As security becomes a fundamental aspect in our increasingly digitized world, with news about hacks and attacks appearing in the media on a daily basis, organizations seek to reduce the risk to their operations and become more secure.
For many small and medium enterprises (SMEs), including start-ups and companies in sectors not traditionally associated with digital services, the decision to tighten security is often prompted by a feeling of insecurity following a recent attack, or a near miss (an attack that compromised a firm in the same sector). Let’s not forget that many of these SMEs are seen as ‘easy pickings’, or low-hanging fruit: attackers know their defences are rife with vulnerabilities and will not withstand a determined probing effort.
Once the decision has been taken at a governance level, the logical next step is oftentimes the adoption of a standard or framework. These provide a reference upon which secure practices can be built and improved.
The main driver for implementing a standard or framework is, or should be, the intrinsic benefit of channelling and orchestrating security efforts in a holistic manner. In practice, however, this is often overshadowed by the outcomes they enable:
Some of the standards can be certified against (like the ISO/IEC 27001), which typically entails some form of external audit, and enhances visibility by gaining a ‘badge of honour’, perhaps with the inclusion of the organization’s name in a database or register.
In certain cases there is no choice but to become compliant, or face penalties and possibly cease trading or stop some critical activities. For example, the PCI DSS requires merchants and service providers to carry out due diligence and have all applicable requirements in place in order to obtain their Attestation of Compliance (AoC). Without it, acquiring banks may impose hefty fines and may demand that the organization stop processing payment transactions.
The trouble is, once you are shopping for a standard or framework there are many to consider and the whole process may become time consuming, or even infuriating. Below are some of the questions to ask yourself:
There are many aspects to consider, and these are weighted differently, according to your organization’s priorities and what you are trying to achieve.
Although there is a plethora of standards, frameworks and architectures, the ones below are the most popular, in my experience:
ISO/IEC 27001 is a fairly old standard: it has been around since the late nineties, although back then it was known as British Standard (BS) 7799. It consists of requirements such as leadership and commitment, awareness, and continual improvement. Additionally, Annex A lists 114 controls grouped into 14 categories, which state the control objectives. Among these categories are compliance, physical and environmental security (often neglected by organizations that focus narrowly on cyber security), business continuity, and information security policies. The standard allows tailoring: controls can be deemed not applicable, provided the exclusion is justified in the Statement of Applicability. Organizations can become certified against this standard.
ISO/IEC 27002 expands on the controls listed in Annex A of ISO/IEC 27001 with implementation guidance, making it a good companion. You cannot become certified against this one.
ISO/IEC 27701 extends ISO/IEC 27001 to privacy: the focal point is privacy and confidentiality, with clearly different responsibilities depending on whether the organization is a data controller or a data processor. It assumes compliance with ISO/IEC 27001 as a prerequisite.
All of the ISO standards are available from the British Standards Institution (BSI) shop. Having said that, they are also available, in English, from the Estonian Center for Standardization and Accreditation (EVS) for a fraction of the price.
The current version of the NIST Cybersecurity Framework (v1.1) is composed of 3 elements: Implementation Tiers, Profiles (a current profile, where you stand now, and a target profile, where you want to be), and the Core, which organizes outcomes under 5 Functions: Identify, Protect, Detect, Respond, and Recover. Like ISO/IEC 27001, it allows for tailoring.
Cyber Essentials, as its name implies, focuses on the cyber side of things. It is a scheme operated by the National Cyber Security Centre (NCSC) in the UK. The organization fills in an online questionnaire, hosted by IASME, which is evaluated by an external, qualified assessor. Although the scheme is very prescriptive, it relies on trust, as the responses are taken bona fide (in good faith), with no technical verification required.
Cyber Essentials Plus, normally taken in conjunction with Cyber Essentials, adds hands-on technical verification by the assessor (typically an external vulnerability scan and internal tests on a sample of devices, rather than a full penetration test) to check whether the network and systems actually conform to the scheme.
Cyber Essentials and Cyber Essentials Plus are like passing a vehicle inspection test: they cover the basics, but there is still work to do in terms of service and maintenance. Both provide certification once attained.
PCI DSS is mandatory for all merchants and service providers that process, store or transmit cardholder data for payment transactions. It is very prescriptive and has 2 levels of scrutiny, based on the evidence required: the most basic is a Self-Assessment Questionnaire (SAQ), whereas the more demanding is a Report on Compliance (RoC), carried out by a Qualified Security Assessor (QSA). For a RoC, the reporting template alone is nearly 200 pages long, which gives you an idea of the level of detail involved.
I have consciously left out COBIT, ISO/IEC 27005, ISO 31000, SOC 2, SABSA, TOGAF, and many others, for the sake of brevity and to focus on the most common ones (your mileage may vary depending on your industry).
Once certified, or once the policies, processes and procedures are in place, these need to be embedded into your daily operations. Also, do not let your guard down or take the ‘path of least resistance’ by only caring about it once a year, when the audit is due. Be proactive, and stay updated about changes in the legal and regulatory framework, changes in your business objectives, and changes to the standards and frameworks themselves.
Standards are not set in stone; they are reviewed and amended periodically. To give a couple of examples, two of the standards cited above are due for a new version by the end of 2021 or the beginning of 2022:
ISO/IEC 27001 (and its companion ISO/IEC 27002): the current draft (not final) reduces the control categories from 14 to just 4, and the controls from 114 to 93.
PCI DSS: the current version (3.2.1) will be superseded when the new version (4.0) is released.
Not only that, but standards can sometimes contradict each other, which may cause conflict if your organization is trying to comply with both. Such is the case with one of the password requirements under PCI DSS, which mandates that “passwords must contain both numeric and alphabetic characters”, whereas the NCSC password guidance states that they “do not recommend the use of complexity requirements”.
Adopting a standard or framework is not a trivial matter: it can (and should) have an impact on how your organization runs things. Therefore, it is important to be aware of the potential benefits and drawbacks before adopting one, bearing in mind it’s not just for Christmas but for an extended period, and you need to look after it: ensuring correct procedures are followed, training your employees, and keeping an eye on changes to your organization, the jurisdiction it operates in, and new versions of the standard that come out.