New whitepaper: A Guide to Cybersecurity Certifications in the UK 2023 edition


The journey to cybersecurity compliance isn’t easy. You might start at the basics of Cyber Essentials certification and progress to take on the challenge of ISO 27001 compliance. It takes effort to get certified but if you put in the work, you’ll reap the benefits. You could enjoy:

  • Greater trust from customers and vendors
  • The chance to bid for government contracts
  • Protection from cyberattacks
  • GDPR compliance

Two of the biggest challenges facing businesses are knowing where to get started and how to build knowledge, but you don’t have to navigate cybersecurity alone. We’ve put together this new, updated guide as your one-stop shop for the three most common UK cybersecurity certifications. 

What’s covered?

In this guide, we outline how to choose the right certification for your business, how to get certified, and where to go for support. 

  • Cyber Essentials
    • With information on recent updates
  • Cyber Essentials Plus
  • ISO 27001
  • How to make compliance easy
    • Advice on getting started
  • Where to find support

So, if you’re unsure about whether your business needs a cybersecurity certification or which one is right for you, start by downloading our guide. It’s free and includes everything you need to know to make a decision.


The 7 biggest challenges of ISO 27001 certification

It takes months of hard work to meet the rigorous standards outlined by ISO 27001. But if you think it’s the right move for your business, then these are the challenges you should be aware of before starting your journey.

What is ISO 27001?

ISO 27001 is an international information security standard. It was first published by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and revised in 2013.

The standard contains 10 management system clauses and 114 information security controls. These provide businesses with impartial, best-practice guidance on building, deploying, and maintaining a robust information security management system (ISMS). ISO 27001’s guidelines cover all key areas in your business, including people, processes, and tools.

ISO 27001 is more comprehensive than similar security certifications, like Cyber Essentials. It isn’t mandatory for UK SMEs, but there are several benefits:

The benefits of ISO 27001 certification

  • Protect your business and customers from cybersecurity threats
  • Reassure customers
  • Enhance your reputation
  • Avoid the financial penalties associated with data breaches

Want to protect your business but unsure where to start? Check out our free guide to cybersecurity certifications in the UK.

7 Common challenges of ISO 27001 certification

1. Understanding the guidelines

ISO 27001 is complex. Annex A of ISO 27001 contains 114 controls. These cover everything from information security protocols to incident management and business continuity. It’s a lot to take in and leaves many businesses asking the question: “where do I start?”

2. Building a security framework

Before embarking on ISO 27001 certification, you should have a robust information security framework in place. This outlines your cybersecurity policies, as well as the processes and tools you use to protect sensitive data from potential threats. It also explains what to do in the event of a security breach.

Auditors assess cybersecurity risks against this framework. If you don’t have one, you’ll have to build it from scratch. This is a significant undertaking and can set your project back by several months.

3. Identifying security gaps

What does your current information security ecosystem look like? It’s a simple question, but unless you review your processes, policies, and tools regularly, it’s difficult to get the complete picture you need to spot potential blind spots in your defences.

This is problematic for two reasons:

  1. It’s difficult to see where you should focus your efforts
  2. You might waste time on unnecessary tasks

You wouldn’t be the first business to spend days writing a new bring-your-own-device policy, only to discover you already have one hidden in a rarely used SharePoint folder. A comprehensive gap analysis can provide you with the information you need. But it requires the cooperation and support of every department to make sure nothing falls through the cracks.

4. Establishing responsibilities and ownership

You might think the ISO 27001 certification process is the sole responsibility of the IT department. But that’s not always the case.

ISO 27001 isn’t only about anti-virus software and data protection. It encompasses everything from helping individual team members understand their responsibilities and physical controls to managing supplier risks and compliance. 

The COO, operations teams, and HR all have a role to play in helping you achieve ISO 27001 certification.

5. Getting stakeholder buy-in

ISO 27001 certification is a long, intensive, and expensive process. You’ll have to put up with plenty of disruption along the way, and this can be a deal-breaker for some stakeholders. If your business has always worked in a certain way – and succeeded – stakeholders might justifiably ask: “is ISO 27001 worth the hassle?”

Many SMEs wrongly assume that they’re too small to be targeted by hackers, but that simply isn’t the case. 39% of UK businesses reported cyber breaches in 2021 and data suggests they’re on the rise.

You can overcome these objections by building a business case that outlines the value of ISO 27001 certification. This includes the benefits of ISO certification, such as stronger information security processes and enhancing your reputation.

6. Having no project plan

Attempting ISO 27001 certification without a plan is like trying to hit a bullseye while wearing a blindfold. You’ll hit the target eventually, but it’ll take longer and require considerably more effort.

ISO 27001 is a complex and time-consuming process. Successful ISO 27001 certification is a business-wide effort, and that means you need a project roadmap to:

  • Split the project into smaller, more manageable steps
  • Provide clear timelines for delivery
  • Ensure everyone’s on the same page

7. Implementing the project

One of the biggest challenges of ISO 27001 certification is implementing the project. SMEs typically lack the internal skills and knowledge to make the changes required by the standard.

The key to a successful ISO 27001 implementation is to provide internal teams with the relevant security training, so they can implement the changes with confidence. Alternatively, you could work with a third-party auditor to make sure you’re moving in the right direction.

Is ISO 27001 right for my business?

It depends. Most businesses that embark on ISO 27001 certification are enterprises that have an information security framework in place and are ready to add another layer of protection. They also have the resources to implement the required changes.

For most UK SMEs, ISO 27001 is a nice to have rather than a necessity. Cyber Essentials and Cyber Essentials Plus provide all the security you need to defend your business against the most common cyber threats, like phishing scams and human error.

We certainly wouldn’t recommend attempting ISO 27001 until you’ve completed Cyber Essentials at the very least. Cyber Essentials accreditation isn’t a prerequisite for ISO 27001. But starting with ISO is like trying to run before you can walk.

Still unsure which certification is best for your business? Check out our in-depth guide to cybersecurity certifications in the UK.


What’s the difference between Cyber Essentials, ISO 27001 and PCI DSS?


Practicing good cyber hygiene has never been more important for SMEs. In the last two years alone, small firms were subject to 10,000 cyberattacks daily and one in five reported suffering a breach. Regardless of their size or industry, all SMEs face similar risks. So, to counter this, the UK government has developed various standards to ensure we all have access to the same resources and knowledge.

But it’s easy to get confused between the various standards for information security. Which one should you get certified for? To help you make a decision, let’s look at the differences between Cyber Essentials, ISO 27001, and PCI DSS.

Cyber Essentials

Cyber Essentials (CE) is a UK government program for protecting information, launched in 2014. CE is the minimum certification required for any government supplier responsible for handling personal information in the UK.

For SMEs, a CE certification demonstrates you’re serious about security – both to customers and regulators. 

The Five Requirements of Cyber Essentials

The key requirements of Cyber Essentials certification are as follows:

1. Configure and deploy a firewall

A firewall is a secure buffer zone between your organisation’s internal network and the Internet. Using a firewall ensures that malicious traffic is not allowed to enter your network.

The certification requires you to configure and deploy a firewall that protects all devices, especially those connected to a public or untrustworthy network.

2. Use secure configurations for devices and software

Most devices and software come with the manufacturer’s default settings. And these aim to make the device as open and available as possible. However, these aren’t usually the most secure settings, leaving you open to cyber attacks. 

CE asks you to reconfigure these settings to maximise security. This includes using strong (and not default) passwords and introducing extra layers of security such as two-factor authentication.

3. Make use of access control to prevent unauthorized access to data and services

Your employees should only have the minimum access needed to perform their role. Providing extra permissions to settings, software, or online services can be a potential threat to your business if the account gets stolen or misused.

Standard accounts vs. administrative accounts

Standard accounts are made for general work purposes and have limited access. On the other hand, administrative accounts have greater privileges and are used for administrative tasks such as installing software.

In the case of a breach, unauthorised access to an administrative account can cause much more damage than access to a standard one. So it’s important to provide administrative accounts to only qualified and authorised staff. 

To get certified, you have to control access to company data. In practice, this means making administrative accounts only available to those that need them. What’s more, the actions an administrator can take should also be tightly controlled.

4. Protect yourself against malware such as viruses

Malware, short for malicious software, is any computer program that causes harm to a device or its user. Perhaps the most well-known type of malware is the virus. Simply put, a virus infects the software on your device to corrupt files and data. Malware can come from anywhere, but the most common sources are email attachments, malicious websites, and files from a removable device such as a USB stick.

Defending your business against malware

CE requests that you implement at least one of the following approaches to malware protection:

  • Anti-malware measures: For desktops and laptops, this means enabling anti-virus solutions such as Windows Defender or macOS XProtect. Meanwhile, for smartphones, you’ll need to keep software up to date, enable features to track and erase devices when lost, and enable password protection
  • Sandboxing: A sandbox is an environment that has very restricted access to the rest of your files and network. Whenever possible, you should make use of applications that support sandboxing to keep your data far from malware
  • Whitelisting: A whitelist is a list of software that is allowed to be installed and run on a device. This prevents users from running software that can be potentially harmful. Administrators create whitelists and implement them on devices including laptops, desktops, and smartphones

5. Keep devices and software updated

All devices, software, and operating systems you use should be kept updated. Alongside adding new features, device manufacturers and software developers also release updates (or patches). These are key to fixing known vulnerabilities in the software. 

CE builds on this requirement. All devices, software, and operating systems must be kept up to date and upgraded once they are no longer supported by the manufacturer or developer.
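To show how the five requirements above translate into concrete checks, here is an added example (not CyberSmart’s or the Cyber Essentials scheme’s own tooling) that runs a simple gap analysis over a constructed device inventory. The record fields, the approved-admin list, the 14-day patch window and the end-of-support dates are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed inventory record. Field names are this example's assumptions,
# not anything defined by the Cyber Essentials scheme.
@dataclass
class Device:
    name: str
    firewall_enabled: bool          # requirement 1
    default_password_changed: bool  # requirement 2
    mfa_enabled: bool               # requirement 2
    admin_users: List[str]          # requirement 3
    anti_malware: bool              # requirement 4 (any one of three suffices)
    sandboxed_apps_only: bool       # requirement 4
    allow_listing_enforced: bool    # requirement 4
    os_end_of_support: date         # requirement 5
    patch_age_days: int             # requirement 5

# Staff approved to hold administrative accounts (constructed for the example).
APPROVED_ADMINS = {"it-admin", "ops-lead"}
# Assumed internal policy: security patches applied within 14 days of release.
MAX_PATCH_AGE_DAYS = 14

def check_device(dev: Device, today: date) -> List[str]:
    """Return the list of Cyber Essentials requirements this device fails."""
    gaps: List[str] = []
    # 1. Firewall must protect every device.
    if not dev.firewall_enabled:
        gaps.append("1 firewall: not enabled")
    # 2. Secure configuration: no vendor defaults, extra authentication factor.
    if not dev.default_password_changed:
        gaps.append("2 secure configuration: default password still in use")
    if not dev.mfa_enabled:
        gaps.append("2 secure configuration: two-factor authentication not enabled")
    # 3. Access control: admin accounts only for approved staff.
    unapproved = sorted(set(dev.admin_users) - APPROVED_ADMINS)
    if unapproved:
        gaps.append(f"3 access control: unapproved admin accounts {unapproved}")
    # 4. Malware protection: at least one of the three accepted approaches.
    if not (dev.anti_malware or dev.sandboxed_apps_only or dev.allow_listing_enforced):
        gaps.append("4 malware protection: no anti-malware, sandboxing or allow-listing")
    # 5. Updates: OS still supported and patches applied in time.
    if dev.os_end_of_support < today:
        gaps.append("5 updates: operating system no longer supported")
    if dev.patch_age_days > MAX_PATCH_AGE_DAYS:
        gaps.append(f"5 updates: patches {dev.patch_age_days} days old")
    return gaps

def gap_report(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device name to its list of failed requirements."""
    return {d.name: check_device(d, today) for d in devices}

def is_compliant(report: Dict[str, List[str]]) -> bool:
    """True only when no device in the report has an open gap."""
    return all(not gaps for gaps in report.values())

# Constructed sample inventory: one clean laptop, one with several gaps.
TODAY = date(2023, 6, 1)
SAMPLE = [
    Device("laptop-01", True, True, True, ["it-admin"], True, False, False,
           date(2027, 1, 1), 3),
    Device("laptop-02", True, False, True, ["it-admin", "jsmith"], False, False,
           False, date(2021, 1, 1), 40),
]

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE, TODAY).items():
        print(name, "OK" if not gaps else "")
        for g in gaps:
            print("   -", g)
```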

ISO 27001

ISO 27001 is an international standard for information security that was first introduced in 2005. The standard defines what is required for establishing, implementing, maintaining, and improving an information security management system.

ISO 27001 is much more comprehensive than CE. However, unlike CE, it’s not yet a requirement for SMEs operating in the UK.

The 14 Controls of ISO 27001

Unlike CE and PCI DSS, ISO 27001 doesn’t have specific requirements for compliance. Instead, ISO 27001 provides guidelines through a set of ‘controls’. Let’s run through them.

1. Develop an information security policy

An information security policy provides direction and support for your people. It should clearly lay out how to manage information in accordance with laws, regulations and business requirements. It should also be a living document, with regular reviews to check it’s effective and everything in it is still suitable.

The information security policy document should be approved by your management team and communicated to all employees and external parties.

2. Implement and manage information security within your organisation

This control’s primary goal is to provide a mechanism for managing information security within a business. This includes assigning responsibilities to employees and maintaining appropriate contact with authorities, third parties, and security providers.

ISO 27001 provides the framework for managing information security in different aspects of your organisation, for example teleworking or project management.

3. Provide training and awareness to HR

You need to ensure that employees are aware of their responsibilities towards information security. Employees that can control or affect information security should be trained for their roles. And any changes in the employment conditions of employees should not affect your business’s security standards. 

4. Ensure organisational assets are secure

‘Information security assets’ are best defined as the devices used for information storage and processing. According to ISO 27001, you should be able to identify and classify information security assets based on the sensitivity of the information they handle. On top of this, you’ll also need to assign staff responsibility for keeping each of these devices secure. 

5. Make use of access control to protect information

Employees and third parties should have restricted access to your information. ISO 27001 shows you how to use formal processes to grant and revoke user rights.

6. Protect the confidentiality and integrity of information through cryptography

Use cryptography tools such as encryption to protect the confidentiality and integrity of your data. This can help keep you safe by making the data unusable for hackers – even if they do manage to get in. 

7. Prevent unauthorised physical access to your workplace

The physical areas where your information security assets are kept should be protected from unauthorised access and natural disasters. If these areas are breached, say by a break in or winter storm, it could stop your business functioning properly or expose your data. 

8. Deploy secure configurations for operational infrastructure

‘Operational infrastructure’ is the devices, software, and operating systems that manage your information security. According to ISO 27001, secure configurations for this infrastructure include:

  • Protection against malware and loss of data through measures such as antivirus software
  • Ensuring that default settings and passwords from manufacturers are changed according to business requirements
  • Gathering and recording evidence of any security vulnerabilities you have

9. Secure configurations for network infrastructure

‘Network infrastructure’ is the devices such as routers and switches, services, and software that make up your network. ISO 27001 asks your business to: 

  • Monitor and control network traffic
  • Ensure applications and systems using your network are secure (using measures like firewalls)
  • Produce a network services agreement that identifies security features and management requirements for the network

10. Prioritise security when acquiring, developing, and maintaining information systems

ISO 27001 states that security should be considered at every level of an information system. From the moment you set up a new system, your business requirements should include security controls to prevent the loss or misuse of information.

11. Ensure information security for activities by suppliers

Under ISO 27001, all outsourced activities must be monitored for information security controls. For instance, your suppliers are required to comply with the same security requirements you’ve laid out for your own organisation.

12. Develop an effective approach for managing information security incidents

If an incident occurs or your systems are breached, you need to do the following:

  • Properly communicate the details of the security incident and event quickly
  • Gather and preserve evidence for further analysis of the security incident
  • Develop processes for improving information security and preventing the incident happening again

13. Prevent information security failures from interrupting business continuity 

‘Business continuity’ is the ability of your business to keep running even after something’s gone wrong. ISO 27001 provides a step-by-step process for ensuring your business can continue operating after a breach. A key aspect of this is making sure information systems can still be accessed even during and after an incident. 

14. Ensure compliance with information security policies and standards

Lastly, your organisation should never be in breach of any law or security standard. ISO 27001 guides you through getting compliant and staying that way.

PCI DSS

The Payment Card Industry (PCI) Data Security Standard (DSS) is an international information security standard launched in 2004. This standard affects anyone who handles credit cards from leading card companies such as Visa, MasterCard, American Express, Discover, and JCB.

Which organisations need to comply with PCI DSS?

Any organization that accepts, stores, or transmits cardholder information must comply with PCI DSS. Cardholder information includes the Primary Account Number (PAN), cardholder name, service code, and expiration date.

The Four Levels of PCI DSS:

Each organisation falls into one of four levels of PCI DSS. These levels are determined by the number of Visa transactions performed by your business annually.

The four levels:

  • One: organisations that process over 6 million transactions per annum
  • Two: businesses that process between 1 million and 6 million transactions per annum
  • Three: organisations that process between 20,000 and 1 million e-commerce transactions per annum
  • Four: those that process fewer than 20,000 e-commerce transactions or up to 1 million transactions per annum

With the exception of level 3, these categories apply regardless of the transaction channel.

The Six Goals of PCI DSS:

PCI DSS has six key goals.

1. Build and maintain a secure network 

To comply with the PCI DSS, you need a secure system and network. To achieve this, you’ll need to:

  • Install and configure a firewall for protecting your network
  • Make use of secure configurations for devices and software instead of manufacturers’ default settings

2. Protect cardholders’ information

Protecting cardholder information isn’t just about preventing breaches of your network. It’s also important that you stop any stolen records from being used. 

PCI DSS requires the use of encryption when transmitting cardholder information across public networks. Properly encrypted information is unreadable to anyone without the key, even if a breach occurs.

3. Maintain a vulnerability management program

A ‘vulnerability management program’ ensures that malware and other security vulnerabilities are adequately taken care of.

Protection against malware

Anti-malware tools, whitelisting, and sandboxing should all be used to protect your business against malware. And these tools should be updated and monitored regularly. To comply with PCI DSS, you’ll need to protect all company devices against any type of malware. 

Secure systems and applications

PCI DSS instructs you to ensure the following when securing your systems: 

  • Keep all devices and software updated by installing the latest manufacturer-provided security patches
  • Establish a process for identifying and reporting newly discovered security vulnerabilities
  • Use industry best practices when developing or changing software applications and system components

4. Implement strong access controls

Access control is all about restricting users on a ‘need-to-know’ basis. Cardholder information is highly sensitive and access to it should be restricted, even for your employees. 

PCI DSS requires businesses to ensure access to system components is authorised and authenticated through user accounts. What’s more, physical access to cardholder information should be tightly controlled. This means all your system components should be stored in an inaccessible location – far away from anyone unauthorised.

5. Monitor and test networks regularly

To check for vulnerabilities in your networks, you’ll need to monitor and test them regularly. Any access to network resources, particularly cardholder data, should be tracked and monitored. This will tell you who’s accessing your cardholder data, when they’re doing it, and how.

PCI DSS also requires you to monitor network traffic, run scans for detecting internal and external network vulnerabilities, and set up a detection system for intruders. 

6. Maintain a policy for information security

Any organisation looking to comply with PCI DSS needs comprehensive guidelines for staff on how to handle information security. The policy should include a risk-assessment process, usage policies for technologies, information security requirements for personnel, and a formal awareness program.

A short summary

If you’ve made it this far, you’re now well-versed in the differences between these certifications. But here’s a quick summary of the key differences between them.

| Parameter | Cyber Essentials | ISO 27001 | PCI DSS |
| --- | --- | --- | --- |
| Creator | Government of UK | International Organization for Standardization (ISO) | PCI Council consisting of Visa, MasterCard, American Express, Discover, and JCB |
| Flexibility | Low | High | Low |
| Scope | Depends on the business. Limited to the UK only. | Depends on the business and is international. | Applies to cardholders’ information only and is international. |
| Number of Domains | 5 requirements | 14 controls | 6 goals |
| Auditing | None. | Maintenance audits each year and recertification audits every 3 years. | Network-scanning audits and onsite audits depending on the level of compliance needed. |
| Certification | Must have for government suppliers handling personal information. | Given to all organizations. | Required by organizations that involve payment through credit cards. |
| Compliance | Easy | Complex | Complex |
| Time to Compliance | 1 – 2 days | 6 – 9 months | 1 – 2 weeks |

So which should you pick?

Cyber Essentials, ISO 27001, and PCI DSS are very different standards. However, they share a common goal: information security. 

ISO 27001 looks like the most comprehensive standard, but it isn’t the silver bullet it appears to be. Government departments in the UK often prefer (and even require) CE over both ISO 27001 and PCI DSS. So the best certification for your business depends on your requirements, size and infrastructure.

This might seem like a bit of a minefield, but that’s where we come in. At CyberSmart, we understand cybersecurity can be confusing. But we don’t believe it has to be.

So if you’re looking to improve cybersecurity but aren’t sure where to begin, talk to us. We can help you navigate tricky government standards and choose the right option for your business.


Cybersecurity standards explained


The cybersecurity sector is a crowded place when it comes to different standards, certifications, rules and regulations. It can also cause a lot of head-scratching and confusion for those not familiar with the best practice.

Founders and business owners often come to us and say they want to or have to get ISO 27001 certified. Hardly anyone knows when and how ISO 27001 makes sense for a small business, or what other certifications can be achieved instead of ISO 27001 or used as a stepping stone towards achieving ISO 27001. Here is a brief overview of the most common cybersecurity standards in the UK:

Cyber Essentials

In short, Cyber Essentials is a scheme designed by the UK government that aims to get all UK businesses to be able to manage their IT security to a certain level. It helps companies to implement basic levels of protection against cyberattacks, demonstrating to their customers and suppliers that they take cybersecurity seriously.

Established in 2014, the purpose of this standard is to develop the necessary cybersecurity standards throughout an organisation. The standard is relatively technical and protects organisations from 80% of cyber-attacks. The most surprising thing we discovered as cybersecurity consultants was that most companies that had other standards, such as ISO 27001 or PCI-DSS, implemented would still fail under Cyber Essentials. The best use case for this standard is to implement it as a first line of defence and perimeter security before other standards are considered.

Cyber Essentials certification is a great first step towards GDPR. It serves as evidence that you have carried out basic steps towards protecting your business from internet-based cyber attacks.

Cyber Essentials Plus

Cyber Essentials Plus is the audited standard of Cyber Essentials. Besides including some additional controls, the implementation needs to be assessed by a Cyber Essentials Plus auditor. This obligatory audit creates additional trust in the standard and it is safe to assume that once Cyber Essentials is well-established, Cyber Essentials Plus will increasingly become mandatory.

IASME

This standard goes far beyond Cyber Essentials and can be described as a “mini version of ISO 27001:2017”. Together with the government, IASME developed this standard in order to create an easily adaptable and affordable alternative to ISO 27001. The IASME standard is specially tailored towards SMEs and covers processes, people and technology. In May 2018 both IASME standards will be expanded to include GDPR readiness. Both IASME standards require Cyber Essentials as part of the readiness as well. Similarly to Cyber Essentials, the IASME standard can serve as proof to customers and suppliers that their information is being protected. It is provided alongside the Cyber Essentials certification. There are two types: the standard self-assessment and the Gold standard, which requires an onsite audit.

ISO 27001

ISO 27001 is an international information security standard. With well over 100 controls, the standard is frequently implemented by corporations or businesses dealing with critical infrastructure or the public sector. ISO 27001 covers areas that include security policies, access control, operations security, human resources, cryptography and compliance. It does not cover GDPR*. However, an organisation can voluntarily include GDPR in their ISMS (Information Security Management System).

*A note on GDPR: GDPR is NOT a standard, it’s a law, so we’ve excluded it here. 

If you have any questions about Information Security Standards or Cyber Security in general or just want to have a chat, drop us a line at hello@cybersmart.co.uk.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
