Cybersecurity is a growing need for SMEs, particularly because of the regulatory demands that enforce information protection. Regardless of their size or industry, SMEs face similar risks. Governments and regulating bodies come up with various standards such as Cyber Essentials to make sure that everyone has access to the same resources and knowledge.
Organizations often get confused between the various standards that exist for information security. Which one should you get certified for? To help you understand, this article presents a comparison between the standards Cyber Essentials, ISO 27001, and PCI DSS.
Cyber Essentials (CE) is a government program in the UK for information assurance that was launched in 2014. CE is the minimum certification that is required for a government supplier responsible for handling personal information in the UK.
For SMEs, a CE certification demonstrates its good security practices and shows that these organizations take security seriously to both customers and regulating bodies.
The Five Requirements of Cyber Essentials:
The primary requirements of the Cyber Essentials Certification are as follows:
Configure and deploy a firewall:
A firewall is a secure buffer zone between your organization’s network and an external network such as the Internet. Making use of a firewall ensures that malicious traffic is not allowed to enter your network.
Cyber Essentials requires organizations to configure and deploy a firewall that protects all devices, especially devices that are connected to a public or untrusted network.
Make use of secure configurations for devices and software:
Most devices and software come with the manufacturer’s default settings which aim to make them as open and available as possible. However, this is not often the most secure configuration for these devices and software which makes them vulnerable to cyber-attacks.
Cyber Essentials requires organizations to reconfigure these settings to maximize the level of security, make use of strong (and not default) passwords, and introduce extra layers of security such as two-factor authentication, where possible.
Make use of access control to prevent unauthorized access to data and services:
Employees within an organization should only have just enough access to be able to perform their role. Providing extra permissions to settings, software, or online services can be a potential threat for the organization if the account gets stolen or misused.
Standard accounts vs. administrative accounts:
Standard accounts are made for general work purposes and have limited access. On the other hand, administrative accounts have greater privileges and permissions since these are used to perform administrative tasks such as installing software.
In the case of a breach, unauthorized access to an administrative account can cause much more damage than access to a standard account. Therefore, it is important to provide administrative accounts to only qualified and authorized personnel.
Cyber Essentials requires organizations to control the access to data by making use of user accounts with different privileges with administrative privileges granted to only those who need them. It further requires that the actions that an administrator can take should be controlled.
Protect yourself against malware such as viruses:
Malware, an acronym for malicious software, is any computer program that causes harm to a computer or its user. Viruses are a well-known type of malware that infects software to corrupt your files and data. The sources of malware include email attachments, malicious websites, and files from a removable device such as a USB.
Defence mechanisms against malware:
Cyber Essentials requires organizations to implement at least one of the following approaches to protect themselves against malware:
- Anti-malware measures: For desktops and laptops, this includes installing and enabling antivirus solutions such as Windows Defender or Mac OS XProtect. For smartphones, this includes keeping the software up to date, enabling features to track and erase devices when lost, and password protection.
- Sandboxing: A sandbox is an environment that has very restricted access to the rest of your files and network. Whenever possible, you should make use of applications that support sandboxing to keep your data far from malware.
- Whitelisting: A whitelist is a list of software that is allowed to be installed and run on a device. This prevents users from running software that can be potentially harmful. Administrators create whitelists and implement them on devices including laptops, desktops, and smartphones.
Keep devices and software updated:
All devices, software, and operating systems used within an organization should be kept updated. Other than adding new features, device manufacturers and software developers release updates (or patches) to fix known security vulnerabilities as well.
Cyber Essentials requires you to keep all your devices, software, and operating systems up to do, and upgrade them once they are no longer supported by the manufacturers or developers.
The ISO 27001 is an international standard for information security that was first introduced in 2005. ISO 27001 defines what is required for establishing, implementing, maintaining, and improving an Information Security System.
ISO 27001 is much more comprehensive than Cyber Essentials for information protection. However, unlike Cyber Essentials, it is not a requirement for SMEs to operate within the UK.
The 14 Controls of ISO 27001:
Unlike Cyber Essentials and PCI DSS, ISO 27001 does not have specific requirements for compliance. Instead, the ISO 27001 provides guidelines through a set of ‘controls’. The controls for the ISO 27001 Certification are as follows:
Develop an information security policy:
An information security policy provides direction and support to the management for information security in accordance to laws, regulations, and business requirements. This policy needs to be reviewed regularly to ensure its effectiveness and suitability.
