For many organisations, certifying to the Cyber Essentials scheme represents a key milestone in their cyber and information security journey. It is often the first security certification organisations obtain and provides significant benefits, such as protecting against the most common cyber attacks and allowing organisations to demonstrate their commitment to cyber security.
However, whilst certification to the scheme is an important step, it is equally important to recognise there are additional measures that can and should be considered to further enhance your security posture. In this blog post, URM outlines further actions that can be taken to help protect your organisation following completion of Cyber Essentials.
Cyber Essentials Plus and other frameworks and standards
A logical next step following Cyber Essentials certification is to achieve Cyber Essentials Plus, which covers the same requirements as Cyber Essentials, but also requires you to undergo an independent technical audit and vulnerability scan. In this blog, the additional measures outlined will be applicable to those with Cyber Essentials and Cyber Essentials Plus certification.
You may also consider adopting more comprehensive frameworks or standards, such as ISO 27001, SOC 2, and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0. URM recognises that it may not be feasible for your organisation to implement another framework or standard immediately after achieving Cyber Essentials. The following steps can be taken independently to supplement Cyber Essentials and better prepare your organisation to adopt more complex frameworks as it reaches a higher level of maturity.

Asset Management
The management of assets is a core security function that not only allows you to identify and track assets, but also streamlines the Cyber Essentials recertification process, as a significant proportion of the information required to complete the Question Set will be readily available. An up-to-date asset register will provide you with clear oversight of your assets, making it easier to carry out tasks such as identifying assets nearing end-of-life (EOL) and ensuring that software is running the latest versions. Maintaining an asset register will also help you to allocate resources effectively and manage organisational risk.
Incorporating Risk Management
By documenting assets, you will be better placed to adopt risk management processes and conduct effective risk assessments. This involves identifying the potential risks to your organisation’s assets, evaluating their likelihood and impact, and subsequently assigning a risk score, allowing you to effectively prioritise risk treatment.
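To make the two preceding points concrete, here is an added illustration (not URM's code or tooling) of how a documented asset register supports both the EOL and version checks described under Asset Management and the likelihood-times-impact prioritisation described here. The register entries, field names (`version`, `latest_version`, `eol`, `likelihood`, `impact`) and the 90-day EOL warning window are all constructed assumptions for the example.

```python
"""Asset register review: flag assets nearing end-of-life (EOL) or running
outdated software, then order the findings by a simple risk score
(likelihood x impact) so that treatment can be prioritised.

All register data below is constructed for illustration; the field names
and the 1-5 likelihood/impact scales are assumptions, not a scheme requirement.
"""
from datetime import date

EOL_WARNING_DAYS = 90  # assumed warning window for approaching EOL

# Constructed sample register: one record per asset.
ASSETS = [
    {"id": "SRV-01", "name": "file server", "software": "Windows Server",
     "version": "2016.0", "latest_version": "2025.0", "eol": "2027-01-12",
     "likelihood": 3, "impact": 5},
    {"id": "LT-07", "name": "finance laptop", "software": "macOS",
     "version": "14.7.2", "latest_version": "15.3", "eol": "2026-09-30",
     "likelihood": 2, "impact": 4},
    {"id": "FW-01", "name": "perimeter firewall", "software": "VendorOS",
     "version": "7.2.1", "latest_version": "7.2.1", "eol": "2025-12-31",
     "likelihood": 1, "impact": 5},
    {"id": "LT-02", "name": "spare laptop", "software": "Windows 11",
     "version": "24.2", "latest_version": "24.2", "eol": "2028-06-30",
     "likelihood": 1, "impact": 1},
]


def parse_version(text):
    """Turn a dotted version string into a tuple so that 14.7.2 < 15.3 compares correctly."""
    return tuple(int(part) for part in text.split("."))


def is_outdated(asset):
    """True when the recorded version is behind the latest known version."""
    return parse_version(asset["version"]) < parse_version(asset["latest_version"])


def days_to_eol(asset, today):
    """Days until the asset's EOL date (negative once EOL has passed)."""
    return (date.fromisoformat(asset["eol"]) - today).days


def risk_score(asset):
    """Simple risk score: likelihood multiplied by impact."""
    return asset["likelihood"] * asset["impact"]


def review_register(assets, today, window=EOL_WARNING_DAYS):
    """Return findings for assets with issues, highest risk score first."""
    findings = []
    for asset in assets:
        issues = []
        if is_outdated(asset):
            issues.append(f"outdated ({asset['version']} < {asset['latest_version']})")
        remaining = days_to_eol(asset, today)
        if remaining < 0:
            issues.append(f"EOL {-remaining} days ago")
        elif remaining <= window:
            issues.append(f"EOL in {remaining} days")
        if issues:
            findings.append({"id": asset["id"], "score": risk_score(asset), "issues": issues})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in review_register(ASSETS, date(2025, 11, 1)):
        print(f"{finding['id']:7} score={finding['score']:2}  " + "; ".join(finding["issues"]))
```

Run as-is, the script lists the three assets with issues in the order SRV-01, LT-07, FW-01; the spare laptop, which is current and far from EOL, produces no finding. The score is deliberately simple; a real risk assessment would document how likelihood and impact are rated and who owns each treatment.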
Business Continuity
Cyber Essentials provides a foundational level of security that can mitigate the risk of disruptive incidents. However, it does not eliminate these risks entirely. As such, your organisation must prepare for potential disruption by creating robust business continuity plans (BCPs) that enable you to maintain an acceptable level of operations during a disruptive incident. You should also consider how your organisation would recover from and resume normal operations after an incident, for example, by taking and testing backups in case they are required to restore critical systems or data. To learn more about producing effective BCPs, read our blog on How to Develop a Robust Business Continuity Plan.
Incident Management
Similar to business continuity, your organisation will benefit from implementing an incident management process to ensure you are as prepared as possible to deal with a disruptive incident. Such a process should define the steps to be taken at each stage of the incident lifecycle, including incident detection, response, escalation, notification to authorities and identifying lessons learned. It should also identify the individuals within your organisation who are responsible for responding to incidents and their contact information, as well as the responsibilities of all staff (e.g., reporting an incident as soon as it is identified, following instructions during the response, etc.).
Supplier Management
Suppliers can pose serious risks to your organisation’s security; if a supplier has access to your systems and information, any attacks or breaches they suffer could impact your organisation. As such, a valuable next step following certification to Cyber Essentials is to consider whether your suppliers’ information security is at an acceptable level. As part of this process, it is important to conduct continuous supplier information security risk management activities; in some cases, this could involve checking that they have relevant certifications such as Cyber Essentials, Cyber Essentials Plus, ISO 27001, etc., and in others this may include requiring them to fill out a questionnaire or undergo an audit. For more detailed guidance on how to approach this, read URM’s blog on How to Conduct Effective Supplier Information Security Risk Management.
Security Training and Awareness
People play a significant role in maintaining an organisation’s information security and, as such, it is vital that they understand their responsibilities and can recognise common threats. This can be achieved through the delivery of periodic security training and awareness. As part of your compliance with the General Data Protection Regulation (GDPR), you are likely already delivering training to your employees on data protection principles and the correct handling of personal information. This existing training framework can be extended to cover wider information security topics, such as safe remote working practices and secure password management. Information security training can also be reinforced through practical methods, for example by running phishing simulations. By ensuring your employees are aware of and trained in information security best practices, you will enable them to act as effective risk mitigators for your organisation.
Establishing an Internal Audit and Monitoring Programme
Rather than relying solely on annual Cyber Essentials (or Cyber Essentials Plus) assessments to understand your organisation’s security posture, it is highly beneficial to implement a structured internal audit and monitoring programme that enables you to proactively identify and remediate security issues before they can lead to an incident. An internal programme can take various forms depending on the maturity and resources of your organisation. For example, you might implement a schedule of internal audits to evaluate how effectively policies and processes are being followed, and whether security awareness and training are successfully embedded. Additional assurance can be gained through ongoing monitoring activities that supplement the audits your organisation conducts. This may involve setting and tracking key performance indicators (KPIs), such as the number and severity of security incidents, or the completion rate of security and awareness training.
Implementing Detection Features
Cyber Essentials is primarily aimed at preventing incidents within an organisation. However, you should also consider the benefits of enabling incident detection within your organisation’s environment. Detection may involve using software that monitors network traffic or collects and analyses logs to identify patterns that may be indicative of an incident. Such detection measures position your organisation to mitigate or eradicate potential threats before they escalate into genuine incidents.
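As an added example of the log-based detection described above (not code from URM or from any particular product), the script below scans authentication log lines for two patterns a defender would typically want an alert on: a burst of failed logins from one source within a short window, and a successful login from that same source shortly after the burst. The log format (`timestamp status user source`), the sample lines and the thresholds are all constructed for the illustration.

```python
"""Illustrative log-pattern detector for authentication events.

Reads log lines in an assumed, constructed format:
    <ISO timestamp> <OK|FAIL> <username> <source address>
and raises two kinds of alert:
  * failed_login_burst   - at least THRESHOLD failures from one source within WINDOW
  * success_after_burst  - a successful login from that source within SUCCESS_GRACE
                           of the burst being detected (possible credential compromise)
Sample lines are constructed; the addresses are documentation ranges.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                          # assumed: failures needed to call it a burst
WINDOW = timedelta(minutes=1)          # assumed: sliding window for counting failures
SUCCESS_GRACE = timedelta(minutes=5)   # assumed: how soon after a burst a success is suspicious

# Constructed sample log: one source hammers several accounts, then gets in as alice.
SAMPLE_LOG = """\
2025-03-04T09:00:01 FAIL alice 203.0.113.7
2025-03-04T09:00:05 FAIL alice 203.0.113.7
2025-03-04T09:00:09 FAIL bob 203.0.113.7
2025-03-04T09:00:12 FAIL alice 203.0.113.7
2025-03-04T09:00:15 FAIL carol 203.0.113.7
2025-03-04T09:00:40 OK alice 203.0.113.7
2025-03-04T09:05:00 OK dave 198.51.100.4
2025-03-04T09:06:00 FAIL dave 198.51.100.4
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    timestamp, status, user, source = line.split()
    return {"time": datetime.fromisoformat(timestamp),
            "ok": status == "OK", "user": user, "source": source}


def detect(lines, threshold=THRESHOLD, window=WINDOW, grace=SUCCESS_GRACE):
    """Scan log lines in order and return a list of alert dicts."""
    alerts = []
    recent_failures = defaultdict(deque)   # source -> failure timestamps inside the window
    burst_detected_at = {}                 # source -> time the burst alert was raised

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = parse_line(raw)
        source = event["source"]

        if not event["ok"]:
            queue = recent_failures[source]
            queue.append(event["time"])
            # Drop failures that have fallen out of the sliding window.
            while queue and event["time"] - queue[0] > window:
                queue.popleft()
            # Alert once per source so a long brute-force run does not flood the queue.
            if len(queue) >= threshold and source not in burst_detected_at:
                burst_detected_at[source] = event["time"]
                alerts.append({"kind": "failed_login_burst", "source": source,
                               "time": event["time"], "failures": len(queue)})
        else:
            burst_time = burst_detected_at.get(source)
            if burst_time is not None and event["time"] - burst_time <= grace:
                alerts.append({"kind": "success_after_burst", "source": source,
                               "user": event["user"], "time": event["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log the detector raises exactly two alerts: a burst from 203.0.113.7 at the fifth failure, and a success-after-burst for `alice` 25 seconds later; the unrelated single failure from 198.51.100.4 stays below the threshold. In practice the thresholds would be tuned to the environment and the alerts fed into the incident management process described later in this blog.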
Identifying Use of AI
AI can be a business enabler when used appropriately, but the massive increase in AI usage is something all organisations need to consider, as improper use of AI can leave organisations at significant risk. Addressing this may involve identifying and outlining acceptable usage of AI in your organisation to reduce the risk of sensitive information being input into AI tools, which may take the form of training or the development of an AI policy. To understand what such a policy should contain, visit our blog on Establishing Organisational Control Over Artificial Intelligence.
Closing Thoughts
Cyber Essentials is perhaps one of the most effective first steps your organisation can take in its cyber security journey, helping you to establish strong security foundations whilst also providing external validation of your cyber security practices. However, as is always the case in the area of information security, there are additional steps that can be taken to further strengthen your organisation’s posture. By adopting some of the controls outlined in this blog, you will be able to build on those foundations to develop a more comprehensive and resilient security strategy that better protects your organisation against cyber and information security threats.
How URM can Help
If your organisation is looking to achieve its first Cyber Essentials certification or recertify to the scheme, URM is ideally positioned to assist you. As an accredited Cyber Essentials certification body, we have facilitated hundreds of successful Cyber Essentials and Cyber Essentials Plus assessments, providing us with extensive knowledge around and experience of the scheme. Our assessors can provide a range of services to both help you prepare for and facilitate your assessment, including conducting a gap analysis to help you identify any areas of noncompliance, and conducting a Cyber Essentials application review to ensure your answers to the self-assessment questionnaire are compliant with the scheme’s requirements.
If you are looking to develop your organisation’s cyber and information security capabilities beyond the Cyber Essentials requirements, URM can provide flexible support that is aligned with your organisation’s objectives and requirements, as well as with best practice. This can include conducting risk assessments, helping you select and implement appropriate security controls, producing business continuity plans, etc. For organisations looking to progress towards additional information security frameworks such as ISO 27001, URM offers full life cycle services to support the development, implementation, and continual improvement of an information security management system (ISMS) that is fully conformant to the Standard’s requirements.