To change the appearance of the page, edit the styles of the corresponding elements (in most cases by using the "Main Frame" Style Zone).  
To change the menu’s links: edit, copy-paste, or delete the Link Elements within. 
To hide an element without deleting it, use its property Visible.
To "activate" displaying of an arrow, use its property "Visible"
ISO/IEC 27001:2013
Information Security Management
ISO/IEC 27001 is one of a family of standards in the 27000 series published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. It describes what is required to build and run an Information Security Management System (ISMS). In effect it is a checklist of areas of security that an organization should address in order to keep it safe. There are two main documents, ISO/IEC 27001 that explains what the security management system should contain and ISO/IEC 27002 that explains how the controls identified in the annex of 27001 should be applied. These are the main two but there are a total of 44 documents in the ISO/IEC 27000 series.

However, the standard is based on the risk appetite of the organization and, therfore, does not necessarily makes the organization secure. If there is an acceptance of high risks in the organization then its security could be quite low. The focus of the system is to put the onus on the leadership team to determine what they would accept and at what cost.

There is a balance to make between the value of an asset (or the cost of losing it) and the price to pay to protect it. If an asset costs £10,000 and £10 to protect then it would be worth applying that protection. If the asset costs £1000 and £10 to protect then the decision is not so clear. At this point the risk to the asset needs to be addressed, which is based on the Impact (if the asset is lost) and Likelihood (how likely is it to be lost). Clearly if there is a low Impact and a low Likelihood then the risk is small and so it is probably not worth the outlay to protect it. Conversely, if there is a high Impact and high Likelihood then the risk is high and the outlay is probably worth it. Then there are the grey areas in between.

And and asset doesn't have to be physical; it can be information or data. It could be Personally Identifiable Information (PII) which comes under the Data Protection Act (DPA) or the General Data Protection Regulation (GDPR) where the impact could be a hefty fine. Or it could be the intangible "edge" that makes your organization successful.

Then there are your clients and customers. Some of them have their own Information Security Management Systems (ISMS) and your revenue depends on compliance to their requirements. Can you afford to lose the contract because you are not compliant to ISO/IEC 27001? Should you just comply with ISO/IEC 27001 or do you need certification?

Finally, there is the human element of Information Security. You can put all the technicals controls in place and an employee can undo it all with an illconsidered click on a link in a phishing email. With 100 employees there are 100 points of failure but, with a bit of training there could be 100 points of control.

Is it any wonder, then, that the leadership team have difficulty understanding what risks to accept and what to address? At Clayton Security we take time to unravel the jargon and explain the reasoning behind it. We have a pragmatic approach to Information (or Cyber) Security and believe in value for your investment. We tailor our reports to the audience be it the board, the mangement, the staff or even the client.

Contact us