Construction industry organisations generate and utilise vast amounts of highly sensitive commercial and personal data. Whether it be employee, project, or company information, organisations stand to lose a lot should this information fall into the wrong hands due to a security breach. As businesses grow, their reliance on data and information increases, and so do the potential consequences of a cyber-attack.

Therefore, today more than ever, construction industry organisations recognise the need for mitigating vulnerabilities to protect the confidentiality and integrity of their information assets. To do so, they are turning to the international standard for information security ISO/IEC 27001:2013 (ISO 27001) which has become today, the fastest growing management standard in the world. ISO 27001 sets out the requirements for an information security management system (ISMS). It is divided into two sections; the first and main section contains 11 clauses and the second one, Annex A, consists of 114 control objectives and control guidelines.

Clauses 0 to 3 are introductory clauses consisting of: Introduction, Scope, Normative references, and Terms and definitions of the ISO 27001 standard. The subsequent clauses (4 to 10) consist of the mandatory requirements which constitute compliance when fulfilled. In ISO 27001 requirements article we had gone over the requirements one by one, and in great detail. Although all the requirements are mandatory and of equal importance, in this article we will focus more on those that require special attention for organisations in the construction industry.

Clause 4: Context of the organisation

The context of the organisation clause requires an organisation to identify and consider potential external and internal information security issues that could impact its strategic objectives, and use them as a foundation to define the scope of the Information Security Management System (ISMS). The clause also requires organisations to identify who their interested parties are. Successfully identifying internal and external issues, as well as interested parties will enable them to devise better strategies, allocate resources more efficiently and delimit the extent of the ISMS’ application to the organisation to ensure an effective implementation.

The context of construction organisations is very complex in nature and involves various activities including but not limited to communication, procurement, design, scheduling, and planning, all of which are managed through intelligent information technology systems. Additionally, construction project management is increasingly reliant on the use of mobile information and communication technologies. This reliance will continue to grow as these technologies become more and more advanced and adapted for the job.

Although these technologies have tremendous benefits on the industry, they can also be at the origin of its downfall should their security become compromised. This is why, it is of extreme importance that all the intricacies of construction activities that constitute the context of a construction organisation must be seriously considered when building an ISMS.

Clause 6: Planning

The planning clause requires the organisation to conduct a risk assessment, where the issues and requirements referenced in clause 4 are considered, to establish the risks and opportunities that need to be tackled to attain continual improvement, lower undesired effects, and ensure that the ISMS is able to fulfill its intended outcomes. A thorough information security risk assessment centred around Annex A controls constitutes a solid foundation to build an ISMS on.

Once the risks and opportunities are identified the organisation must plan and make the necessary arrangements to address these risks and opportunities and integrate them into the processes of the ISMS. After that, the effectiveness of these arrangements needs to be evaluated. In the construction industry, planning is a critical element in the management and execution of construction projects.

Without planning, it would be impossible to effectively determine project requirements in terms of materials, resources, costs, time etc. In fact, it is effective planning that allows construction projects to be profitable. Information security is no different, the more you apply yourself in the planning phase of your information security strategy, the more secure your information assets will be.

Clause 8: Operation

The operation clause consists of executing the plans and processes outlined in all preceding clauses. The clause sets the basic requirements for the operation of the ISMS. It also concerns the execution of any actions identified and the realisation of information security objectives. The processes in place need to be applied throughout the entire supply chain to ensure risk is controlled both internally and externally.

The clause dictates that the repercussions of any changes, deliberate or unplanned, need to be carefully assessed. Additionally, the operation clause dictates that documentation of periodic information security risk assessments should be kept, to ensure performance data is available for future use. Lastly, the outcomes of the implementation of the risk treatment plan must also be documented and retained along with the rest of the documentation.

In the construction industry, the operation of construction projects involves a great number of moving parts consisting of sub-contractors, suppliers, and several other entities, all falling under the responsibility of the head contractor. It is therefore of critical importance to ensure that the ISMS applies to the entire operation.