Practicing good cyber hygiene has never been more important for SMEs. In the last two years alone, small firms were subject to 10,000 cyberattacks daily and one in five reported suffering a breach. Regardless of their size or industry, all SMEs face similar risks. So, to counter, the UK government has developed various standards to ensure we all have access to the same resources and knowledge.
But it’s easy to get confused between the various standards for information security. Which one should you get certified for? To help you make a decision, let’s look at the differences between Cyber Essentials, ISO 27001, and PCI DSS.
Cyber Essentials
Cyber Essentials (CE) is a UK government program for protecting information, launched in 2014. CE is the minimum certification required for any government supplier responsible for handling personal information in the UK.
For SMEs, a CE certification demonstrates you’re serious about security – both to customers and regulators.
The Five Requirements of Cyber Essentials
The key requirements of Cyber Essentials certification are as follows:
1. Configure and deploy a firewall
A firewall is a secure buffer zone between your organisation’s internal network and the Internet. Using a firewall ensures that malicious traffic is not allowed to enter your network.
The certification requires you to configure and deploy a firewall that protects all devices, especially those connected to a public or untrustworthy network.
2. Use secure configurations for devices and software
Most devices and software come with the manufacturer’s default settings. And these aim to make the device as open and available as possible. However, these aren’t usually the most secure settings, leaving you open to cyber attacks.
CE asks you to reconfigure these settings to maximise security. This includes using strong (and not default) passwords and introducing extra layers of security such as two-factor authentication.
3. Make use of access control to prevent unauthorized access to data and services
Your employees should only have the minimum access needed to perform their role. Providing extra permissions to settings, software, or online services can be a potential threat to your business if the account gets stolen or misused.
Standard accounts vs. administrative accounts
Standard accounts are made for general work purposes and have limited access. On the other hand, administrative accounts have greater privileges and are used for administrative tasks such as installing software.
In the case of a breach, unauthorised access to an administrative account can cause much more damage than access to a standard one. So it’s important to provide administrative accounts to only qualified and authorised staff.
To get certified, you have to control access to company data. In practice, this means making administrative accounts only available to those that need them. What’s more, the actions an administrator can take should also be tightly controlled.
4. Protect yourself against malware such as viruses
Malware, an acronym for malicious software, is any computer program that causes harm to a device or its user. Perhaps the most well known type of malware is viruses. Simply put, a virus infects the software on your device to corrupt files and data. Malware can come from anywhere, but the most common sources are email attachments, malicious websites, and files from a removable device such as a USB.
Defending your business against malware
CE requests that you implement at least one of the following approaches to malware protection:
- Anti-malware measures: For desktops and laptops, this means enabling anti-virus solutions such as Windows Defender or Mac OS XProtect. Meanwhile, for smartphones, you’ll need to keep software up to date, enable features to track and erase devices when lost, and password protection
- Sandboxing: A sandbox is an environment that has very restricted access to the rest of your files and network. Whenever possible, you should make use of applications that support sandboxing to keep your data far from malware
- Whitelisting: A whitelist is a list of software that is allowed to be installed and run on a device. This prevents users from running software that can be potentially harmful. Administrators create whitelists and implement them on devices including laptops, desktops, and smartphones
5. Keep devices and software updated
All devices, software, and operating systems you use should be kept updated. Alongside adding new features, device manufacturers and software developers also release updates (or patches). These are key to fixing known vulnerabilities in the software.
CE builds on this requirement. All devices, software, and operating systems must be kept up to date and upgraded once they are no longer supported by the manufacturer or developer.
ISO 27001
ISO 27001 is an international standard for information security that was first introduced in 2005. The standard defines what is required for establishing, implementing, maintaining, and improving an information security system.
ISO 27001 is much more comprehensive than CE. However, unlike CE, it’s not yet a requirement for SMEs operating in the UK.
The 14 Controls of ISO 27001
Contrasting with CE and PCI DSS, ISO 27001 doesn’t have specific requirements for compliance. Instead, ISO 27001 provides guidelines through a set of ‘controls’. Let’s run through them.
1. Develop an information security policy
An information security policy provides direction and support your people. It should clearly lay out how to manage information in accordance with laws, regulations and business requirements. It should also be an ever-changing document, with regular reviews to check it’s effective and everything in it is suitable.
