Why should businesses consider obtaining a Security Certification?
There are several reasons why businesses choose to attain security certifications. For some, it’s in order to benefit from the best practice they demand while others decide they also want to get certified to reassure customers that the business is less likely to be affected by cyber-attacks. In some cases, contracts with clients, in particular Government, require certification to certain standards.
The information/data held by a company is clearly important and as such there are several factors that impact on that data’s quality.
- It needs to be available, but only to those who are authorised to access it.
- The format of the data needs to be correct for the permitted use
- The version of the files being viewed must be managed so that the correct information is used.
- Of course, the information must also be complete
- Security of the data is key so that confidentiality is maintained and it can’t be stolen
By putting good security measures in place businesses can be sure that their information can be relied on and not be stolen or attacked. Additionally, by obtaining a data security certification the businesses management team will have a clear picture of the organisation’s ICT security.
GDPR & PCI DSS
There are legal requirements which businesses need to adhere to, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Standard (PCI DSS):
PCI DSS Security Standards are developed specifically to protect payment account data throughout the payment lifecycle. They include standards for merchants, service providers, and financial institutions on security practices technologies and processes, and standards for developers and vendors for creating secure payment products and solutions.
General Data Protection Regulation (GDPR) is the UK’s (and Europe’s) framework for data protection laws, its primary aim is to give control to individuals over their personal data. It also makes data protection rules more or less identical throughout the EU. Companies can be fined for non-compliance and breaches and gives us all more say over what companies can do with our data.
Both the PCI DSS and the GDPR aim to ensure organisations secure personal data. PCI DSS is not a strictly legal requirement in UK law, however, credit card details are not just financial data but personal data and as such falls under the GDPR Act. So, while it’s not a legal requirement, it should be considered as such.
These regulations are focusing on the impact of others in relation to the data held about them and this is because any information about an individual belongs to that person and not to the holder of the data. Businesses need to have permission to both hold and use that data. It is, therefore, incumbent on businesses holding personal information, such as staff records, names of clients staff etc, to keep that information secure.
In addition, the business has responsibilities in respect of the Consumer Data Rights and must register with the Information Commissioners Office (ICO) and report any data breaches to them and subsequently report lost information to all individuals whose data was affected.
Businesses can be fined if they don’t comply with GDPR law, however, the bigger impact of a security breach is likely to be a loss of reputation with customers and they may no longer wish to transact with the business following the breach.
In some cases, recovery from a breach can also seriously impact the day-to-day operation of the business unless resilient systems are in place to speed up the systems and data restore process.
So, in short, there are 2 things to focus on: Firstly, protecting the data from threats and secondly being able to access that information in a timely manner should it be compromised. This sounds simple enough but there are a lot of factors at play which can be addressed by opting to attain a security certification.
It is generally considered a requirement for key personnel and decision-makers of businesses to openly support the Data Protection processes to make sure they are implemented and operated effectively. Some businesses should appoint a Data Protection Offices (DPO) who will report directly to the ICO.
We can prepare a business’s Security Fabric and Protection Services so that it can be sure its ICT is not the weak link in attaining GDPR Compliance. We do this through our Cyber Security Assessment Framework to produce a detail report with recommendations to correct weaknesses in a business’s systems.
It should be noted though that to comply with the GDPR Act businesses will also need to have sound Policies and Procedures in place. Additionally, HR, Legal and Marketing functions will need to consider the acts ramifications and Staff will need training to understand their responsibilities.
Our Assessment Framework will also prepare businesses to they can be audited by external assessors so that the required security standard can be achieved. The typical standards that businesses seek certification for are: Cyber Essential, Cyber Essentials Plus or ISO/IEC 27001
How to get the Cyber Essentials Certification?
Cyber Essentials is a simple but effective, Government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks.
The Cyber Essentials scheme is a cybersecurity certification that outlines the security procedures a company should have in place to keep their data secure. Firewalls, Internet gateways, secure configuration, access control, malware protection, and patch management are the protection measures the certification covers.
To achieve certification, you must complete a self-assessment questionnaire and submit it through an online portal. Once you have applied, a certification body assesses and grades the application.
Certification gives you peace of mind that your defences will protect against the vast majority of common cyber-attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.
While your organisation needs more than Cyber Essentials to comply with GDPR, it’s a great first step. Cyber Essentials certification is evidence that you have taken steps towards protecting your data from cyber-attacks.
Cyber Essentials Plus still has the Cyber Essentials trademark simplicity of approach, and the protection you need to put in place is the same, but for Cyber Essentials Plus a hands-on technical verification is carried out.
The auditor will review your cybersecurity measures and verify that your data handling skills are up to scratch. We recommend Cyber Essentials Plus to those who want a thorough assessment of their cybersecurity measures.
Deciding which certification is better depends entirely on your goals. If you’re looking to achieve certification just to get on the public register and access certain government contracts, you should opt for Cyber Essentials. However, if you want to really show your customers that data protection is a high priority and work with top-notch clients, Cyber Essentials Plus is the better option.
It is important to note that both levels have the same requirements that you need to fulfil. The difference lies in the type of assessment and the cost of paying for independent auditing to achieve the Plus certification.
ISO/IEC 27001 is an international information security standard. It includes some 114 controls in 14 groups and 35 control objectives. This standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organisation’s information security management system.
The standard takes a comprehensive approach to information security, assets that need protection range from digital information, paper documents, and physical assets (computers and networks) to the knowledge of individual employees.
The standard is frequently implemented by corporations or businesses dealing with sensitive data and needing the highest level of information assurance. It is also attained by organisations which are required to include relevant laws and to meet GDPR requirements in their Information Security Management System (ISMS).