Chad Kymal

Risk Management

Information Security: To Hack, or Not to Be Hacked

Addressing risks from inadequate information security and cybersecurity starts with leadership

Published: Tuesday, March 26, 2019 - 12:03

When we think about IT security, we typically think about the large hacks that have been reported in the press. Taken together, they convey the magnitude of the data that has been lost, so it is no surprise that these hacks are what come to mind when we think about information security.

The table below lists some of the largest hacks of this century. The number of accounts affected in each case ranges into the millions.

Greatest Security Breaches, 2003–2018, Ranked

| Organization | Accounts hacked | Date of hack |
|---|---|---|
| (not given) | 3 billion | Aug. 2013 |
| (not given) | 500 million | (not given) |
| (not given) | 500 million | Late 2014 |
| Adult FriendFinder | 412 million | Oct. 2016 |
| (not given) | 360 million | May 2016 |
| Under Armour | 150 million | Feb. 2018 |
| (not given) | 145.5 million | July 2017 |
| (not given) | 145 million | May 2014 |
| (not given) | 110 million | Nov. 2013 |
| Heartland Payment Systems | 100+ million | May 2008 |
| (not given) | 100 million | June 2012 |
| (not given) | 98 million | Feb. 2012 |
| (not given) | 94 million | (not given) |
| Sony PlayStation Network | 77 million | April 2011 |
| JP Morgan Chase | 83 million | July 2014 |
| (not given) | 65 million | Feb. 2013 |
| (not given) | 57 million | Late 2016 |
| Home Depot | 53 million | April 2014 |
| (not given) | 50 million | July 2017 |
| U.S. Office of Personnel Management (OPM) | 22 million | (not given) |
| (not given) | 78.8 million | Feb. 2015 |
| RSA Security | 40 million | March 2011 |
| (not given) | 38 million | (not given) |

Sources: “The 18 biggest data breaches of the 21st century,” by Taylor Armerding, CSO; “The biggest data breaches of all time, ranked,” by Nicolas Rivero, Quartz

The largest hack happened to Yahoo in 2013; can you imagine the effects of 3 billion accounts being hacked? That is approximately 10 times the current U.S. population. The second biggest hack is the attack against Marriott, which affected 500 million accounts. The Marriott hack hits especially close to home for me because I use the hotel often and am a top-status traveler. The hackers not only have the personal information of 500 million accounts, but also several credit card numbers. Marriott has yet to acknowledge the issue or provide warning to customers to change their credit card numbers.

If you review this list of hacks, you’ll likely agree that the issue is something we should all be concerned about. Take Yahoo, for example. The company first had 3 billion accounts hacked and then another 500 million a year later. It appears that Yahoo’s IT security team couldn’t measure up to the hackers, or that top management didn’t provide the impetus and focus inside the organization. We believe there are numerous other hacks that aren’t making the news because they have happened to manufacturing and design organizations and aren’t affecting the general public.

These external hacks are cybersecurity issues, defined as attacks from the internet, or as ISO standards call it, cyberspace. It is worth looking at the term as it’s defined in the guidance standard ISO 27032 “Information technology—Security techniques—Guidelines for cybersecurity.” ISO 27032 defines cybersecurity as “Cyberspace security: Preservation of confidentiality, integrity, and availability of information in the Cyberspace.”

Cyberspace is defined as the “complex environment resulting from the interaction of people, software, and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form.”

Cybersecurity is important, but organizations need to implement information security as well. Information security is the larger issue that contains cybersecurity as one of its elements. See the diagram below, displaying information security and its relationship to cybersecurity.

Information security standards are the most important standards of our time. Many CEOs have left the topic of cybersecurity to the CIOs and haven’t gotten involved themselves. The U.S. Securities and Exchange Commission issued an interpretive guidance last year to companies that trade on the stock exchange. According to the guidance, “Cybersecurity risks pose grave threats to investors, our capital markets, and our country. Whether it is the companies in which investors invest, their accounts with financial services firms, the markets through which they trade, or the infrastructure they count on daily, the investing public and the U.S. economy depend on the security and reliability of information and communications technology, systems, and networks.... Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.... First, this release stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. Companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity. Such robust disclosure controls and procedures assist companies in satisfying their disclosure obligations under the federal securities laws.”

This guidance makes it clear that implementing an IT guidance standard such as ISO 27001 is really not an option but a requirement for publicly traded companies.

How ISO 27001 works

For those familiar with ISO standards, it helps to know that ISO 27001 follows the ISO high-level structure and is built on the plan-do-check-act cycle, also known as the Deming cycle. As one would expect, the controls of this standard differ in important ways from those of other ISO standards. ISO 27001 features two key requirements: clause 6.1.2, which requires that an information security risk assessment be performed, and clause 6.1.3, which requires information security risk treatment. Clause 6.1 (risk and planning) thus identifies the information security and cybersecurity objectives, and also the risks associated with information security threats, both external and internal. The risk treatment section requires organizations to consider the 132 risk controls in Annex A of the standard. (More on this later.)

In clause 6.2, ISO 27001 requires organizations to identify the information security objectives and develop plans to achieve them. Under clause 8.0—Operations, the standard requires the organization to implement the plans developed in clauses 6.1 and 6.2, conduct regular information security assessments (clause 8.2), and implement the information security risk treatment plan created, as required by clause 6.1.3.

Annex A: Information Security Controls

Annex A of ISO 27001 is broken down into 14 control areas, which collectively contain 132 individual controls. The expectation is that each area is considered and covered; if one is not, the exclusion must be justified. The assessment, the risk treatment plan, and then the implementation must cover each of these areas. This is also where the National Institute of Standards and Technology (NIST) programs can integrate with ISO 27001. NIST is a nonregulatory agency of the U.S. Dept. of Commerce.

NIST’s Special Publication 800-53 provides a catalog of security controls for all U.S. federal information systems except those related to national security. The NIST standards are quickly becoming mandatory requirements for manufacturers that supply the federal government. U.S. law specifies minimum information security requirements for information systems used by the federal government, and this in turn refers to Special Publication 800-53 as the mandatory minimum set of controls that federal agencies must implement.
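The clause 6.1.2 assessment, the clause 6.1.3 treatment, and the Annex A "cover it or justify the exclusion" rule described above can be expressed as a small risk register with consistency checks. The following Python is an added example written for this article; it is not code from the article, from Omnex, or from the standard. ISO 27001 does not prescribe a scoring scheme, so the 1-to-5 likelihood and impact scale, the risk appetite threshold, the risk identifiers, and all sample risks and treatments are constructed for illustration; the four treatment options (modify, retain, avoid, share) follow the vocabulary of the companion standard ISO/IEC 27005, and the 14 area numbers and titles are those of ISO/IEC 27001:2013 Annex A.

```python
from dataclasses import dataclass

# Constructed scale: 1 (rare / negligible) to 5 (almost certain / severe); score = likelihood x impact.
RISK_APPETITE = 9  # constructed threshold: scores above it must be treated, at or below may be retained

# The 14 control areas of ISO/IEC 27001:2013 Annex A (area numbers and titles as in the standard).
ANNEX_A_AREAS = {
    "A.5": "Information security policies",
    "A.6": "Organization of information security",
    "A.7": "Human resource security",
    "A.8": "Asset management",
    "A.9": "Access control",
    "A.10": "Cryptography",
    "A.11": "Physical and environmental security",
    "A.12": "Operations security",
    "A.13": "Communications security",
    "A.14": "System acquisition, development and maintenance",
    "A.15": "Supplier relationships",
    "A.16": "Information security incident management",
    "A.17": "Information security aspects of business continuity management",
    "A.18": "Compliance",
}


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str
    threat: str
    source: str        # "external" (from cyberspace) or "internal", the distinction the article draws
    likelihood: int    # 1..5
    impact: int        # 1..5

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Treatment:
    rid: str
    option: str        # "modify" (apply controls), "retain", "avoid" or "share" (ISO/IEC 27005 terms)
    areas: tuple       # Annex A areas the selected controls come from, e.g. ("A.9", "A.12")


def assess(risks):
    """Clause 6.1.2 style assessment: rank risks and flag those above appetite."""
    ranked = sorted(risks, key=lambda r: r.score, reverse=True)
    return [(r.rid, r.score, r.score > RISK_APPETITE) for r in ranked]


def validate_treatment(risks, treatments):
    """Clause 6.1.3 style check: every risk above appetite needs a treatment, a
    'retain' decision is only acceptable within appetite, and 'modify' needs controls."""
    by_id = {t.rid: t for t in treatments}
    problems = []
    for r in risks:
        t = by_id.get(r.rid)
        if r.score > RISK_APPETITE and t is None:
            problems.append(f"{r.rid}: score {r.score} above appetite but untreated")
        elif t is not None and t.option == "retain" and r.score > RISK_APPETITE:
            problems.append(f"{r.rid}: retained at score {r.score}, above appetite")
        elif t is not None and t.option == "modify" and not t.areas:
            problems.append(f"{r.rid}: 'modify' chosen but no Annex A controls selected")
    return problems


def statement_of_applicability(treatments, justifications):
    """Every Annex A area must be either applied by some treatment or explicitly
    justified as excluded; returns (area -> status, list of unjustified gaps)."""
    applied = {a for t in treatments for a in t.areas}
    status, gaps = {}, []
    for area in ANNEX_A_AREAS:
        if area in applied:
            status[area] = "applied"
        elif area in justifications:
            status[area] = f"excluded: {justifications[area]}"
        else:
            status[area] = "GAP"
            gaps.append(area)
    return status, gaps


# Constructed sample register: two external (cyberspace) threats and one insider threat.
SAMPLE_RISKS = (
    Risk("R1", "customer account database", "credential stuffing from the internet", "external", 4, 5),
    Risk("R2", "payment card records", "exfiltration by a privileged insider", "internal", 2, 5),
    Risk("R3", "design file server", "ransomware delivered by phishing", "external", 3, 4),
    Risk("R4", "visitor Wi-Fi", "guest device probes internal hosts", "external", 3, 2),
)
SAMPLE_TREATMENTS = (
    Treatment("R1", "modify", ("A.9", "A.12", "A.16")),
    Treatment("R2", "retain", ()),          # deliberately wrong: R2 scores 10, above appetite
    Treatment("R3", "modify", ("A.12", "A.13", "A.17")),
    Treatment("R4", "retain", ()),          # acceptable: R4 scores 6
)
SAMPLE_JUSTIFICATIONS = {"A.15": "no suppliers handle in-scope information"}  # constructed exclusion


def demo():
    """Run all three checks over the constructed register; returns (ranking, problems, gaps)."""
    ranking = assess(SAMPLE_RISKS)
    problems = validate_treatment(SAMPLE_RISKS, SAMPLE_TREATMENTS)
    _, gaps = statement_of_applicability(SAMPLE_TREATMENTS, SAMPLE_JUSTIFICATIONS)
    return ranking, problems, gaps


if __name__ == "__main__":
    ranking, problems, gaps = demo()
    print("ranking:", ranking)
    print("treatment problems:", problems)
    print("Annex A areas neither applied nor justified:", gaps)
```

Running it ranks R1 (20), R3 (12) and R2 (10) above the constructed appetite, reports R2 as wrongly retained, and lists the eight Annex A areas that the sample treatments neither apply nor justify. In a real management system the gap list is what the Statement of Applicability must close, either with controls traced back to a risk or with a written justification that an auditor can check.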

Role of top management

Clause 5.0 of ISO 27001 explains that top management is accountable for information security, and that the information security processes must be integrated into the organization’s business processes—in other words, the “process approach or the process map.” As expected, the objectives, the progress toward objectives, the effectiveness of the controls, and other metrics are reviewed during the management or business reviews that are led by top management. It is crucial that top management understand its important role in governing information security and cybersecurity.

Where do we go from here?

An organization’s understanding of the risks related to information security and cybersecurity must start with company leadership. The U.S. Securities and Exchange Commission has made it very clear that if you are a publicly traded company, then you will need to develop policies and procedures that deal with cybersecurity risk. A good place to start is ISO 27001 with its well-defined requirements and process methodology. Additionally, ISO 27001 integrates well with the organization’s quality management system.

The company board needs to get involved and take on oversight of, and responsibility for, this effort. The U.S. Securities and Exchange Commission guidance asks for a description of how the board administers risk oversight. ISO 27001 requires both internal and external audits. As with the Sarbanes-Oxley Act, the system should be regularly tested by assessors who test the process. Vulnerability assessments and penetration tests by hired external parties also need to become regular practice for organizations. Organizations should not focus only on external parties but also on internal attacks and on the general availability of information. That’s where ISO 27001 management systems can play a critical role.

Implementing ISO 27001 and getting a third-party certificate isn’t enough. Cybersecurity and information security require continual monitoring and upgrades of the organization’s defense. Technology is constantly changing and requires IT security teams to constantly update processes and technologies.

As a place to start, Omnex recommends that top management, along with the company’s board of directors, be provided with an executive overview of this issue. Join Quality Digest and Chad Kymal, Omnex’s founder and CTO, in the webinar, “Cyber-Insecurity? How to Secure Your System Against a Hack Attack—ISO/IEC 27001” to learn how to implement a robust cybersecurity and information security program. Register here.


About The Author


Chad Kymal

Chad Kymal is the CTO and founder of Omnex Inc., an international consulting and training organization headquartered in the United States. He is also president of Omnex Systems, a software provider of ISO 9001, ISO 14001, and ISO 27001 management systems. He developed and teaches auditor training for ISO 9001, IATF 16949, ISO 14001, and ISO 45001, as well as an Integrated Management Systems Lead Auditor training course where all three standards are combined in a single audit.

Kymal is also on the ISO/TC 176, ISO/TC 207, and PC283 committees for ISO 9001:2015 (quality), ISO 14001:2015 (environmental), and ISO 45001 (health and safety) management system development.




Information Security

Insightful read on the why and what of Information Security... and the lack of it...