Basic cyber security standards compliance

Getting started with cyber security – the most popular security standards explained

If you are looking to protect your business from cyber attacks and demonstrate compliance with the main standards and legislation, it’s not as complex as you might think.

You can get started with straightforward measures that will be able to prevent most basic attacks. They’ll not only be good for your information security, they’ll also send a reassuring message to your customers.

This article covers some of the most popular cyber and information security standards, certificates and regulations. We consider them to be the building blocks to improve your cyber resilience and compliance.

Cyber Essentials Scheme

What? Backed by HM Government, Cyber Essentials sets out an organisational security standard that, if applied appropriately, will protect businesses from the majority of low-level basic cyber threats. A starting point in cyber security, it offers various routes to certification and is largely questionnaire based.

Why? It’s not just the big organisations that are targeted by cyber criminals. If you are a business and online, you are a target too. If you are a supplier to government or the MOD, in most cases it’s mandatory. Obtaining Cyber Essentials will reassure your customers that you take cyber security seriously and you’ll get valuable certification too.

Find out more here.

The IASME Governance Standard

What? The IASME (Information Assurance for Small and Medium Enterprises) Governance Standard was developed for smaller businesses and goes a step further than the Cyber Essentials Scheme. Risk-based, it’s a highly credible security management standard and also includes a mandatory assessment against GDPR requirements.

Why? IASME allows you to demonstrate a more rigorous approach to cyber security – something that may help you to participate in a government supply chain. Smaller companies are recognised as posing more of a threat to information security, so holding IASME may set you apart from your competition.

Find out more here.

ISO 27001

What? ISO 27001 is an information risk management standard designed to provide guidance in the selection of adequate and proportionate controls to protect information. It also sets out the objectives of information security management and defines the information security policies, processes and standards to be adopted by a business.

Why? As well as providing businesses with an appropriate level of information security protection, ISO 27001 certification provides third parties and customers with confidence that information they share with you will be protected. It’s also an internationally recognised standard.

Find out more here.

Cloud Controls Matrix (CCM)

What? Designed for cloud vendors, the CCM offers a controls framework to give businesses a detailed understanding of cloud-related security concepts. The framework covers three areas – cloud architecture, governing in the cloud and operating in the cloud. It’s aligned with other industry accepted security standards including ISO 27001.

Why? Cloud vendors’ reputations and business viability rely on offering a secure service. The CCM provides the structure, detail and clarity relating to information security that the cloud industry needs, and allows you to strengthen your information security control environment.

Find out more here.

ISO 22301

What? ISO 22301 is the international standard for business continuity management. It was developed to help you prepare for and minimise the impact of disruptions which are often totally outside your control. It will help you identify your critical assets and put in place processes and plans to ensure those assets are available in the event of an incident.

Why? Continued operation in the event of business disruption is a fundamental requirement for any organisation. ISO 22301 will not only help your organisation recover from a potentially major incident, it will also protect your reputation and revenue and assure customers that you have the necessary measures in place.

Find out more here.

PCI DSS

What? The Payment Card Industry Data Security Standard (PCI DSS) is designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. The PCI DSS applies to any organisation, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

Why? Customers expect that when they make a payment to your organisation, their details will remain safe and secure. Being compliant with PCI DSS shows that you are doing your best to achieve this. What’s more, if you suffer a data breach and you are not PCI DSS compliant you risk fines and the damaging loss of customer trust.

Find out more here.

How to identify the risks in your organisation

Identifying where the risks lie in your organisation is a good basis for choosing the security standards most appropriate to your needs. Ascentor’s free online risk assessment is a high-level look at your main business risks. We’ll send you a free report on where you need to focus your improvement efforts.

Find out more here.

Alternatively, you can gain a specialist review of your organisation with a critique of your cyber risk management arrangements. Our information risk healthcheck includes clear demonstrable priorities for improvement and recommendations for action.

Find out more here.

Case study

Discover how Ascentor helped smart voice services provider Resilient assess their risk and invest in a programme of cyber security improvement and certification. They started with Cyber Essentials, then IASME (Information Assurance for Small and Medium Enterprises) and finally ISO 27001.

Find out more here.

The 10 steps to cyber security – NCSC

You may also benefit from reading the NCSC’s guidance on how organisations can protect themselves in cyberspace, including the 10 steps to cyber security.

It contains an introduction to cyber security for executive/board-level staff. You can find out more here.

A higher level of cyber security – cyber security programme

Where a higher level of cyber security is required (typically in situations where the consequences of a data breach could be huge), Ascentor uses well-established cyber risk management principles guided by widely accepted best practice.

Four internationally recognised and respected framework resources inform and guide our work: the US National Institute of Standards and Technology (NIST) Cybersecurity Framework; ISO 27001; the Center for Internet Security (CIS) Top 20 Critical Security Controls; and the Cybersecurity Capability Maturity Model (C2M2).

Find out more here.

How Ascentor can help

Whichever cyber security route or combination of routes you decide to take, we can help you get started, get better and stay on the right track.

For more details of all the information security standards available through Ascentor, including industry specific compliance (to meet MOD and nuclear industries standards), please visit our cyber security basics page.

For further information

If you have found this article of interest, the Ascentor blog regularly carries articles about a range of topical cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter. Sign-up details below.

If you’d like to discuss any aspect of IA and cyber security, please get in touch with Dave James, MD at Ascentor, using the contact details below.