Once you have successfully attained Cyber Essentials Plus (CE+) certification and the celebrations are over, what do you do? Do you just sit back and be happy that CE+ has been achieved or do you build upon it? Well, it all depends on why you undertook to achieve CE+ in the first place.
Many companies have an obligation to be CE+ certified to be able to bid for certain contracts. It’s a badge to show the world (including your potential next client) that you take cyber security seriously. Achieving CE+ demonstrates that you have the policies, procedures and technical controls in place to guard against the most common cyber threats.
Going beyond the Cyber Essentials’ five control areas
While the Government’s Cyber Essentials Scheme had a modest start and was not highly regarded in the early days, it has matured to be a recognised accreditation. Companies that have achieved CE+ have invested time and resources to put the scheme’s five controls into place, to reach the required standard as verified by an external Certifying Body. Some companies will be happy with this level of attainment, but they should all consider if CE+ is all that they require.
As I mentioned earlier, CE+ was designed to protect against the most common cyber threats. The focus is on the configuration of the technical controls (firewalls, secure configurations, anti-malware deployments etc.) to protect the infrastructure. Perfectly reasonable and certainly a requirement, but CE+ does not address risk management. This is important as companies face numerous risks originating from a wide selection of sources including people.
What the five controls do not cover
CE+ was not designed to protect against phishing or ransomware attacks for example. Both require human action to initiate a successful attack. In fact, a successful phishing attack may not trigger any technical controls at all as it depends on people (your staff) doing something they are allowed to do. All they need to do is be coerced into doing whatever the attacker wants them to do.
For organisations wishing to step up from CE+ the logical choice would be ISO 27001, the globally recognised standard for information security best practice. What makes ISO 27001 applicable is, at its heart, it’s a risk management framework. Risks to the organisation’s information security are identified and they are then managed in accordance with your risk appetite.
An ISMS that offers protection with risk management
Of course, ISO 27001 includes all the requirements for defining and managing an information security management system (ISMS) that ensures that information security is managed. However, it is the risk management aspect which keeps ISO 27001 relevant as new threats to information security emerge.
There are other approaches to information security a company could adopt such as COBIT, NIST Cybersecurity Framework and ITIL. Which one is the most relevant brings me back to my initial question: why did you achieve CE+ in the first place? Other factors to consider are the industry segment and the type of clients you engage with.
Ready to take the next step with ISO 27001?
For most companies, if they do want to build on the investments they have made with getting CE+, I would strongly urge them to go for ISO 27001. Yes, it will take a little more effort and resources, but it equips organisations with the right toolset to manage their risks and stay ahead of the cyber security arms race. ISO 27001 is widely recognised, after all, it’s an international standard.
If you are ready to learn more or get started, please feel free to reach out to our ISO 27001 experts. We’re here to answer questions or help you better understand what would be needed for your organisation to achieve this best practice ISMS standard. Visit our website, give us a call or send an email to firstname.lastname@example.org.