Cyber Essentials and ISO 27001 – where should organisations be looking?

14 Sep, 2016

The National Cyber Skills Centre and ISO Quality Services Limited are collaborating on a 12 week series of articles, made available free their respective websites, to raise awareness for SMEs on how the adoption and adherence to a recognised industry or international standard provides the levels of information security and governance expected in today’s business world.

With the risk of data loss becoming more and more apparent to organisations of all shapes and sizes, many questions are being raised as to adequate protective layers for policies and processes. What should organisations have in place to protect its staff and customer data and its overall reputation – is there a minimum security level small businesses should adhere to?

With the number of high profile attacks increasing, the security of data is becoming a priority for business leaders and governments alike. There was a 35% increase in the number of attacks from 2014 to 2015 (PWC) in the UK and according to a report by the UK government, 90% of large businesses were affected by a data breach in the last year.

It is still a common misconception that hacks and data breaches only happen to larger businesses, but alarmingly 74% of small businesses in the UK suffered a data breach in the last year. These breaches can cost organisations anywhere between £75,000 – £311,000 to repair, not to mention, can also be accompanied by heavy fines. Organisations, large and small, are collecting, storing and harnessing more information than ever before, and all businesses store potentially sensitive data; whether about your customers, staff or suppliers. This data is all under threat, and by various different means, but what are the ramifications should it be accessed?

What sort of measures should you have in place to minimise the risk? What is out there to help?

The Cyber Essentials Scheme is a Government backed initiative tasked with providing guidance for businesses of all sizes in various sectors, with two tiers of assessment. The scheme helps put companies in a position to protect themselves against basic cyber-attacks through a set of security controls, within their IT systems, which include: Boundary Firewalls and Internet Gateways, Secure Configuration, Access Control, Malware Protection and Patch Management. The initiative provides “basic but essential” protections that any business should have in place to minimise threats, to which the business is assessed and certified. This level of protection allows a business to demonstrate to customers that cyber threats are understood and measures are in place to protect their information.

But threats to security aren’t just cyber – what do you do if a data breach is physical not digital. This is where the ISO 27001 Information Security Standard comes in. But what is it and how can it help?

While it is great that a business would be certified to Cyber Essentials, what about the bigger security picture? You could be protecting the business from cyber-attacks, but are you leaving the front door open to other threats? And are you missing ones that could be right under your nose? It’s a bit like the scene in the first Mission Impossible movie, where Tom Cruise lowers himself into the room to access the computer – we’re not saying everyone would go to these extremes, but the idea is there!

The ISO 27001 Information Security Management Standard is an internationally recognised standard that companies worldwide are certified to. ISO, the International Organisation for Standardisation, create standardised business practices that help organisations demonstrate their commitment to their customers.

ISO 27001 incorporates all the requirements of the Cyber Essentials Scheme and much, much more. The standard takes a look at information security as a whole; encompassing people, processes and technologies, forming a complete outlook to securing your confidential information. Ultimately, ISO 27001 is considered a much more comprehensive and all-inclusive standard, which also monitors the risk levels and the after effects of a security threat. Examining and controlling your policies and procedures, helps eliminate the problem at the source, before the threat can escalate.

ISO 27001 also helps you control another potentially volatile variable – your staff. Often over-looked, your staff are one of the biggest risks to the information you hold. Employees should understand the risks and be educated against accidental leaks as well as malicious ones. Email policies, human resource security, key fobs, transferring data and working from home, are all factors that also need to be considered as part of a comprehensive approach. Information is not just data, and attacks are not just cyber!

Best practice advice stipulates that Cyber Essentials should be adopted in addition to, not as an alternative to the ISO 27001 Standard. Having both initiatives in place communicates a strong sense of responsibility to customers and both help to improve governance and enhance your security practices. You can’t eliminate the threats, but both will help you to categorise and minimise them.

The information you collect needs to be safeguarded and secure. For more information regarding Cyber Essentials protection please speak to the team at the National Cyber Skills Centre or learn more at the Department for Business, Innovation and Skills. If you would like to learn more about becoming certified to the all-encompassing ISO 27001 Information Security Management System, we can help!

Worcester-based, ISO Quality Services Ltd is proud to specialise in the implementation and certification of the internationally recognised ISO and BS EN Management Standards.

Do you want to protect the data within your business? Are you seeking training to understand the ISO 27001 further? Contact ISO Quality Services Ltd today on 01905 670303 or email info@isoqsltd.com.