Cyber Essentials

Cyber Essentials is a UK government scheme which aims to help organisations to implement basic levels of protection against cyber-attacks, a demonstration to customers and suppliers alike that they take cyber security seriously. Cyber Essentials comes in two flavours, the standard or basic form , a self-assessment test and a Plus version. This version requires a combination of self-assessment as well as an onsite audit involving independent vulnerability testing. At the time of writing, 21/09/2017, there are five bodies who train assessors.

Cyber Essentials has five basic controls which were chosen because, when properly implemented, they will help to protect against basic internet-based attacks The five controls are:

• Boundary firewalls and internet gateways
• Secure configuration
• Access control
• Malware protection
• Patch management

Additionally, if any companies want to deal with the MOD or Government, you must have Cyber Essentials as a minimal standard.

You can download the Cyber Essentials requirements from here.

You can also download the self-assessment questions from IASME, which can be found here.

Will Cyber Essentials certification make me GDPR compliant? – answer no!! but it’s a great first step. GDPR requires more than just basic technical controls, but it can mitigate ICO fines if a company suffers a breach.

The Cyber Essentials scheme is like any other business certification scheme in delivering good processes and best practice. The five technical pillars of Cyber Essentials are not difficult and they represent the very basics all businesses should be addressing as a very minimum.

Cyber Essentials is a government approved business certification scheme and proven to prevent 80% of on-line born attacks. The very fact it is an embedded pre-requisite in many Government and MoD contracts, and is often required throughout the supply chain, this is a true endorsement of the effectiveness of the scheme for protecting sensitive and valuable data. It is additionally worth noting that Cyber Essentials is still required in many public sector contracts even if a company already has the Information Security Management Standard ISO27001.

IASME Standard

Information Assurance for Small and Medium Enterprises (IASME) was designed over several years to ensure businesses are securing their data as much as possible. The goal of the IASME standard is to provide a cyber-security standard for small and medium businesses. The standard is based upon ISO 27001, but tailored for small businesses. Like Cyber Essentials, the IASME standard can demonstrate to customers and suppliers that their information is being protected.

This standard is provided alongside and independent of the Cyber Essentials certification (when going through an IASME certification body). The IASME standard comes in two flavours, like Cyber Essentials. The standard, self-assessment and the Gold standard, which requires an onsite audit. The IASME standard governance self-assessment includes the Cyber Essentials assessment within it.

You can download a copy of the IASME standard here.

Will IASME certification make me GDPR compliant? – answer no !! but it does offer support in getting your business GDPR ready.

ISO 27001

ISO27001 is the industry standard for the management of information security. The latest version of this standard is currently ISO 27001:2013. The standard covers the interaction of security with all aspects of a business. It provides a model for establishing, implementing, operating, monitoring, reviewing and improving your information security management system in a structured and well defined way. ISO 27001:2013 currently covers the following:

• Information Security Management System
• IS027001 :2013
• Security Policies• Access Control
• Operations Security• Human Resources
• Organisation of Information
• Security
• Communications Security
• Cryptography
• Compliance
• Asset Management
• Physical & Environment
• Supplier Relationships
• Security Incident
• Management
• System Acquisition, development and maintenance
• Business Continuity Management

Achieving ISO 27001 is by far no mean feat, and depending upon the size of your company, it  can take a fair degree of energy to become certified.

Will ISO 27001 certification make me GDPR compliant? – answer it depends!! In addition to the adopted technical controls, structured documentation, monitoring, and continuous improvement, the implementation of ISO 27001 promotes a culture and awareness of security incidents in organisations. The employees of these organisations are more aware and have more knowledge to be able to detect and report security incidents.

Information security is not only about technology; it’s also about people and processes. The ISO27001 standard is an excellent framework for compliance with the EU GDPR. If the organisation has already implemented the standard, it is at least halfway toward ensuring the protection of personal data and minimising the risk of a leak, from which the financial impact and visibility could be catastrophic for the organisation.

The first thing an organisation should do is conduct an EU GDPR GAP Analysis to determine what remains to be done to meet the EU GDPR requirements, and then these requirements can be easily added through the Information Security Management System that is already set by ISO 27001.

Summary

All companies must comply to GDPR before May 2018. If you are serious about ensuring that your business data is being protected and you want to improve your business reputation, you should look towards becoming Cyber Essentials and IASME certified.

If you are a company that has more than 20 staff or so, we would probably also recommend that your company looks to obtaining Cyber Essentials Plus and possibly IASME Gold, This will help your reputation and show your customers and suppliers that you take the protection of information seriously. Many larger companies, typically look at obtaining ISO 27001.

Looking for Cyber Essentials and IASME Guidance

If you are looking to become Certified Essentials and/or IASME certified, Blue Saffron can help you on the road towards certification.

References

ISO 27001 and the Cyber Essentials scheme

What is Cyber Essentials?

ISO 27001 VS Cyber Essentials

ISO 27001 vs. Cyber Essentials: Similarities and differences

An Overview of Cyber Essentials

IASME Consortium