In the first instalment of a three-part series, BIM Academy technologist Murillo Piazzi outlines why ISO 19650-5 and taking a security-minded approach to information matters to your business.
Many data security specialists would agree that BIM is one of the best hostile reconnaissance tools ever created – myself being one of them.
Despite that, it seems only a few organisations have picked up on the processes described by ISO 19650-5, which establishes a security-minded approach to the management of information in BIM-enabled organisations.
Perhaps the first thought people have when they come across clauses relating to part 5 is: “We don’t need to worry about that.” They couldn’t be further from the truth.
From a statutory compliance standpoint, the fact is that the Infrastructure & Projects Authority’s (IPA) 2030 Roadmap, which effectively renews the UK BIM mandate for another 10 years, now has a requirement for clients in the public sector to carry out a sensitivity assessment as set out in part 5 of ISO 19650. Organisations will now need to adapt to this new reality, as this was not previously a strict requirement in the IPA’s 2016-2020 roadmap.
However, it is not only achieving statutory compliance that organisations should be considering: incidents involving data are becoming increasingly frequent. Data breaches are now almost part of our daily lives. Have you ever received phishing emails or questionable SMS messages? They are probably the consequence of data about you being leaked by someone, somewhere. Obviously, ISO 19650-5 wasn’t conceived to get rid of phishing emails: there are other pressing concerns to tackle.
With great power comes great responsibility
The digitisation of information across all specialities in construction has represented a real change in the industry’s status quo. It is clear, across industry, how the implementation of BIM in projects has been vital to enable teams from different organisations with different cultures to collaborate. Let’s remember that our industry is renowned for its siloed, adversarial culture. So, anything that brings teams around a table to discuss how they are going to work together represents a real advance.
Also, let’s remember that on many live projects, a specific piece of information may have to be found manually, in a stack of hundreds of drawings. This can be extremely time-consuming for anyone who has to retrieve information.
Think of someone who has to desperately find a phone number to call technical assistance to fix a boiler in the middle of winter, because all the showers are running cold. BIM has facilitated the retrieval of information, making all this information easier to access in well-structured information models.
All these improvements, however, do not come without a cost. Information on a project is now digitally searchable, interlinked and easier than ever to retrieve. A simple Ctrl+F could be enough for people to know where the Achilles’ heel of a project or facility is. On top of that, more people have access to the information as teams collaborate to develop this information together.
These factors have increased the risk that this information will be misused, leaked or stolen, and this is the issue that ISO 19650-5 seeks to address. How can we make sensitive information on projects more easily accessible for the people who need it to do their job but, at the same time, prevent this information from falling into the wrong hands?
ISO 19650-5 objectives and target audience
Putting this into context, ISO 19650-5 is part of a bigger landscape of standards used to manage information on building and civil engineering works. The ISO 19650 series of standards establishes the processes that should be used to manage project and asset information related to a construction or asset maintenance project.
The release of these international standards represented a big advance for the world of BIM, which until that point could be a bit of a wild west of standards and best practices, with different organisations fighting to establish their own process as the rule to follow.
ISO 19650-5 is very clear about its goals. The standard supports organisations to achieve three main targets:
- To reduce the risk of loss, misuse or modification of sensitive information.
- To protect themselves against the loss, theft or disclosure of commercial information, personal information and intellectual property.
- To increase the safety, security and resilience of assets, products and the built environment.
But which organisations should consider implementing this standard? Again, ISO 19650-5 makes clear that the implementation of a security-minded approach should be considered by:
- Organisations involved in the use of information management systems and technologies during the whole lifecycle of an asset.
- Organisations wishing to protect their commercial and personal information and intellectual property.
If your organisation fits into any of the categories above, you should start the detailed process of establishing a security-minded approach towards information as outlined in ISO 19650-5.
Altogether, the standard describes more than 100 potential actions to be taken to make the production, sharing and disposal of data secure. However, the whole process looks much simpler when we divide it into four stages:
- Stage 1: Sensitivity Assessment
- Stage 2: Security Strategy
- Stage 3: Security Management Plan
- Stage 4: Appointment
The first stage is the one being mandated in the new IPA 2030 Roadmap. Depending on the outcomes of the sensitivity assessment stage, organisations might have to go through the subsequent stages.
In my next two instalments, I will guide you through these four stages and what actions you need to take to protect your data.
In answer to my initial question (why do we need ISO 19650-5?), the clear answer is that it provides a framework to assist organisations in understanding the key vulnerabilities and issues that security risks present, and the nature of the controls required to manage these risks. If there are simple steps to take to protect your data, why wait? Act now.