The big issue with ISO27001: Qscan Group’s Ivar van den Berge

Radiological imaging and clinical group QScan Manager of Information Security, Ivar van den Berge, shares approaches to adequate cybersecurity governance

Originally from the Netherlands, Ivar van den Berge was always interested in STEM classes. When he went through university and completed a Master’s in Chemical Engineering and Computer Science, he found his passion in computer science. He rolled this into SAP security in one of his first jobs, and later into LAN administration.

“This experience helped me land a job with one of the big consulting firms as an IT Auditor. Though auditing was not my favourite, it has taught me a lot of about risk management, controls, supporting evidence and so on,” van den Berge says.

“I still apply those learnings in my day to day. These days I focus mostly on the GRC side of cybersecurity, establishing and leading cybersecurity teams, and maturing the capabilities and service delivery. Working with a team of likeminded professionals gives me energy and drive.”

Give Clarity to the Board and Get Support

The lack of alignment and consistency across different jurisdictions and sectors is a big issue when it comes to cyber security standards and regulations. This creates challenges for boards of large companies that must deal with multiple and sometimes conflicting requirements, as well as increased costs and complexity.

“Boards need to have a clear understanding of their cyber risk exposure and the applicable standards and regulations, as well as the ability to communicate and collaborate with relevant stakeholders,” van den Berge says.

“Boards also need to ensure that they have adequate cyber security governance, oversight, and accountability mechanisms in place, as well as the necessary skills and expertise to oversee cyber security strategy and performance.”

We asked van den Berge to share his perspective on implementing an Information Security Management System (ISMS) based on ISO27001, and the ability to get certification. He thinks that is a good practice for any organisation that is serious about protecting its information assets.

“ISO27001 is a globally recognised standard and helps to identify and manage the risks associated with information security. The controls found in the ISO27001 standard create the foundations to comply with local regulations or pave the way to comply with other standards like SOC2 and GDPR more easily,” he says.

“Getting ISO27001 certified, demonstrates to the board and other stakeholders that the organisation has implemented best practices for information security management, which in turn may result in better business opportunities, providing a competitive advantage compared to organisations who do not have a certified ISMS.”

But that doesn’t come without challenges. Implementing an ISMS based on ISO27001 is not a trivial task. It requires a lot of commitment, resources, and expertise from top management and all levels of the organisation. It involves a cultural change and a shift in mindset toward information security as a strategic objective and a business enabler.

“Quite often organisations do not have the internal experience nor expertise to manage an ISMS implementation, with one of the biggest challenges for executive leadership and company boards is to understand the value and benefits of information security and to allocate a sufficient budget and support for the ISMS implementation project,” van den Berge says

“Another challenge is to ensure that the ISMS is aligned with the business goals and objectives, and that it covers all the relevant processes, activities, and functions of the organisation.

“A third challenge is to monitor and measure the performance and effectiveness of the ISMS and to review and update it regularly to keep up with the changing threats and requirements.

“There are multiple ways to overcome these challenges. I suggest starting by training internal staff who play a vital role in the implementation, combined with the knowledge, experience and expertise of a security expert like a CISO. When more capacity or guidance is desired, bring in external expertise. Consultants or a compliance tool based guided implementation, or a combination of both.”

Speaking the Right Language

There seems to be a large gap between cybersecurity leaders and company boards. This gap could have various reasons, like the inability of the CISO to translate technical jargon into business language, or CISOs and board members not spending enough time together outside board meetings.

Van den Berge thinks in some organisations, security leadership is shielded from the board.

“Whatever the reason, I believe things must change. With ever increasing responsibilities of board directors, and an increasing focus on personal liability when it comes to cyber security breaches, cybersecurity should become a permanent item on the agenda in the board meetings,” he says.

“Board directors should realise that a cyber-attack and/or breach is not only a risk, but an eventuality waiting to happen. No matter the protections put in place, the question the board directors should ask is, how do we respond and recover from a cyber-attack or breach. The focus should be on organisational resilience, and quick recovery.”

Van den Berge is moderating a panel discussion on Board Communication at CISO Brisbane 2023, taking place on 29 & 30 August at Hilton Hotel Brisbane.

“I hope the panel discussion will highlight some of the ways in which the challenges with company boards have been overcome. These insights will hopefully give our audience some guidance on how to initiate or change the conversations with board members and in board meetings.”

Don’t miss your chance to attend CISO Brisbane this August. Register to attend today!