The information security policy document should be approved by an organization’s management and communicated to all employees and external parties.
Implement and manage information security within the organization:
The primary goal of this control is to provide a mechanism for managing information security with an organization. This includes coordinating responsibilities to employees and maintaining appropriate contact with authorities, third-parties, and security providers.
The ISO 27001 provides the framework for managing information security in organizational aspects such as teleworking and project management.
Provide training and awareness to human resource:
An organization needs to ensure that employees are well aware of their responsibilities towards information security. Employees that can control or affect information security should not be trained for their roles. Any changes in the employment conditions of such employees should not affect the information security of the organization.
Make sure that organizational assets are secure:
Information security assets can be defined as the devices used for information storage and processing. As per the ISO 27001, organizations should be able to identify and classify information security assets according to the sensitivity of the information they handle. Organizations also need to assign responsibilities to handle the security of such assets.
Make use of access control to protect information:
Employees and third-parties should have restricted access (physical and logical) to the organization’s information, as required by their role. The ISO 27001 guides organizations to make use of formal processes to grant and revoke rights to users.
Protect the confidentiality and integrity of information through cryptography:
Cryptography solutions such as encryption should be properly used within an organization for protecting the confidentiality, authenticity, and integrity of data. Even in the case of a breach, this helps keep the information confidential by making it unusable for the hackers.
Prevent unauthorized physical access to the organization’s premises:
The physical areas where an organization’s information security assets are kept should be protected from unauthorized access and natural disasters. If these facilities are compromised, it could adversely affect business operations and information security of the organization.
Make use of secure configurations for operational infrastructure:
Operational infrastructure can be defined as the devices, software, and operating systems that manage information security. According to the ISO 27001, secure configurations for this infrastructure include:
- Protection against malware and loss of data through appropriate measures such as antivirus software.
- Ensuring that default settings and passwords from manufacturers are changed according to the business’ requirements.
- Recording and generating evidence for security vulnerabilities that exist in the organization’s infrastructure.
Make use of secure configurations for network infrastructure:
Network infrastructure can be defined as devices such as routers and switches, services, and software that make up an organization’s network. The ISO 27001 guides organizations to:
- Monitor and control network traffic.
- Ensure security of applications and systems making use of the network through the use of appropriate measures (such as firewalls).
- Produce a network services agreement that identifies security features and management requirements for the network.
Prioritize security when acquiring, developing, and maintaining information systems:
According to ISO 27001, security should be considered during all stages of an information system. From the onset of information systems, security controls should be a part of business requirements to prevent loss or misuse of information.
Ensure information security for activities by suppliers:
The ISO 27001 guides organizations to make sure that all outsourced activities are monitored for information security controls. Suppliers should be required to comply with information security requirements that are established and managed by the organization.
Develop an effective approach for managing information security incidents:
As per the ISO 27001, organizations should ensure the following in case an information security incident occurs:
- Properly communicate the details of the security incident and event in a timely manner.
- Gather and preserve evidence for further analysis of the security incident.
- Develop processes for improving information security and preventing incidents from reoccurring.
Prevent information security failures from interrupting business activities and processes:
Business continuity is defined as the ability of an organization to maintain business functions during and after a disaster has occurred. The ISO 27001 guides organizations to ensure business continuity, in particular, information security continuity, when adverse situations such as a data breach occur. Information systems should be available during and after security incidents occur.
Ensure compliance with information security policies and standards:
An organization needs to ensure that it does not breach any law or standard for security requirements. The ISO 27001 guides organizations to comply with not just law and standards, but the organization’s own security policies as well.
The Payment Card Industry (PCI) Data Security Standard (DSS) is an international information security standard that was launched in 2004. This standard directly affects organizations that handle branded credit cards from leading card companies that include Visa, MasterCard, American Express, Discover, and JCB.
Which organizations need to comply with PCI DSS?
Any organization that accepts, stores, or transmits cardholder information is required to comply with the PCI DSS. The cardholder information includes the Primary Account Number (PAN), cardholder name, service code, and expiration date.
The Four Levels of PCI DSS:
Each organization falls into one of four levels of the PCI DSS. These levels are determined by the number of VISA transactions performed by your organization annually. The 4 levels of the PCI DSS are as follows:
- Level 1: Organizations that process over 6 million transactions per annum, regardless of the channel of the transaction.
- Level 2: Organizations that process between 1 million to 6 million transactions per annum, regardless of the channel of the transaction.
