‘Take Your Pick’ by the National Cyber Skills Centre

23 Sep, 2016

The National Cyber Skills Centre and ISO Quality Services Limited are collaborating on a 12 week series of articles, made available free their respective websites, to raise awareness for SMEs on how the adoption and adherence to a recognised industry or international standard provides the levels of information security and governance expected in today’s business world.

Within a business there will be a tipping point, a time when the decision is made to address the management and protection of data. This may occur through an internal desire for better corporate governance. Alternatively, it may be due to requirements needed to successful fulfil a new contract. Or perhaps it is due to a recent data breach that has caused boardroom unease at what may potentially happen in the future.

Regardless of the origins of this decision for greater governance, and for the record it is a very wise decision, then a path needs to be taken towards a standard. Which way is the right way – ISO27001 or Cyber Essentials? Both have merits, both have a long list of positive attributes to them and both will provide governance. Which one are you going to pick?

If truth be told, these two standards do not in fact compete, it’s not a case of one or the other, they are in fact complimentary. There is a crossover in some places but a business can actually start with either standard and then progress to the other when needed.

Cyber Essentials is composed of five key ‘technical’ controls. This means that the thrust of impending cyber essentials is going to be predominantly a technical exercise. ISO27001 is an information management system and thus in many cases is predominately a management exercise.

However, when discussions commence on choosing a path the waters may get muddied. For example, when discussing the technicalities of access control – which in short is ensuring that people only have access to data that is relevant to their current role and responsibility – it may become apparent that a more detailed system is needed than just checking the current permissions for access to servers.

Conversely when discussing the scope of an information management system, such as ISO27001, it may become apparent that to successfully implement it a company is going to need strong and transparent access control procedures.

A company can start with either standard and then at the appropriate time implement the other, or they may find that wish to implement them together. It all comes down to the aforementioned tipping point – what is the most pressing issue surrounding data protection and information management to a company right now?

Commencing the adoption of a standard is going to cause short term disruption to a company. Established processes and procedures around the protection and management of information, even the effective ones, will need to be audited, reviewed and revised causing many to question the value of such an undertaking.

Regardless of the choice of standard a project leader, with the necessary management support, will need to be appointed and they are going to be equally loved and loathed by those employees who are going to have their working processes and procedures changed by the implementation of one of these standards. However the long term gain will easily outweigh the sort term pain – just like any other necessary change.

There is no wrong choice in deciding which path to take, Cyber Essentials or ISO27001. Which in itself is unusual in business as there is normally an obvious downside to most business decisions. Both will protect your data, both will help manage your data, both will place your company on a firmer footing for data management going forward. The key decision is getting started and driving through what are necessary changes in the data driven world of modern business. So no need to hesitate any longer, it’s time to take your pick.