Tuesday, 25 July 2017

What is the "right" level of security for my business?


So far, 2017 has been the year of the cyber-attack. Cases of cyber-crime and cyber-terrorism are on the rise, but never before has the general public seen cyber-crime committed against government and public services on this scope and scale.

Now most people know just how insecure data and networks can be, so lots of people are taking extra precautions. But how much protection is the right amount of protection? What hope do small or medium-sized businesses have when entire branches of government or large enterprises are falling foul of such criminals?

Whether you’re a small business with some personal information on customers such as address or date of birth, or a massive data centre with millions of people’s personal financial information, data is data, and every bit of information needs protection.

Cyber security takes many forms and can be implemented in many ways. Currently there are several security standards on the market which help companies avoid or reduce their financial and operational risks.

So where do you begin?

ISO 27001 Information Security Management Standard

ISO 27001 is the international standard of policies and procedures that includes legal, physical and technical controls. ISO 27001 relies on a company using an Information Security Management System (ISMS) to analyse risk and set up the appropriate defences.

Implementing the ISO 27001 standard is a complex process, and completion can take anything from 6 months to 18 months. To achieve this standard, companies need to conduct a gap analysis, develop an information security policy, set up a risk treatment plan (RTP) and conduct regular testing, as well as implementing many other controls. Therefore, this standard is often more suitable for larger companies that have the resources to maintain such a complex standard.

IASME Standard

A more affordable and achievable alternative to ISO 27001 is the IASME Governance standard. This standard allows even the smallest companies to learn and demonstrate a high level of cyber-security for a realistic cost, helping customers to understand their level of dedication to data security.

This standard covers risk and compliance elements including secure operations, staff awareness, data back-up and incident response. Because the IASME Governance Standard covers many of the requirements of the General Data Protection Regulation (GDPR), an additional set of questions against the GDPR requirements was introduced on 1st March 2017. This module is optional and not required for your company to become IASME certified; however, it will help you implement GDPR requirements and prepare your company for the new regulations.

The IASME assessment includes the Cyber Essentials set of questions, so after successful completion of the certification process your company will receive two certifications: Cyber Essentials and IASME.

Cyber Essentials

According to the 2017 Cyber Security Breaches Survey, 80% of cyber-attacks could be prevented if businesses put simple cyber security controls in place. This can be achieved by implementing Cyber Essentials – a Government-backed Security Standard for companies and organisations of all sizes and shapes.

Cyber Essentials is based on a self-assessment questionnaire which focuses on the technical aspects of your company’s IT infrastructure. This certificate is a good safeguard to defend small and medium businesses against the majority of commonplace cyber-attacks. Additionally, while Cyber Essentials does not directly address GDPR, it does help provide the base framework for implementing effective information governance in an organisation.

Cyber Essentials also acts as a public certification, showing your commitment to cyber-security, and compared to other security standards it is relatively cheap and easy to implement.

Cyber Essentials PLUS

Once you have achieved the Cyber Essentials certification, you can enhance your IT security stance further with Cyber Essentials PLUS. This assessment includes detailed verification of the answers provided during the Cyber Essentials self-assessment and requires an on-site technical audit of your IT infrastructure conducted by an independent certified body.

Achieving the Cyber Essentials PLUS certificate helps assure investors, clients and potential clients that you take cyber-security seriously.

Regardless of which IT security standard you plan to implement in your company, you should always remember that cyber security risks are not only an IT department problem.

Implementing and maintaining security standards in the company requires collaboration between all of the departments – quite simply, everyone is responsible for ensuring that their work environment is secure.

If you’re not sure where to begin with the certification process – or think there is more your business could be doing to protect itself from cyber-attack, then seek professional assistance.

Grant McGregor is proud to be a certification body for IASME & Cyber Essentials Standards. Find out how we can help you with getting a Cyber Essentials accreditation or call us on 0808 164 4142.