The information security policy document should be approved by your management team and communicated to all employees and external parties.
2. Implement and manage information security within your organisation
This control’s primary goal is to provide a mechanism for managing information security within a business. This includes coordinating responsibilities to employees and maintaining appropriate contact with authorities, third-parties, and security providers.
The ISO 27001 provides the framework for managing information security in different aspects of your organisation. For example, teleworking or project management.
3. Provide training and awareness to HR
You need to ensure that employees are aware of their responsibilities towards information security. Employees that can control or affect information security should be trained for their roles. And any changes in the employment conditions of employees should not affect your business’s security standards.
4. Ensure organisational assets are secure
‘Information security assets’ are best defined as the devices used for information storage and processing. According to ISO 27001, you should be able to identify and classify information security assets based on the sensitivity of the information they handle. On top of this, you’ll also need to assign staff responsibility for keeping each of these devices secure.
5. Make use of access control to protect information
Employees and third-parties should have restricted access to your information. ISO 27001 shows you how to use formal processes to grant and revoke user rights.
6. Protect the confidentiality and integrity of information through cryptography
Use cryptography tools such as encryption to protect the confidentiality and integrity of your data. This can help keep you safe by making the data unusable for hackers – even if they do manage to get in.
7. Prevent unauthorised physical access to your workplace
The physical areas where your information security assets are kept should be protected from unauthorised access and natural disasters. If these areas are breached, say by a break in or winter storm, it could stop your business functioning properly or expose your data.
8. Deploy secure configurations for operational infrastructure
‘Operational infrastructure’ is the devices, software, and operating systems that manage your information security. According to the ISO 27001, secure configurations for this infrastructure include:
- Protection against malware and loss of data through measures such as antivirus software
- Ensuring that default settings and passwords from manufacturers are changed according business requirements
- Gathering and recording evidence of any security vulnerabilities you have
9. Secure configurations for network infrastructure
‘Network infrastructure’ is the devices such as routers and switches, services, and software that make up your network. ISO 27001 asks your business to:
- Monitor and control network traffic.
- Ensure applications and systems using your network are secure (using measures like firewalls)
- Produce a network services agreement that identifies security features and management requirements for the network
10. Prioritise security when acquiring, developing, and maintaining information systems
ISO 27001 states that security should be considered at every level of an information system. From the moment you set up a new system, your business requirements should include security controls to prevent the loss or misuse of information.
11. Ensure information security for activities by suppliers
Under ISO 27001, all outsourced activities must be monitored for information security controls. For instance, your suppliers are required to comply with the same security requirements you’ve laid out for your own organisation.
12. Develop an effective approach for managing information security incidents
If an accident occurs or your systems are breached, you need to do the following:
- Properly communicate the details of the security incident and event quickly
- Gather and preserve evidence for further analysis of the security incident
- Develop processes for improving information security and preventing the incident happening again
13. Prevent information security failures from interrupting business continuity
‘Business continuity’ is the ability of your business to keep running even after something’s gone wrong. ISO 27001 provides a step-by-step process for ensuring your business can continue operating after a breach. A key aspect of this is making sure information systems can still be accessed even during and after an incident.
14. Ensure compliance with information security policies and standards
Lastly, your organisation should never be in breach of any law or security standard. ISO 27001 guides you through getting compliant and staying that way.
PCI DSS
The Payment Card Industry (PCI) Data Security Standard (DSS) is an international information security standard launched in 2004. This standard affects anyone who handles credit cards from leading card companies such Visa, MasterCard, American Express, Discover, and JCB.
Which organisations need to comply with PCI DSS?
Any organization that accepts, stores, or transmits cardholder information must comply with PCI DSS. Cardholder information includes the Primary Account Number (PAN), cardholder name, service code, and expiration date.
The Four Levels of PCI DSS:
Each organisation falls into one of four levels of PCI DSS. These levels are determined by the number of VISA transactions performed by your business annually.
