
Part of Data Security Standard 9 - IT protection

Frameworks that can help



There are several frameworks that help in both achieving and demonstrating a managed data security plan, most notably Cyber Essentials, Cyber Essentials Plus and ISO/IEC 27001.


Cyber Essentials / Cyber Essentials Plus

Scope

The Cyber Essentials Scheme covers the basics of cyber security in an organisation’s enterprise or corporate IT system. Implementing these controls can significantly reduce the risk from prevalent but low-skill cyber attacks.

For many organisations, especially those with significant information assets or those exposed to a wider range of threats, Cyber Essentials will be one practical component of a wider cyber security posture, as described, for example, in the Government’s 10 Steps to Cyber Security and Cyber Security: what small businesses need to know.

The scheme requirements document focuses on internet-originated attacks against an organisation’s IT system. Many organisations will run additional services, for example web applications, that require specific controls beyond those provided by Cyber Essentials.

Cyber Essentials concentrates on five key controls.

These are:

1. Boundary firewalls and internet gateways

These are devices designed to prevent unauthorised access to or from private networks. Correct configuration of these devices, whether implemented in hardware or software, is essential for them to be fully effective.

2. Secure configuration

Ensuring that systems are configured in the most secure way for the needs of the organisation.

3. Access control

Ensuring that only those who should have access to systems do have access, and only at the appropriate level.

4. Malware protection

Ensuring that virus and malware protection is installed and kept up to date.

5. Patch management

Ensuring that the latest supported version of each application is in use and that all necessary patches supplied by the vendor have been applied.


Assurance framework

As stories of organisations exposing customers’ information to cyber threats continue to make headlines, it is increasingly important for organisations not only to maintain a robust cyber security stance but also to demonstrate it to clients.

The assurance framework is designed to provide a simple means for third parties to distinguish organisations that are implementing basic cyber security controls from those that are not.

This can be used in a number of ways:

  • an organisation may undergo certification to mark them out from their competitors
  • they may require certification from partners where contractual relationships expose them to wider cyber risk, for example where information is shared
  • insurers, investors and auditors may take certification into account when assessing an organisation’s risk profile

ISO 27001

ISO/IEC 27001 is part of a family of standards that helps organisations keep information assets secure.

Using this family of standards will help your organisation manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to you by third parties.

ISO/IEC 27001 is the best-known standard in the family, providing the requirements for an information security management system (ISMS).

What an ISMS is

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems, applying a risk management process to each.

It can help small, medium and large businesses in any sector to keep information assets secure.

Certification to ISO/IEC 27001

Like other ISO management system standards, certification to ISO/IEC 27001 is possible but not obligatory.

Some organisations choose to implement the standard in order to benefit from the best practice it contains, while others also decide to get certified, to reassure customers and clients that the standard’s recommendations have been followed. ISO itself does not perform certification.


Last edited: 27 September 2022 3:11 pm