- Level 3: Organizations that process between 20,000 to 1 million eCommerce transactions per annum.
- Level 4: Organizations that process less than 20,000 eCommerce transactions or up to 1 million transactions, regardless of the channel of the transaction.
The Six Goals of PCI DSS:
The goals and requirements of the PCI DSS are as follows:
Build and maintain a network that is secure:
To comply with the PCI DSS, it is essential that an organization should have a secure system and network. As part of this goal, the PCI DSS requires organizations to:
- Install and configure a firewall for protecting its network.
- Make use of secure configurations for their devices and software instead of manufacturer default settings for passwords and other security settings.
Protect the information of cardholders:
Protecting cardholder information is not just about preventing access and breaches to networks, but also about preventing stolen records from being used.
The PCI DSS requires organizations to make use of encryption when transmitting cardholder information across public networks. Encrypting the information guarantees that it is inaccessible and unreadable, even if a breach occurs.
Maintain a vulnerability management program:
A vulnerability management program is implemented to ensure that malware and other security vulnerabilities are adequately taken care of.
Protection against malware:
The use of antimalware measures, whitelisting, and sandboxing should be used to protect a system against malware. The antivirus software being used should be kept up to date and monitored regularly. As per the PCI DSS, all devices and software must be protected against malware of all types.
Secure systems and applications:
The PCI DSS requires organizations to ensure the following when securing their systems:
- Keep all devices and software updated by installing the latest manufacturer-provided security patches.
- Establish a process for identifying and reporting newly discovered security vulnerabilities.
- Make use of industry best practices for information security when developing or changing software applications and system components.
Implement strong access control measures:
Access control is all about restricting users to a need-to-know basis. Cardholder information is highly sensitive and access to it should be restricted, even for employees of the organization.
The PCI DSS requires organizations to ensure that access to system components is authorized and authenticated through user accounts. It further requires that physical access to cardholder information should be restricted. This means that all system components should be kept in a location where they are inaccessible or unreachable by unauthorized users.
Monitor and test networks regularly:
Monitoring and testing networks involve identifying any suspicious activities or security vulnerabilities that exist in a network. All access to network resources, particularly cardholder data, should be tracked and monitored. This allows organizations to know the who, when, and how of the access to cardholder information.
The PCI DSS requires organizations to monitor their network traffic, run scans for detecting internal and external network vulnerabilities, and implement an intrusion-detection system for preventing access to intruders.
Maintain a policy for information security:
A policy that provides comprehensive guidelines on how to handle information security within an organization is necessary for compliance.
As per the PCI DSS requirements, an information security policy for all personnel should be established and maintained by organizations. This policy should include (but not be limited to) a risk-assessment process, usage policies for technologies, information security requirements for personnel, and a formal awareness program.
The Comparison Summarized:
The comparison between Cyber Essentials vs. ISO 27001 vs. PCI DSS is summed up in the table below.
|Parameter||Cyber Essentials||ISO 27001||PCI DSS|
|Creator||Government of UK||International Organization of Standard (ISO)||PCI Council consisting of VISA, MasterCard, American Express, Discover, and JCB.|
|Scope||Depends on the business. Limited to the UK only.||Depends on the business and is international.||Applies to cardholders’ information only and is international|
|Number of Domains||5 requirements||14 controls||6 goals|
|Auditing||None.||Maintenance audits each year and recertification audits every 3 years.||Network-scanning audits and onsite audits depending on the level of compliance needed.|
|Certification||Must have for government suppliers handling personal information.||Given to all organizations.||Required by organizations that involve payment through credit cards.|
|Time to Compliance||1 – 2 days||6 – 9 months||1 – 2 weeks|
Cyber Essentials, ISO 27001, and PCI DSS are all different standards in terms of their requirements but share the same goal i.e. information security. Choosing which one is the best for your organization can be a tough choice.
The ISO 27001 seems to be an all-encompassing standard, but it is not a silver bullet for information security compliance. For instance, government departments in the UK prefer and often even require CE over both ISO 27001 and PCI DSS. The certification that you should opt for depends on the requirements, size, and network infrastructure of your organization.
CyberSmart – Your Information Security Partner:
CyberSmart is a cyber security consultant that helps you understand which information protection standard is most suitable for you. We partner with you to simplify your journey toward compliance. If you have any other questions about these information security standards, feel free to get in touch with us over chat or via email at firstname.lastname@example.org.