Cyber Essentials Scheme and ISO 27001
Information Security – Where do You Start?
According to the Beaming Q1 2021 Cyber Threat Report, the first quarter of 2021 saw an 11% rise in cyberattacks on British businesses.
With the UK government aiming to make the UK the safest place to be online (Policy Paper, 21 April 2021), the next piece of primary legislation will address the security of consumer-connected products and related services.
As well as being vigilant to cyber crime, however, we must not forget the need to stay compliant with the latest UK data protection and privacy legislation, namely the UK GDPR and the DPA 2018, and the potential negative impact on brand, reputation and bottom line should a personal data breach occur.
Under the GDPR, the maximum fine for a data breach is £17.5 million or 4% of annual global turnover – whichever is greater.
So, given this as a backdrop, how is your organisation best advised to protect itself?
Cyber Essentials VS ISO 27001
Achieving certification to Cyber Essentials is the most effective way that your organisation can demonstrate it is taking cyber security seriously and is mitigating some of the most common Internet-related risks.
ISO 27001 is an international standard that provides a risk-based and holistic approach to managing information security proactively, allowing you to identify and manage all of the risks to your information assets.
More about Cyber Essentials
The UK Government’s foundation scheme for cyber security, Cyber Essentials (CE), has been established since 2014. The objective of CE is to help organisations target key technical measures to protect themselves against cyber-attacks by specifying 5 ‘no-brainer’ basic control areas that all organisations should address. These are:
1. User Access Control: Making sure that only those people who need access to specific information in your organisation have it, and ensuring that this is monitored and checked regularly.
2. Secure Configuration: Choosing and applying the most secure settings for all of your devices and software by changing default passwords and removing unused accounts and software.
3. Patch Management: Ensuring that your software and operating systems are regularly checked and updated with the latest patches to protect against vulnerabilities.
4. Malware Protection: Reducing the likelihood of being infected by some form of malware, including computer viruses, worms, spyware, botnet software and ransomware, by ensuring that you have correctly configured anti-malware software which only allows trusted applications to run.
5. Firewalls and Routers: Creating a ‘buffer zone’ that allows you to analyse traffic looking to gain access to your network and establish whether or not it should be allowed.
This protection can be further extended by taking the extra step of attaining the Cyber Essentials Plus (CE+) certification, which involves undergoing vulnerability scans and having your patching and anti-virus controls independently verified.
CE was initially used as a pre-requisite for suppliers to central UK government that processed sensitive and personal information, but the scheme has now been adopted by organisations across the board to demonstrate that they have the basic cyber security controls in place and to reassure their internal and external stakeholders.
What’s the Next Step After Establishing the CE Foundation?
Where CE and CE+ target basic technical controls to reduce the risk of a successful attack, legislation such as the GDPR has a clear expectation that appropriate organisational controls, such as policies, governance and risk management, are implemented rather than just relying on technical measures.
ISO 27001, the International Standard for Information Security Management, is widely recognised as the de facto best practice means of protecting your information assets.
It provides a robust and structured framework for planning, implementing and continually improving your information security management system (ISMS), capable of addressing current and ongoing information security and business needs.
The management system elements of ISO 27001 provide a governance, risk and compliance framework that enables your organisation to identify, manage and continually improve your risk stance and compliance obligations, regardless of size, complexity, industry or geography.
Adoption of relevant technical and organisational controls from the ISO 27001 Annex A control set is achieved through a risk management approach, which means that the controls implemented are those required to mitigate the risks relevant to your organisation’s information assets.
The control set includes controls that satisfy the CE / CE+ requirements, as well as others that address further technological, physical, compliance and human risk areas.
ISO 27001 builds on the technical measures introduced by CE and CE+ and provides the organisational controls, implemented as part of a risk-based approach, to build an appropriate policy and governance framework.
Additionally, if privacy and the protection of personal data are a particular concern for your organisation, there is an extension to ISO 27001, ISO 27701, which addresses the specific requirements of privacy information management.
Conformance with ISO 27701 will further enhance your organisation’s ability to comply with the requirements of the GDPR in relation to technical and organisational controls.
Do you Need Support? Why URM?
URM Consulting Services is an authorised certification body for Cyber Essentials.
We have assessed hundreds of clients and, with our unrivalled information security pedigree, are on hand to guide you through the process and provide you with any assistance you need.
With regard to ISO 27001, URM has been advising organisations on how to comply with and certify to this Standard since 2005, and has established a reputation for assisting organisations to implement an ISMS which is not only guaranteed to achieve certification but is also fully tailored, appropriate and sustainable for the organisation.