I’ve Got my Cyber Essentials - Now What?

The most obvious next step is to obtain Cyber Essentials Plus, which includes a technical assessment as well as the completion of the questionnaire from Cyber Essentials.  Obtaining this will demonstrate a more robust approach to security to your partners and clients, as well as provide validation that your systems are, in fact, as secure as you say they are!  You may decide to go a step further, and certify against a more holistic security framework, such as ISO 27001, which focuses on the development, implementation, and continual improvement of an information security management system (ISMS).  ISO 27001 certification is generally more time and resource intensive than certification to Cyber Essentials, however it functions as an excellent next step in improving your organisation’s security posture when you reach the appropriate maturity level to meet the Standard’s requirements.  If you would like to learn more about how to achieve ISO 27001 certification, read our blog on 6 Must Do’s When Implementing ISO 27001.

‍

‍

Of course, not all security improvements lead to certification.  While certification is useful to externally demonstrate a commitment to security, the fixed boundaries of such work are sometimes not as valuable as tailor-made engagements.  It can be useful to work with a security consultancy to discuss your organisation and concerns and allow them to formulate a package of work to suit your business requirements.  This could take the form of governance risk and compliance (GRC) consultancy, which looks to improve policy and process, or technical assessments such as penetration tests which identify vulnerabilities and security issues on your systems.  A good security consultancy will seek to group different GRC and technical assessments together in order provide full insight into your organisation’s security – and provide the best recommendations for improvement.

Security is a journey, and it can be useful to consider your long-term destination: do you want your security to be your organisation’s USP? Do you want to do the minimum required to comply with your industry’s expected standards?  Both approaches have benefits and drawbacks, however often these decisions are made without full understanding of their implications.  A security consultancy can undertake work to assess your current security posture, desired future state, and identify improvements which need to be made in order to reach your destination. Work like this can create a roadmap for you organisation – ensuring that your security posture ends up where you want it to be, as opposed to what you currently have.

If you would like to improve the security competencies and capabilities of your internal personnel, you should also consider hiring individuals with industry-recognised security qualifications, and/or upskilling your existing staff by sending them on training courses to obtain security qualifications, such as the Certificate in Information Security Management Principles (CISMP) and the Practitioner’s Certificate in Information Risk Management (PCIRM).  The CISMP is a foundation-level qualification  which  will provide you with the skills and knowledge to manage information and cyber security and address the ever-evolving threats and changes in working practices, e.g. remote working. The PCIRM is a practitioner-level qualification which demonstrates that an individual possesses a hands-on understanding of information risk management.  The PCIRM syllabus covers the identification of threats that could damage key assets and the assessment of vulnerabilities which could lead to those threats arising, as well as the controls and treatment options available to mitigate information security risks (among other things).  As such, the presence of CISMP and PCIRM-certified personnel within your organsiation will help elevate its security posture, as they possess the necessary skills and understanding to reduce the likelihood of security incidents occurring.

As you can see, there are no right answers to answer the question that prompted this blog.  If you’re currently deciding what your next step should be, URM is happy to offer 30 minutes of free consultancy to help you understand what’s right for you.