The four levels:
- One: organisations that process over 6 million transactions per annum
- Two: businesses that process between 1 million to 6 million transactions per annum
- Three: organisations that process between 20,000 to 1 million e-commerce transactions per annum
- Four: those that process less than 20,000 e-commerce transactions or up to 1 million transactions per annum
With the exception of level 3, these categories apply regardless of the transaction channel.
The Six Goals of PCI DSS:
PCI DSS has six key goals.
1. Build and maintain a secure network
To comply with the PCI DSS, you need a secure system and network. To achieve this, you’ll need to:
- Install and configure a firewall for protecting your network
- Make use of secure configurations for devices and software instead of manufacturers’ default settings
2. Protect carholders’ information
Protecting cardholder information isn’t just about preventing breaches of your network. It’s also important that you stop any stolen records from being used.
PCI DSS requires the use of encryption when transmitting cardholder information across public networks. Encrypting the information guarantees that it is inaccessible and unreadable, even if a breach occurs.
3. Maintain a vulnerability management program
A ‘vulnerability management program’ ensures that malware and other security vulnerabilities are adequately taken care of.
Protection against malware
Anti-malware tools, whitelisting, and sandboxing should all be used to protect your business against malware. And these tools should be updated and monitored regularly. To comply with PCI DSS, you’ll need to protect all company devices against any type of malware.
Secure systems and applications
PCI DSS instructs you to ensure the following when securing your systems:
- Keep all devices and software updated by installing the latest manufacturer-provided security patches
- Establish a process for identifying and reporting newly discovered security vulnerabilities
- Use industry best practices when developing or changing software applications and system components
4. Implement strong access controls
Access control is all about restricting users on a ‘need-to-know’ basis. Cardholder information is highly sensitive and access to it should be restricted, even for your employees.
PCI DSS requires businesses to ensure access to system components is authorised and authenticated through user accounts. What’s more, physical access to cardholder information should be tightly controlled. This means all your system components should be stored in an inaccessible location – far away from anyone unauthorised.
5. Monitor and test networks regularly
To check for vulnerabilities in your networks, you’ll need to monitor and test them regularly. Any access to network resources, particularly cardholder data, should be tracked and monitored. This will tell you know the who’s accessing your cardholder data, when they’re doing it, and how.
PCI DSS also requires you to monitor network traffic, run scans for detecting internal and external network vulnerabilities, and set up a detection system for intruders.
6. Maintain a policy for information security
Any organisation looking to comply with PCI DSS needs comprehensive guidelines for staff on how to handle information security. The policy should include a risk-assessment process, usage policies for technologies, information security requirements for personnel, and a formal awareness program.
A short summary
If you’ve made it this far, you’re now well-versed in the differences between government certifications. But here’s a quick summary of the key differences between them.
| Parameter | Cyber Essentials | ISO 27001 | PCI DSS |
| Creator | Government of UK | International Organization of Standard (ISO) | PCI Council consisting of VISA, MasterCard, American Express, Discover, and JCB. |
| Flexibility | Low | High | Low |
| Scope | Depends on the business. Limited to the UK only. | Depends on the business and is international. | Applies to cardholders’ information only and is international |
| Number of Domains | 5 requirements | 14 controls | 6 goals |
| Auditing | None. | Maintenance audits each year and recertification audits every 3 years. | Network-scanning audits and onsite audits depending on the level of compliance needed. |
| Certification | Must have for government suppliers handling personal information. | Given to all organizations. | Required by organizations that involve payment through credit cards. |
| Compliance | Easy | Complex | Complex |
| Time to Compliance | 1 – 2 days | 6 – 9 months | 1 – 2 weeks |
So which should you pick?
Cyber Essentials, ISO 27001, and PCI DSS are very different standards. However, they share a common goal: information security.
The ISO 27001 looks like the most comprehensive standard, but it isn’t the silver bullet it appears to be. Government departments in the UK often prefer (and even require) CE over both ISO 27001 and PCI DSS. So best certification for your business depends on your requirements, size and infrastructure.
This might seem like a bit of a minefield, but that’s where we come in. At CyberSmart, we understand cybersecurity can be confusing. But we don’t believe it has to be.
So if you’re looking to improve cybersecurity but aren’t sure where to begin, talk to us. We can help you navigate tricky government standards and choose the right option for your business.
