Both ISO 27001 and Cyber Essentials Certification are available from the British Assessment Bureau. What are the differences between them and more importantly, what do they cover?
Section One: ISO 27001
An Introduction to ISO 27001
The information security standard, ISO 27001 particularly references handling sensitive data appertaining to customers and individuals. It helps companies ensure that they are minimising the effective levels of risk, whilst creating a framework that allows them to implement new technologies and developments.
ISO 27001 allows companies to create an information security management system using the methodology of continual improvement. Your systems are repeatedly checked and audited to identify points of failure. Policies and procedures are implemented to reduce the overall risks and threats to your data.
ISO 27001 – Effectively Plan for Common Risks
Gaining ISO 27001 certification will help you develop a strategy to combat the following risks:
- Controlling security – looking at password privileges, ensuring that passwords are regularly updated and not shared between workers. Keeping detailed logs and privilege levels that prevent personnel from accidentally or purposefully accessing information.
- Physical security measures – ensuring that workers are not writing down customer information, that all physical copies of data are kept under lock and key or shredded by a company who can provide a certificate of destruction. Even looking at the locks on the doors to your data servers.
- Compliance with local laws – with the data protection act now being superseded by the GDPR, it has never been more important for businesses to respect the terms of this legislation or face large fines from the information commissioner’s office (ICO).
- Security of communication – how secure are you routers and networks? Could this hardware be accessed by an outside agency? When you transfer information from site to site even in physical form, what precautions are you taking against theft or attack?
- Operational security measures – is someone in your business tasked with installing software patches that end vulnerabilities with your data handling programs? Are you keeping your data backed up somewhere? What are you doing about temporary data storages such as hard drives in printers?
- Supplier access – can your suppliers access your systems? How are you ensuring that there is a defined wall between them and the rest of your data? Unique login credentials may not be enough.
- Incident management – if there is a data breach or an information leak how will the company react? Who will be responsible and more importantly what kind of policy is in place to close the vulnerability in your systems and ensure that more breaches do not occur?
Who Should Consider ISO 27001?
All businesses that handle customer information such as addresses, payment and banking information and other sensitive data should be strongly considered ISO 27001 even if they are not using computer systems.
One of the types of crime that has been on the rise over the past decade is identity theft which is now being described as an epidemic. According to CIFAS there are now around 500 cases of this crime every day. Customer data is now a prime target for criminal organisations, which could even make your commercial waste of interest to gangs looking to exploit valuable business information. ISO 27001 will ensure that all the weak points in your data handling process are strengthened, helping you and your customers achieve peace of mind.
Additionally, ISO 27001 allows companies to skip large sections of pre-qualification questionnaires when applying to tender for contracts. It is the fast way to assure potential customers of your competency and proficiency when handling data. There are also similar benefits to brand, as customers will be happier dealing with suppliers that are serious about how they handle vital information.
Section 2: Cyber Essentials Certification
An introduction to Cyber Essentials Certification
With the British Assessment Bureau’s cyber essentials certification, businesses can access similar management systems to those offered by ISO 27001 certification, although these are strictly for information technology systems and are not applicable to all the information that’s handled by a company.
The package has been designed to help businesses protect themselves against some of the most common forms of cybercrime including phishing, website links, malware, malicious emails and even targeted attacks from outside agencies, also known as hacking. It focuses on exploring and recognising vulnerabilities computers and tech, and in particular the parts of the system connected to the internet.
There are two levels of certificate available. The standard package helps businesses that want to demonstrate government backed IT security compliance, the plus package helps businesses that work in highly regulated fields and are looking to tender for larger contracts.
Cyber Essentials – What is Covered
There are 5 main areas that are covered in the cyber essentials certificate. These include the following:
- Boundary firewalls and internet gateways – stopping external access to your systems from outside agencies, robot programs and data intercept programs, whilst better managing your own bandwidth requirements.
- Secure configurations – ensuring that your computers and network are all set up and managed correctly, allowing you to remove and uninstall programs that are no longer needed by your company, freeing up bandwidth and removing legacy vulnerabilities.
- Access control – managing software installations and preventing users from accessing sites deemed unimportant by management. Also ensuring that password are updated and administration privileges are respected and cannot be breached from within the company.
- Malware protection – regular scans and investigations to ensure that malware has not been installed by robot programs or unauthorised websites onto your systems.
- Patch management – ensuring that any vulnerabilities or loopholes that have been newly discovered in your systems are eliminated with the latest patches that have been issued by the software provider.
Who is the Cyber Essentials Certification For?
The cyber essentials certification is perfect for businesses looking to start moving towards ISO 27001 or wanting an addition to this certification that’s focused specifically on the data handling and vulnerabilities of information technology. In this sense, it is the ideal stepping stone to move onto the ISO certification.
However, it does make sense for businesses to have both certificates as there is now an increasing demand for companies to prove competency when applying for larger tenders with a data handling and information technology component.
Many high profile businesses have been fined recently because of data breaches. Equifax was made subject to the maximum possible penalty of £500K in 2017 and these amounts are only set to go up under GDPR. Making sure your business is safe is about more than preventing fines. Small businesses rely on reputation and word of mouth to win business and having a data breach may be a whole lot more costly than a simple fine.