Things are changing. And fast. Businesses are moving from offices to remote workforces and on April 1, 2020, the IASME Consortium will take over full responsibility of delivering Cyber Essentials certifications.
We sat down with our Head of Cyber Auditing at CyberSmart, Glen Patrick, to discuss the impact of these April 1 changes on certification bodies, the nature of remote auditing, and some of the challenges faced by assessors today.
What exactly is happening on 1 April?
Previously there were five accreditation bodies who were able to provide Cyber Essentials certification to businesses. As of April 1, IASME will take over as the one and only Cyber Essentials Partner with the National Cyber Security Centre.
What does this change mean for the world of certification?
This means that all certification bodies (CBs) will be working from the exact same standard as everyone else – in the old scheme each accreditation body had a slightly different way of working. Now all CBs will follow the same standard. CyberSmart already used IASME for certification so there will be no change for us.
What does this mean for customers?
For those in the process of going through certification (but haven’t completed the process by 1 April 2020), they will have until 30 June 2020 to complete their application through existing arrangements. Then when the certificate is due for renewal, they will need to contact a CB who offers IASME accreditation.
Tell us about your role as an auditor. How does a typical audit work and when does it happen?
As a qualified Cyber Essentials, Cyber Essentials PLUS and IASME assessor my days vary. I might be assessing submitted questions sets or booking or carrying out CE Plus audits. These audits can be done remotely or onsite, but many customers request an on-site visit as they often want issues explained to them and advice on remediation.
To combat coronavirus, many businesses are no longer in their offices. What does that mean for the auditing process?
The required questionnaire for Cyber Essentials can be done from any location so that process is relatively unaffected. And actually, when it comes to Cyber Essentials PLUS (which requires a visit from an auditor), CyberSmart is one of the few services on the market that offers the option to remotely audit already. We were carrying these out well before the lockdown but we are really gearing up to prepare for more remote assessments soon as we know it will be a real need for most businesses soon.
We were carrying out well before the lockdown but we are really gearing up to prepare for more remote assessments soon as we know it will be a real need for most businesses soon.
What does a remote CE+ audit look like?
Just as in person, a remote CE+ audit requires access to the company’s network as an admin. That allows us to carry out credentialed vulnerability scans (that’s how we discover any weaknesses in the system). Then we need access to a normal user account so we can perform email and web tests. For IASME Gold audits, the auditor is required to have access to the company ISMS (Information Security Management System) so they can read the company policies and then ask questions/ request evidence on how these policies are being applied.
What are the biggest challenges for auditors?
The biggest challenge for assessment is usually around misunderstanding. The question set can be confusing for people not used to technical language. They may not be sure what a question is asking. One project I’m working on at CyberSmart is using my experience with common mistakes and questions to improve the user experience of customers completing the questionnaire through our platform. That makes my job easier by decreasing the amount of questions I have to return to the customer for clarification, and speeds up the process for them.
A common problem in the past was also the inconvenience of communicating errors to customers. If I needed clarification on an answer, I would be forced to send the whole question set to the customer who has scroll through to find the relevant questions, update their answers and then send the whole question set back. This isn’t the case anymore using the certOS platform.
What is certOS and how does it address those challenges?
So, certOS is an auditor’s dream. It is a platform developed at CyberSmart by and for auditors. It’s not used by direct customers but we give it for free to any certification bodies.
It solves a lot of the biggest headaches of auditing by incorporating the marking guide next to the customer’s answers, all on the same page, making it easier to evaluate, and allows us to send only questions that require clarification back to the customer. It’s also just added a layer of clear organisation by grouping and numbering questions under relevant headings. Instructions for the customer appear next to each question in plain English with possible examples of answers so they understand exactly what they are being asked.
Is there anything else you’d like other CBs to know about changes to the industry?
All CBs are probably now aware of the new IASME process and the majority of CBs from the other (now no longer) accreditation bodies have successfully moved over to the new Cyber Essentials partner IASME – I would however encourage them to book a demo on our certOS platform and get a feel for how it simplifies the whole Cyber Essentials/ IASME question assessment process.
Glen Patrick is Head Auditor for CyberSmart and is a CISSP – Certified Information Systems Security Professional, MinstISP – Full Member of chartered institute of information security professionals, SCCP – Senior NCSC Certified Cyber Professional as an IA Auditor, and a CEH – Certified Ethical Hacker.
Get in touch to learn more about Cyber Essentials Plus, certOS, and how our auditing system works.