August 9, 2016

Last Updated on January 18, 2024

The other day I spoke with the frazzled IT security person for a small hospital system. They had just been hammered by ransomware that impacted protected health information (PHI). The conversation started with this question: “If we had been ISO 27001 certified at the time of the attack, would that have prevented us from becoming infected?”
My answer was this: “An ISO 27001-compliant information security management system (ISMS) might very well have prevented or blocked the ransomware attack. But implemented properly, it certainly would have minimized the impact.”
Here is how ISO 27001 addresses ransomware:
ISO 27001 requires that you formally document the scope of your ISMS. Think of it this way: What information are you protecting, when, where, and why?
During the ISMS scoping phase, you identify the data that the ISO 27001 ISMS is intended to protect. For a hospital system, I would expect that PHI and credit card information would minimally form the basis of the information in scope. During scoping, it is critical to understand the processes that act on the data (e.g., patient intake, financial screening, vitals, patient history, pharmacy, etc.) and the assets that support those processes (e.g., tablets, medical equipment, applications, networks, etc.).
Understanding scoping is critically important to understanding risk. If you don’t know what information you are protecting and in what contexts, you can’t understand risk (e.g., the threats to the data and the vulnerabilities that those threats would attempt exploit.)
Performing a comprehensive Risk Assessment is the basis of ISO 27001 certification. During the risk assessment, malware (including ransomware) would have been identified as a threat.  Ransomware exploits vulnerabilities in user knowledge of the threats, improperly configured/updated systems (e.g., operating systems, browsers). The impact of ransomware is exacerbated by a lack of recent, unaffected data backups for the encrypted data.
During the development of the Risk Treatment Plan (the definitive list of controls that need to put in place to reduce all risks to an acceptable level), the proper extent/rigor of ISO 27001 controls necessary to mitigate ransomware attacks would have been identified. They likely would have included:

  • Security Awareness Training (addressed under A.7: Human Resource Security)
  • Admin access on desktops (addressed under A.9.2: User Access Provisioning)
  • Anti-Virus/IPS (addressed under A.12.2: Protection from Malware
  • Vulnerability/configuration management (addressed under A.12.6:Technical Vulnerability Management)
  • Data backups (addressed under A.17.1 Information Security Continuity)

A key component of ISO 27001 is the requirement for management to govern the ISMS and confirm its effectiveness via both internal and external audits. So the effectiveness of the controls would have been validated.
Does ISO 27001 compliance make you 100% immune to ransomware? No—there is no such thing as 100% secure. What ISO 27001 will do is significantly reduce the risk of a ransomware attack occurring. And if a ransomware attack does occur, ISO 27001 should reduce the impact to a negligible level.