an organisation's sensitive information. It encompasses people, processes and IT systems, and applies a risk management process so that information remains secure at all times.
Risk assessment and treatment: The standard requires the organisation to identify the threats and vulnerabilities affecting its information, assess the resulting risks, and decide how to treat them, typically by selecting and implementing controls. The decisions taken are recorded so that they can be reviewed and audited.
Management commitment: Leadership must be visibly committed to the ISMS. This includes establishing the information security policy, setting security objectives, assigning roles and responsibilities, and providing the resources needed.
Resource and incident management: Two further important factors. Resource management ensures that the people, tools, training and awareness programmes the ISMS needs are available. Incident management establishes procedures for detecting, reporting, handling and learning from security incidents.
Compliance: Ensuring compliance with legal, regulatory and contractual requirements is pivotal. In addition, the ISMS must be monitored, reviewed and improved regularly, and appropriate documentation (the scope, policies, procedures, risk assessment results, records of actions taken, etc.) must be maintained and presented during audits.
1.3 The three guiding principles of the ISO27001 standard
The ISO27001 standard rests on three guiding principles for securing people, processes and technology: confidentiality, integrity and availability, commonly referred to as the C-I-A triad. Here is more about them.
Confidentiality of data: Data and systems must be protected against access by anyone not authorised, whether people, processes or applications. Confidentiality is supported by technical controls such as access control lists, security tokens, multifactor authentication and data encryption.
Integrity of data: The second guiding principle is integrity, meaning that data is accurate, complete and trustworthy, and that it is not altered or destroyed without authorisation, whether by error or by an attacker. Integrity is supported by controls such as checksums and cryptographic hashes, digital signatures, change control and audit logging, and it also means that the organisation's data is stored reliably without damage.
Availability of data: Lastly, availability means that authorised users can reach accurate information whenever the business needs it. Server failures and insufficient or untested backups can take an enterprise database offline and bring business operations to a halt. Under this principle, organisations must keep their data available, but through authorised access only.
All in all, with an information security management system (ISMS) that meets the requirements and guiding principles of ISO27001, organisations can seamlessly ensure data security. In fact, it gives confidence and establishes credibility amongst shareholders, clients, and interested parties that their data is secured and maintained adequately.
2. Legacy systems and cybersecurity: What’s the catch?
Like we always say, cybersecurity is at the heart of every organisation. Unfortunately, organisations with legacy systems often lose sight of this. If obsolete systems are left unchecked, they become an attractive target for cybercriminals.
Legacy systems are often the entry point for attackers precisely because they sink into oblivion and are neglected. Once vendor support ends, known vulnerabilities accumulate in them and are never fixed, and keeping them updated is expensive, unproductive and, once the vendor stops issuing patches, sometimes impossible. Outdated systems bring their own share of challenges: they may not support encryption or modern access controls, leaving them exposed to internal and external attackers.
Secondly, keeping up with patches and system updates is a challenge for any IT team. The list of cyber vulnerabilities is a long one, and with legacy systems it becomes even more essential to keep a close eye on it.
All of this points towards decommissioning legacy systems as the way forward. However, some organisations still run outdated systems, at least until they migrate to SAP S/4HANA. Sometimes, keeping an obsolete system, even though it is no longer in productive use, is necessary for audits, access to historical data, and so on. Therefore, whether your organisation still uses a legacy system or has kept it for decommissioning later, implementing cybersecurity measures is crucial. But can ISO27001 be applied to these systems?
3. Integrating ISO27001 to legacy systems: Is it a possible strategy?
Organisations wanting to obtain this certification must put in place and maintain the standards described above, and those standards also apply to legacy systems in scope of the ISMS. It can be a challenging task, but it is definitely possible, and it ensures holistic information security across your organisation. Below we discuss key considerations and strategies for maintaining legacy systems under ISO27001.
3.1 Assessment of your inventory
3.1.1 Identify legacy systems: The first step is to create an inventory of all legacy systems, recording for each its purpose, the data it handles (and how sensitive that data is), who still needs access, whether the vendor still supports it, and the security measures currently in place. It is a journey from system sunset to system decommissioning: https://www.tjc-group.com/blogs/legacy-systems-a-journey-from-sunsetting-to-decommissioning/
3.1.2 Risk assessment: With the inventory in hand, perform a detailed risk assessment of each legacy system. This will identify its vulnerabilities and the threats it is exposed to, and gives you the likelihood and impact figures on which treatment decisions are based.
As an example, a legacy system hosted on a VM may put your entire hypervisor at risk: https://www.tjc-group.com/blogs/virtual-machines-to-maintain-legacy-systems-a-good-or-a-bad-idea/
3.2 Gap analysis
3.2.1 Compliance gaps: Probably one of the most important aspects to consider. How do you find compliance gaps? Compare the current state of each legacy system against the requirements of ISO27001 and against the controls you have declared applicable for the ISMS. Every requirement or control the system cannot meet is a compliance gap that needs a documented treatment decision.
3.2.2 Security gaps: Another pivotal consideration. As mentioned before, legacy systems carry a high risk of security lapses.
Therefore, you must identify where your existing obsolete systems fall short of modern security practices and controls. Here is an example of how an SAP system needs ongoing work to close security gaps: https://www.tjc-group.com/blogs/is-it-safe-to-keep-legacy-data-in-an-old-sap-system/
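The inventory, risk assessment and gap analysis of sections 3.1 and 3.2 can be kept in one structured record rather than in prose. The following is an added example, not TJC Group's code or tooling: the three legacy systems in the inventory are constructed, the 5x5 likelihood-by-impact scale and its rating thresholds are assumptions, and the Annex A references used in the control checks follow the ISO/IEC 27001:2022 numbering as an illustrative mapping that you should confirm against the standard before carrying it into a Statement of Applicability.

```python
"""Legacy-system inventory, risk scoring and control-gap report.

Added example, not TJC Group's code. Inventory entries are constructed;
the scoring scale is an assumption; Annex A references are illustrative
and must be confirmed against ISO/IEC 27001:2022 before formal use.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class LegacySystem:
    name: str
    purpose: str
    data_classes: tuple[str, ...]  # e.g. ("personal", "financial")
    vendor_supported: bool         # does the vendor still publish security patches?
    patched_within_90_days: bool
    encrypted_at_rest: bool
    mfa_enforced: bool
    network_segmented: bool        # isolated from the general network
    logs_forwarded: bool           # to central monitoring
    backups_tested: bool
    retention_justified: bool      # documented legal/audit reason to keep the data


SENSITIVE = {"personal", "financial", "health"}
IMPACT = {"health": 5, "financial": 4, "personal": 4, "internal": 2, "public": 1}


def is_sensitive(s: LegacySystem) -> bool:
    return any(c in SENSITIVE for c in s.data_classes)


# Each check pairs a control expectation with a predicate that passes when met.
CONTROL_CHECKS: list[tuple[str, Callable[[LegacySystem], bool]]] = [
    ("A.8.8 Management of technical vulnerabilities",
     lambda s: s.vendor_supported and s.patched_within_90_days),
    ("A.8.22 Segregation of networks", lambda s: s.network_segmented),
    ("A.8.5 Secure authentication", lambda s: s.mfa_enforced),
    ("A.8.24 Use of cryptography", lambda s: s.encrypted_at_rest or not is_sensitive(s)),
    ("A.8.16 Monitoring activities", lambda s: s.logs_forwarded),
    ("A.8.13 Information backup", lambda s: s.backups_tested),
    ("A.8.10 Information deletion", lambda s: s.retention_justified),
]


def gaps(s: LegacySystem) -> list[str]:
    """Controls the system does not currently satisfy."""
    return [name for name, ok in CONTROL_CHECKS if not ok(s)]


def impact(s: LegacySystem) -> int:
    """Impact 1..5 from the most sensitive data class (unknown classes count as 3)."""
    return max((IMPACT.get(c, 3) for c in s.data_classes), default=1)


def likelihood(s: LegacySystem) -> int:
    """Likelihood 1..5: unsupported software weighs most, then missing barriers."""
    score = 1
    if not s.vendor_supported:
        score += 2  # no patches will ever arrive for new vulnerabilities
    score += sum(not flag for flag in (s.network_segmented, s.mfa_enforced, s.logs_forwarded))
    return min(score, 5)


def rating(score: int) -> str:
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def assess(s: LegacySystem) -> dict:
    """Risk register row for one system, including the treatment direction."""
    lik, imp = likelihood(s), impact(s)
    treatment = ("isolate, restrict access, record residual risk, plan decommissioning"
                 if not s.vendor_supported else "close listed gaps and re-assess")
    return {"system": s.name, "likelihood": lik, "impact": imp, "score": lik * imp,
            "rating": rating(lik * imp), "gaps": gaps(s), "treatment": treatment}


def gap_report(systems: list[LegacySystem]) -> list[dict]:
    """Risk register sorted so the highest-scoring system comes first."""
    return sorted((assess(s) for s in systems), key=lambda r: r["score"], reverse=True)


# Constructed inventory for illustration.
SAMPLE_INVENTORY = [
    LegacySystem("legacy-hr-archive", "read-only historical payroll data for audits",
                 ("personal", "financial"), False, False, False, False, False, False, True, True),
    LegacySystem("legacy-crm", "customer history kept after migration",
                 ("personal",), False, False, True, True, True, True, True, False),
    LegacySystem("legacy-wiki", "internal documentation, decommission scheduled",
                 ("internal",), True, True, True, True, True, True, True, True),
]

if __name__ == "__main__":
    for row in gap_report(SAMPLE_INVENTORY):
        print(f"{row['rating']:6} {row['score']:>2}  {row['system']:18} gaps={len(row['gaps'])}  {row['treatment']}")
```

The report deliberately treats "vendor no longer supports it" as the dominant likelihood factor: a patched-up but unsupported system is still a permanent gap against vulnerability management, so its row carries a treatment direction (isolate, restrict, record residual risk, decommission) rather than an instruction to patch.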
3.3 Strategies for mitigation
3.3.1 Patch management: Applying patches to legacy systems can be a challenge (testing, downtime, dependencies on other old components), but it is still necessary to keep them on the latest available updates and security patches. Where the vendor no longer issues patches at all, there is nothing left to apply; the residual risk then has to be recorded in the risk treatment plan and covered by compensating controls such as the segmentation and access restrictions below, with decommissioning as the end goal.
3.3.2 Network segmentation: Isolate the outdated systems from the rest of the network, for example in a dedicated network zone reachable only from a hardened jump host on the specific ports the remaining users need. This minimises the damage in case of a breach, both by limiting who can reach the legacy host and by limiting what a compromised legacy host can reach.
3.3.3 Access controls: Implement strict access controls on your legacy systems: named accounts instead of shared or default ones, the minimum privileges needed (often read-only for archived data), multifactor authentication where the system or a gateway in front of it supports it, and logging of every login. With this, organisations can not only monitor access but also ensure that the systems don't fall into the wrong hands.
3.3.4 Encryption: Again, often a tedious process on obsolete systems, but an important one: use encryption to protect sensitive data processed or stored in the system. Where the application itself cannot be changed, encrypting at the storage or transport layer (encrypted volumes, a TLS-terminating gateway in front of the legacy service) is a practical compensating measure.
3.3.5 Data privacy: Applications built today are expected to include 'privacy by design'; this is rarely the case for legacy systems. Since the EU General Data Protection Regulation (GDPR) became applicable in May 2018, you cannot simply keep a legacy system holding personal data up and running indefinitely: retention must be justified, and data must be deleted once it is no longer needed. Decommissioning your system within a data-privacy-compliant framework is therefore important, and this is not limited to Europe.
Here some regulations across the world https://www.tjc-group.com/blogs/data-privacy-your-absolute-guide-to-its-importance-regulations-and-more/
3.4 Policies and procedures
3.4.1 Document procedures: Create and maintain detailed documentation of all policies and procedures in place to manage and secure legacy systems, including who may access them, how access is granted and revoked, and how they are monitored. ISO27001 requires this documented information for the ISMS, and it is what the auditor will ask to see.
3.4.2 Incident response: Develop specific incident response plans for the obsolete systems in use. Bear in mind that these plans must account for each system's particular vulnerabilities and limitations, for example the absence of a vendor to provide a fix, or the inability to take the system offline during an audit period.
3.5 Training and awareness about cybersecurity
3.5.1 Employee training: Whether you use legacy systems or not, employee training on cybersecurity is always essential. For outdated systems specifically, train the staff who still use them on the risks particular to those systems and on the practices that mitigate them, such as using only the approved access path.
3.5.2 Awareness programs: Apart from training sessions, implement ongoing awareness programmes so that your team members remain vigilant about the security issues related to obsolete systems.
3.6 Monitoring and reviewing the legacy systems
3.6.1 Continuous monitoring: Keeping the guiding principles of ISO27001 in mind, implement continuous monitoring to detect and respond to security incidents on legacy systems. At a minimum, forward the systems' authentication and access logs to central monitoring and check them against the access rules you have defined, so that a login from outside the isolated zone, by an unexpected account or after a run of failed attempts is noticed.
3.6.2 Conducting regular audits: Regular audits of your obsolete systems help ensure continued compliance with the ISO27001 requirements and guiding principles. They also surface new risks and vulnerabilities as the systems age.
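Sections 3.3.2, 3.3.3 and 3.6.1 together amount to a small set of checkable rules: legacy hosts are reachable only from the jump host, only named accounts log in, only key-based authentication is accepted, and a success that follows a burst of failures is suspicious. The following is an added example, not TJC Group's code or tooling, of running those rules over sshd log lines; the host names, IP addresses, user names and the log lines themselves are constructed for illustration, and the rule names and severities are assumptions.

```python
"""Access-policy checks over sshd log lines from legacy hosts.

Added example, not TJC Group's code. Hosts, addresses, users and the log
lines are constructed; the policy encodes the segmentation and access-control
expectations of the text (jump host only, named accounts, key-based auth).
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: sshd events from two legacy hosts plus one unrelated cron line.
SAMPLE_LOG = """\
Mar 12 09:14:02 legacy-hr-archive sshd[1201]: Accepted publickey for auditor01 from 10.10.0.5 port 51234 ssh2
Mar 12 09:15:01 legacy-hr-archive CRON[1204]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 09:16:45 legacy-hr-archive sshd[1207]: Accepted password for root from 192.168.4.77 port 40112 ssh2
Mar 12 22:03:10 legacy-crm sshd[877]: Failed password for admin from 203.0.113.9 port 33001 ssh2
Mar 12 22:03:12 legacy-crm sshd[878]: Failed password for admin from 203.0.113.9 port 33002 ssh2
Mar 12 22:03:14 legacy-crm sshd[879]: Failed password for admin from 203.0.113.9 port 33003 ssh2
Mar 12 22:03:20 legacy-crm sshd[880]: Accepted password for admin from 203.0.113.9 port 33004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Policy:
    jump_hosts: frozenset[str]       # only sources allowed to reach legacy hosts
    allowed_users: frozenset[str]    # named accounts; no shared or root logins
    allowed_methods: frozenset[str]  # e.g. publickey; passwords are not accepted
    brute_force_threshold: int = 3   # failures from one source before a success


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    src: str
    rule: str
    severity: str


# Assumed policy for the constructed environment.
DEFAULT_POLICY = Policy(
    jump_hosts=frozenset({"10.10.0.5"}),
    allowed_users=frozenset({"auditor01", "admin"}),
    allowed_methods=frozenset({"publickey"}),
)


def parse_line(line: str) -> dict[str, str] | None:
    """Return the sshd authentication fields of a syslog line, or None for other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, policy: Policy = DEFAULT_POLICY) -> list[Finding]:
    """Evaluate every successful login against the policy; one Finding per violated rule."""
    findings: list[Finding] = []
    failures: defaultdict[tuple[str, str], int] = defaultdict(int)  # (host, src) -> count
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an sshd auth event
        key = (ev["host"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        flag = lambda rule, sev: findings.append(Finding(ev["host"], ev["user"], ev["src"], rule, sev))
        if ev["src"] not in policy.jump_hosts:
            flag("source-not-jump-host", "high")       # segmentation bypassed
        if ev["user"] not in policy.allowed_users:
            flag("unauthorised-account", "high")       # shared/default/root account
        if ev["method"] not in policy.allowed_methods:
            flag("auth-method-not-allowed", "medium")  # password instead of key/MFA
        if failures[key] >= policy.brute_force_threshold:
            flag("brute-force-then-success", "high")   # guessing run ended in a login
        failures[key] = 0  # a success closes the current failure run
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Number of findings per legacy host, for the monitoring dashboard."""
    return dict(Counter(f.host for f in findings))


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f.severity.upper():6} {f.host:18} {f.user:10} {f.src:15} {f.rule}")
```

The rules are evaluated independently on each successful login rather than stopping at the first hit, so a single event that breaks several expectations (a password login as root from a workstation outside the isolated zone) shows every broken control in the report, which is what the gap analysis and the incident response plan need.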
3.7 Planning the decommissioning
3.7.1 Decommissioning: As mentioned before, organisations cannot keep obsolete systems forever, and decommissioning these legacy systems is critical. The migration needs proper plans and strategies: make sure that the plans for legacy system sunset and decommissioning are optimised and secure, including how the retained data is extracted, verified, stored and eventually deleted.
3.7.2 Phased approach: While planning the migration to upgraded systems like S/4HANA, it is equally important to implement a phased approach to minimise disruptions and mitigate risks effectively. You may decommission a single system, a landscape, or hundreds of diverse systems.
3.8 Vendor management
3.8.1 Third-party assessments: Decommissioning legacy systems isn't a piece of cake; it takes proper planning and considerable effort for data management, step-by-step phasing out of the systems, and more. Third-party decommissioning experts can come to the rescue here. However, make sure to assess your vendor's security procedures and whether they comply with the ISO27001 standard, since a supplier handling your legacy data becomes part of your own risk picture.
3.8.2 Contracts and SLAs: It is important that you include specific security requirements in the contracts and service level agreements (SLAs) of the third-party vendors you join hands with for managing and decommissioning the legacy systems.
With the help of these considerations, organisations can implement, manage, and maintain the security of legacy systems under the ISO27001 framework, while ensuring a comprehensive and robust information security management system.
Not surprisingly, decommissioning program and vendor management also relate to value and return on investments. Some more details here: https://www.tjc-group.com/blogs/decommissioning-legacy-systems-exploring-the-hidden-costs-of-legacy-systems/
4. ISO27001, system decommissioning, and TJC Group: An effective trio
It is with immense pride that we say TJC Group is ISO27001 certified. Achieving this milestone showcases the organisation's commitment to information security while meeting the highest standards of information security management. TJC Group's journey to ISO27001 certification started a year ago, with the aim of formalising and enhancing our cybersecurity practices and building a robust Information Security Management System (ISMS).
Read: https://www.tjc-group.com/blogs/tjc-group-achieves-iso-27001-certification-for-information-security/
With our ISO27001-certified ISMS in place, organisations looking to decommission their legacy systems can join forces with us. Why? Our team of experts helps organisations to:
- Avoid the non-compliance risks that come with legal regulations and data privacy requirements not being enforced in legacy systems.
- Avoid non-compliance during mergers and acquisitions while ensuring secure and continued access to data.
- Bid goodbye, through our decommissioning techniques, to the high costs of maintaining obsolete systems, their substantial licensing costs, and more.
Apart from this, one of our key points is that TJC Group can decommission both SAP and non-SAP legacy systems. As a matter of fact, besides using SAP ILM for decommissioning, we offer our very own cloud-based solution – the Enterprise Legacy System Application (ELSA) for decommissioning. To learn more about how we decommission legacy systems, reach out to our experts here!
Bringing legacy systems under ISO27001 requires careful risk management, documentation, security management and the other considerations mentioned above, together with the guiding principles of the standard that organisations need to adhere to. While legacy systems pose challenges, they can be managed effectively with a well-structured and robust ISMS.
For more such interesting reads on cybersecurity, data privacy, and more, stay tuned with us!