The cybersecurity sector is a crowded place when it comes to standards, certifications, rules and regulations. It can cause a lot of head-scratching and confusion for those not familiar with best practice.
Founders and business owners often tell us they want, or have been told they need, to become ISO 27001 certified. Far fewer know when ISO 27001 actually makes sense for a small business, or which other certifications can be achieved instead of it or used as a stepping stone towards it. Here is a brief overview of the most common cybersecurity standards in the UK:
Cyber Essentials

In short, Cyber Essentials is a scheme designed by the UK government to bring every UK business up to a baseline level of IT security. It helps companies implement basic protection against common cyber attacks and demonstrate to customers and suppliers that they take cybersecurity seriously.

Established in 2014, the scheme's purpose is to put the necessary technical controls in place throughout an organisation: boundary firewalls, secure configuration, user access control, malware protection and patch management. It is relatively technical, and the UK government estimates that these controls would prevent around 80% of common cyber attacks. The most surprising thing we found as cybersecurity consultants was that most companies that already held other standards, such as ISO 27001 or PCI DSS, would still fail Cyber Essentials. The reason is that ISO 27001 is a management-system standard that lets an organisation document and accept risk, whereas Cyber Essentials checks whether specific controls are actually applied to every in-scope device. The best use of Cyber Essentials is therefore as a first line of defence and a baseline of perimeter and endpoint security before broader standards are considered.

Cyber Essentials certification is also a sensible first step towards GDPR compliance. It serves as evidence that you have taken basic technical measures to protect your business from internet-based attacks.
Cyber Essentials Plus
Cyber Essentials Plus is the independently audited version of Cyber Essentials. It covers the same set of controls, but their implementation must be verified by a Cyber Essentials Plus assessor through hands-on technical testing rather than self-assessment alone. This mandatory audit creates additional trust in the certification, and it is reasonable to expect that, once Cyber Essentials is well established, Cyber Essentials Plus will increasingly become mandatory in customer and supplier contracts.
IASME Governance

This standard goes well beyond Cyber Essentials and can be described as a “mini version of ISO 27001:2017”. IASME developed it together with the UK government to provide an easily adoptable and affordable alternative to ISO 27001. It is tailored specifically to SMEs and covers processes, people and technology, not just technical controls. In May 2018 both levels of the IASME standard will be expanded to include GDPR readiness. Both levels also require Cyber Essentials as a prerequisite, and the IASME certificate is issued alongside the Cyber Essentials certificate. Like Cyber Essentials, it serves as proof to customers and suppliers that their information is being protected. There are two levels: the standard self-assessment and the Gold standard, which requires an on-site audit.
ISO 27001

ISO 27001 is the international information security management standard. With well over 100 controls in its Annex A (114 in the 2013 edition), it is most often implemented by larger corporations or by organisations dealing with critical infrastructure or the public sector. ISO 27001 covers areas including security policies, access control, operations security, human resources, cryptography and compliance. It does not cover GDPR*. However, an organisation can voluntarily bring its GDPR obligations into the scope of its ISMS (Information Security Management System).

*A note on GDPR: GDPR is NOT a standard; it is a law, so we have excluded it from this list.
If you have any questions about Information Security Standards or Cyber Security in general or just want to have a chat, drop us a line at firstname.lastname@example.org.
Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.