‘Cyber Essentials’ is a great name for an IT security standard: it has enough Dr Who/Trekkie overtones to persuade the non-techies amongst us that it is really important, which it is, up to a point. It’s a government-backed scheme for ensuring that businesses meet some basic IT security standards, for example having strong passwords, keeping anti-virus up to date, preventing malware etc. – all essential stuff, but it’s only really the tip of the iceberg in terms of real IT security.
The international standard ‘ISO27001:2013’ covers all aspects of an organisation’s information security. It goes beyond the obvious technical stuff and addresses the wider organisational issues which affect the security of critical systems inside the business. It does have a cool acronym though, ‘CIA’ – Confidentiality, Integrity and Availability of information – and this information can be on disc or on paper; if it’s important to the business, the standard applies.
And it goes well beyond the nuts and bolts of cyber essentials to look at the wider corporate environment – the best firewall in the world won’t protect you against someone grabbing sensitive documents from a filing cabinet, or getting data from a scrapped PC that wasn’t properly disposed of.
The standard also looks at whether information security has a high profile with senior management, and whether regular internal audits are being undertaken. In short, every area of your business has some link to information security, and you need to demonstrate a commitment across the entire business.
Your reception, your phone system, your publicity materials, your accounts, your suppliers – all need to be viewed through the lens of information security, even for small companies. You need buy-in across the business, not just from the techies, and you need to have someone dedicated to identifying and managing the risks that emerge.
Embarking on ISO27001 accreditation will involve a lot of commitment, and will probably reveal a lot of gaps in your approach to information security, but the signs are that more and more companies will start to demand this critical accreditation from their suppliers, so it makes sense to get started early.
We started our journey a few years ago and it was hard, but we’re glad we did it – if you’d like any information on how we did it and what the benefits are, please get in touch.