
Sustainability of Information Security and Compliance Management in Organisations

Although every organization has its own strategy, targets and goals, the common goals are ultimately profitability and sustainability. Each of these can be exposed to different risks, so organizations need to manage risks and opportunities in parallel with their main activities. Institutional risk factors change over time; the current pandemic, for example, has affected organizations in different ways, from business continuity to finances.

Some risk factors, however, keep growing, and information security risks are the best example. Every day we hear of a new “Crypto Attack” (ransomware) in which a business has to pay a huge ransom to recover its encrypted data. Cyber-attacks, especially phishing attacks, are reported to have increased by 600% during the Covid-19 period. According to the statistics, the amount of ransom paid because of cyber-attacks in 2020 was 406.3 million dollars, and the figure reached 80 million dollars in the first 5 months of 2021. Yet the cost of assessing and managing potential risks will always be lower than the damage that arises when a risk materializes.

“Risk Based Approach”

If a “risk-based approach” is adopted while evaluating business processes, risks can be managed easily and in parallel with those processes. The risk-based approach is widely applied in sectors (defence, communications, banking, etc.) where institutional maturity is high and the importance of information security and business continuity is understood. Unfortunately, the same sensitivity is not seen in other sectors. It would not be wrong to say that adopting a process-based approach and a risk-based approach is the essential first step towards “institutionalization”, especially in SME-sized organizations.

The risk-based approach is very important not only for internal processes but also for outsourced ones. In supplier management in particular, a compliance problem at the supplier quickly becomes the organization’s own problem. For this reason, supplier security is an integral part of information security management.

“Regulations and Compliance”

One of the factors that has kept information security in mind for the last few years is the GDPR (General Data Protection Regulation). After the regulation came into force, all businesses, big or small, rolled up their sleeves for “GDPR compliance”. It would not be wrong to say that GDPR has changed the perception of information security in every industry. Competent and less competent consultants, salespeople who say “buy this and be GDPR compliant”, and products such as firewalls and DLP were the main actors of this process.

Managers who saw compliance with the GDPR as a plug-and-play, install-and-forget product have learned over time that this is not the case, or will learn it through a worse experience. The “risk-based approach” and the “process-based approach” are at the core of compliance with data protection legislation such as GDPR. For example, when you map data, you have to analyse where data enters, where it is processed and where it is transferred within the relevant business process. The risks to the personal data processed in these processes must then be handled and managed in detail. For this reason, GDPR compliance should be approached holistically.

“Sustainability in Compliance with Regulations”

It is quite clear that organizations need to manage their risks in information security, business continuity and compliance. Another important point that should not be overlooked, however, is the sustainability of compliance activities. A risk assessment done once, a personal data mapping done once, every other process done once: it is almost the same as not doing it at all, because neither your risks, nor your processes, nor the compliance requirements will stay the same. For this reason, risk and compliance management must be handled systematically.

Many organizations achieved compliance with the help of consultants during their GDPR compliance projects. Considerable expenditure was made at that stage and the investment requirements were met. But are these organizations still GDPR compliant today? I think most of them are not, because since the day the regulation was published, many legislative changes and many board decisions have been issued. Organizations have to keep themselves up to date and adapt to these changing conditions. The solution we come across here is the PDCA cycle: the only way for organizations to stay up to date and ensure sustainability is to apply the PDCA systematics.

“Sustainability in Four Steps”

So, what is this PDCA? PDCA, short for the Plan, Do, Check, Action steps, is the keyword of sustainability in managing an organization’s business processes. If these four steps are implemented, your risk management and your compliance with regulations will always be up to date.

Plan: The information security and compliance processes mentioned above are planned in the “Plan” step. You determine your risk management method. Many issues are planned in this step, from defining the roles and responsibilities of the people who will manage the processes to how often the risks will be reviewed.

Do: The procedures determined in the planning step are performed in the “Do” step. Risk analysis, inventory preparation and the implementation of legal texts (privacy notices, consent forms, etc.) are carried out at this stage.

Check: Businesses that think they have achieved GDPR compliance usually carry out the previous two steps and stop before this one, which is why sustainability is not achieved. In the “Check” phase, the activities performed in the Plan and Do steps are audited against the requirements. This control can be carried out through an internal audit, an external audit, routine checks or a management review.

Action: If a possible compliance problem is encountered during the check phase, the root cause of the nonconformity is investigated and corrective actions are taken in the “Action” phase. If necessary, the cycle returns to the planning step, where the plans are reviewed and revised.

With these four steps, processes are always kept up to date in organizations that operate the PDCA cycle. For example, let’s say you have a firewall on your system to manage the risks in the organization’s network traffic. You wrote the firewall rules, and all incoming and outgoing traffic passes through this device to keep you secure. If you do not regularly check the rules, logs and firmware version on the device, the firewall you planned will gradually lose its function and end up as little more than a simple router. To avoid this, the device logs are monitored periodically, firmware updates are applied and the rules on it are reviewed.

Operation in processes is also similar to the firewall example. In your risk management and compliance processes, you plan and implement your processes, control the operation and make the necessary improvements when you detect a need for improvement.
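The “Check” step of the firewall example above, as an added illustration that is not part of the original article: a small review script run over a constructed rule inventory (rule fields, review interval and firmware versions are all assumptions) that produces the findings the “Action” step would then work on.

```python
from datetime import date

# Constructed rule inventory (not from the article). Each entry records when a
# rule was last reviewed and how many hits the log review found in the last 90 days.
RULES = [
    {"id": 10, "src": "10.0.0.0/8", "dst": "10.1.2.3", "port": 443, "action": "allow",
     "last_review": date(2021, 1, 15), "hits_90d": 1200},
    {"id": 20, "src": "any", "dst": "any", "port": "any", "action": "allow",
     "last_review": date(2019, 6, 1), "hits_90d": 0},
    {"id": 30, "src": "203.0.113.0/24", "dst": "10.1.2.4", "port": 22, "action": "allow",
     "last_review": date(2021, 5, 2), "hits_90d": 0},
]


def check_rules(rules, today, review_interval_days=180):
    """'Check' step: return (rule id, finding, detail) tuples for the 'Action' step."""
    findings = []
    for r in rules:
        age = (today - r["last_review"]).days
        if age > review_interval_days:
            findings.append((r["id"], "review overdue", f"{age} days since last review"))
        if r["action"] == "allow" and r["src"] == "any" and r["dst"] == "any":
            findings.append((r["id"], "overly permissive", "allow any -> any"))
        if r["action"] == "allow" and r["hits_90d"] == 0:
            findings.append((r["id"], "unused", "no hits in 90 days; candidate for removal"))
    return findings


def firmware_update_needed(installed, current):
    """Compare dotted version strings numerically (so '6.4.10' is newer than '6.4.2')."""
    parse = lambda v: tuple(int(x) for x in v.split("."))
    return parse(installed) < parse(current)


if __name__ == "__main__":
    # Assumed review date and vendor version for the demonstration run.
    for rule_id, finding, detail in check_rules(RULES, date(2021, 6, 1)):
        print(f"rule {rule_id}: {finding} ({detail})")
    if firmware_update_needed("6.4.2", "6.4.10"):
        print("firmware: update needed")
```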

So how?

You do not need to reinvent the wheel to implement this systematic approach in your organization and ensure the sustainability of your compliance. There is an international organization that has thought about this for us and made guidance its principle: the International Organization for Standardization, ISO, comes to our help here. There is a published standard on almost every subject, and these standards enable the PDCA cycle to operate in organizations.

For information security management there is ISO 27001 (Information Security Management System), for compliance management ISO 27701 (Privacy Information Management System), and for risk management the ISO 31000 risk management guideline. When information security and compliance management are planned with reference to these and similar standards, their sustainability is easily ensured.

If you want to integrate the relevant standards in your organization, you should start with a gap analysis. This type of assessment gives you the opportunity to determine in which areas your organization has weaknesses and deficiencies, so that the business plan needed for compliance can be drawn up.

In short, there are many issues that are vital to an organization, and two of them stand out today: information security and legal compliance. Although sustaining these two is very difficult, it becomes straightforward when they are operated according to standards. It is like assembling flat-pack furniture: with the right manual and the appropriate tools you can assemble it with pleasure and be proud of the result; without a manual and tools you will have a nervous breakdown. Therefore, do not be intimidated by information security and compliance processes; with the right guide you can safely continue on your way.

Published in Genel
