By Scott Neas
Last year’s WannaCry cyber-attack provided the world with a glimpse of just how great an impact a full-scale attack could have. WannaCry crippled more than 200,000 computers running Microsoft Windows in 150 countries in May 2017, bringing business to a halt for organizations around the globe, like Britain’s National Health Service, Germany’s Deutsche Bahn, Denmark’s Maersk and FedEx in the United States. And while the aerospace industry was largely spared in the initial attack, in March of this year, Boeing was hit by WannaCry at its plant in Charleston, SC. While the company insists the impact was limited, it certainly serves as a warning that the aerospace industry as a whole needs to be steadfast in its commitment to ensuring that systems are updated and information is protected.
Typically the aerospace sector plans for the long-term, with production cycles spanning decades, but the industry needs to be more agile than ever in the face of changing technology, including increased connectivity for planes and parts, up and down the supply chain. For companies across the industry, safeguarding information is more important now than it ever has been.
In order to avoid business interruption and loss of credibility in the face of a cyber attack or other breach, aerospace companies need to become more flexible and adaptable in the management of their information—physical, digital and intellectual property—throughout their lifecycles. One such way to do this is by implementing information security management standards like ISO/IEC 27001. This internationally recognized standard is an excellent framework that helps organizations manage and protect their information assets so that they remain safe and secure.
ISO/IEC 27001 not only helps protect business in the face of an attack, it also sends a clear signal to customers, suppliers and the marketplace that an organization can handle information—from credit card details to intellectual property to private customer data—securely.
Taking the First Step
The first step on the road to ISO/IEC 27001 certification is to evaluate your current practices to get a better sense of how the standard can benefit your particular business. Starting out, companies generally should:
Assess the Current Situation
A business may already do a lot of what’s included in the standard, so when setting out, the organization should review the systems, policies, procedures and processes that are already in place. In this way, companies can adapt the standard so that it works best for them and adds value overall.
Implementing a standard like ISO/IEC 27001 requires commitment from across the organization, but securing the commitment of top management is critical to the success of implementation. They will need to be actively involved and approve the resources required. Additionally, implementation requires departments across the organization to work together. By avoiding silos, the company can ensure that it is implementing and adhering to the standard to the benefit of its customers and the organization overall.
Evaluate Current Performance
By determining how the organization currently evaluates performance of any existing security management programs, it can determine what is working well and where there is room for improvement. In this way, it will know where to focus efforts as it works toward certification in the standard.
Establish Partnerships for Success
Getting started on the road to information security may seem like a daunting task, but standards like ISO/IEC 27001 are customizable and flexible to the organization. Additionally, companies can work with organizations like BSI, which has been helping entities the world over implement and maintain standards for more than a century. Regardless of whether a company has a full-scale information security management program, or is just toying with the idea of one, a standard is a good way to ensure that security becomes and remains central to a company’s operations.
Scott Neas, BSI Service Delivery Director, is responsible for maintaining Aerospace and QMS certification under the ANAB accredited scheme for AS9100, AS9110, and AS9120 as well as ISO 9001. Scott’s team delivers over 6500 audit days per year for 1400 certifications. Scott was previously the Aerospace Technical Manager and Client Manager for BSI, delivering certification audits as a Lead Auditor for all AQMS standards. With a background in engineering and quality, Scott began his career working for Lockheed Martin Aeronautics with positions in Manufacturing, Engineering, and Quality. Scott holds an MBA and a BS in Mechanical Engineering, is a Certified Quality Engineer and maintains his AS9100, AS9110, and AS9120 Lead Auditor qualifications.