You may think that you have the right cyber security in place but are you confident that you are protecting your customers, employees and IP? Every business faces cyber security challenges, no matter their industry or size. To help you understand what you need to do, here’s cyber security explained by CyberSmart, cyber security specialists.
The cyber security sector is a heavily crowded space when it comes to the various standards, certifications, rules and regulations.
It can also cause a lot of confusion for those not familiar with best practice. Founders and business owners often come to us and say they want to, or have to, get ISO 27001 certified. Hardly anyone knows when or how ISO 27001 makes sense for a small business, what other certifications can be achieved instead of ISO 27001, or whether those can be used as a stepping stone towards achieving ISO 27001.
Here is a brief overview of the most common cyber security standards in the UK:
Cyber Essentials:
Cyber Essentials is a scheme that was designed by the UK government in 2014. It aims to get all UK businesses to manage their IT security to a certain level. It helps companies implement basic levels of protection against cyber attacks, demonstrating to their customers and suppliers that they take cyber security seriously.
Established in 2014, the standard's purpose is to develop the necessary cyber security controls throughout an organisation. The standard is relatively technical and protects organisations from 80% of cyber attacks. The most surprising thing we discovered was that most companies which already had other standards in place, such as ISO 27001 or PCI-DSS, would still fail under Cyber Essentials. The best use case for this standard is to implement it as a first line of defence and perimeter security before other standards are considered.
It is largely seen as a great first step towards data security, especially under GDPR. It serves as evidence that you have carried out basic steps towards protecting your business from internet-based cyber attacks.
Cyber Essentials Plus:
Cyber Essentials Plus is the audited standard of Cyber Essentials. Besides including some additional controls, the implementation needs to be assessed by a Cyber Essentials Plus auditor. This obligatory audit creates additional trust in the standard and it is safe to assume that once Cyber Essentials is well-established, Cyber Essentials Plus will increasingly become mandatory.
IASME - GDPR Readiness:
This standard goes further than Cyber Essentials and can be described as a “mini version of ISO 27001:2017”. IASME developed this standard with the government in order to create an affordable alternative to ISO 27001. The IASME standard is specially tailored towards SMEs and covers processes, people and technology. In May 2018, both IASME standards were expanded to include GDPR readiness. Both IASME standards also require Cyber Essentials as part of the readiness assessment. Similarly to Cyber Essentials, the IASME standard can serve as evidence to customers and suppliers that their information is being protected.
ISO 27001:
ISO 27001 is an international information security standard which includes more than 100 controls. The standard is often implemented by corporations or businesses dealing with the public sector. ISO 27001 covers areas that include security policies, access control, operations security, human resources, cryptography and compliance. It does not cover GDPR; however, an organisation can voluntarily include GDPR in their ISMS (Information Security Management System), providing further security.
A note on GDPR: GDPR is NOT a standard, it is a law. Hence we have excluded it here. 🙂
If you have any questions about Information Security Standards or Cyber Security in general or just want to have a chat, drop us a line at firstname.lastname@example.org