There are plenty of opportunities for people to disclose, steal or sell sensitive company data. After all, anyone who really wants to swipe information needs only the intent and a USB stick. Admittedly, truly nefarious types are in fairly short supply. But the every day threat to any company’s data comes from the unintentional …
27001 is about security* management not technology. That's why (unlike, say, PCI-DSS) it doesn't need to change every 6 months to reflect changes in hardware and software.
Of course, just because an organisation has 27001 certification doesn't mean it's necessarily secure. What it does mean is that they must have in place the mechanisms to deliver the level of security appropriate for their needs. Top tip - check the scope of the 27001 registration to ensure that it doesn't just cover one server in a cupboard; better still, check the Statement of Applicability.
* I know it's been said before, but it bears repeating: "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." - Bruce Schneier
You can always test things for yourself....
Turn up at almost any office wearing a suit and carrying a 'laptop bag' or similar, walk along the road looking out for someone who is probably heading into the office, time your walk so you arrive just after them. Almost certainly, without having a clue who you are, they will hold the nicely secure door open for you if you look like you know where you are going (which you do - you're following them).
Now inside you will find a plethora of machines around which can be nicked, or interesting conversations to over hear in the canteen.
One company I worked for lost a pile of blade servers to a 'tail gater'
Another (earlier) lost a pile of brand new monitors because the 'worker' was moving 21" monitors to te back door and replacing with old 14" because the 21" needed a 'repair' - they were loaded onto a lorry and driven away.... all of this in broad daylight in a fully manned office!
Many other companies have poor physical security - worked for one where the ashtray was used to smash through the glass door, they got away with 30 or so laptops, a pile of prototype devices and associated goodies, including some 'secret security' code... they were gone long before the police turned up 10 minutes after the alarm. No on-site security.
Anyone giving away personal info should be aware they might as well publish it on the internet.
- YARR! Pirates walk the plank: DMCA magnets sink in Google results
- Pics Whisper tracks its users. So we tracked down its LA office. This is what happened next
- OnePlus One cut-price Android phone on sale to all... for 1 HOUR
- UNIX greybeards threaten Debian fork over systemd plan
- MARS NEEDS WOMEN, claims NASA lady: They eat less