
Are All Information Security Standards Equal?

by | May 17, 2017 | Client Consultancy, Cyber Security

Todd Gifford, CISSP, shares his thoughts on Information Security standards.

Information Security standards are good news for many reasons, not least of which is what I believe is their primary purpose – they offer assurance. The reason they offer assurance is that they have been drafted, reviewed and implemented by very competent, experienced and certified individuals, and are recognised in industry and the public sector. They are used in supplier management frameworks to help ensure that any given supplier is acting in a professional and responsible way when it comes to Information Security and, moving forwards, compliance with GDPR. Standards should also guide organisations, such that they implement appropriate controls across people, process and technology to minimise risk. Increasingly, organisations are turning to standards such as ISO27001 as a way of demonstrating that they are security conscious and are not exposing any of their clients to undue risk. All this sounds great – a supplier with an accredited standard is secure, right? Well, there’s a question… Based on some of the supplier audits we have carried out for clients, this doesn’t always ring true. I do believe that standards are a good thing and should be treated appropriately during any supplier management process. However, like anything, they are not flawless. Let me explain, by offering my thoughts on two common standards in the marketplace:

‘Cyber Essentials’ and ‘Cyber Essentials plus’

Effectively, these are the same standard, the main difference being that the ‘plus’ requires organisations to undergo security testing on their infrastructure. For me, the clue is somewhat in the title: it is the very basic, absolutely essential things any organisation that connects its computer network to the outside world should do in order to protect said computers and networks. If it were called ‘basic technical controls for computers and networks that connect to the internet’, I doubt very much that it would have caught on – ‘Cyber’ is a great marketing term, used to good effect in this instance.

What is good about it?

If implemented correctly and appropriately maintained, it does contain good controls for basic mitigation and reduction of risk from internet-based threats, or hackers as they are commonly known.

What is not so good about it?

There are multiple implementations of the standard. More than one organisation can certify organisations to Cyber Essentials, which means that there are different levels and different numbers of questions, depending on which certifying organisation is chosen. From a purchaser’s perspective, there is also another potential issue: the Cyber Essentials standard relies on the review of a submitted questionnaire, and can be thought of almost as self-certification in that respect. You can get Cyber Essentials without any more diligence than someone reading a questionnaire you have filled out. Now, I don’t want to suggest that any organisation would wilfully fill out such a questionnaire just to get the certification, without actually implementing any of the controls (or implementing just a few of them), but based on my own experience carrying out security reviews, this may unfortunately be a practice that some organisations are following.

ISO27001

Known as the gold standard for Information Security, ISO27001 is a respected and globally implemented standard. Many organisations are turning to ‘27001’, as it’s known in the trade, as a framework to help demonstrate compliance with GDPR. I have been involved with the standard in its various forms for twelve years, and with its implementation in many organisations – it is well thought out and focuses on a risk-based approach.

What is good about it?

It’s a comprehensive standard on which to base and certify your organisation’s Information Security Management System. It offers a good framework and, if you use it in conjunction with the guidance in ISO27002, it gives any organisation a great way of reducing its Information Security risk. As it’s a global standard, implemented the world over, it will also help suppliers and purchasers alike make informed decisions about risk.

What is not so good about it?

This may seem like a contradiction, but, as a standard for a risk-based Management System, it is perfectly possible to attain ISO27001 (which, by the way, can only happen through an audit by an official certification body accredited by UKAS) without implementing some, or indeed many, basic cyber controls. That’s not to say it isn’t a good standard – in my opinion it is – but, like all things, you need to be aware of its limitations. You can also define a narrow scope for an Information Security Management System, or ISMS for short, meaning that it may not apply to the whole of an organisation – possibly not even the part you are looking to use as a supplier. The various accreditation body auditors are tightening up on this practice, but it is still out there. The other thing to be aware of is that, because the standard focuses on risk and risk treatment, it is possible for an accredited organisation to carry a high risk, as long as someone senior has approved it. Their risk appetite may be different to yours – so it is worth checking.

Should I trust these information security standards?

I believe the appropriate phrase is ‘trust, but verify’. Depending on the level of Information Security risk and your organisation’s risk appetite, you may very well need to garner further external verification of your own organisation, or of any organisations which supply your organisation with services and have access to your data and/or networks. One last thing to consider around risk, however, is outside influence. GDPR will change the risk landscape for many organisations, most notably due to the potential fines of up to 4% of global turnover or €20 million, whichever is higher. These fines can be imposed on both the controller and the processor (read customer and supplier, respectively), which I suggest should be on the risk register for all organisations. Well executed, documented and sustained Information Security practice, including good supplier management, will enable you to demonstrate that you are doing everything you can, should the worst happen and you do suffer a breach.

Need advice?

Optimising IT carry out extensive Information Security reviews for and on behalf of many organisations as part of their Information Security Management Systems, including internal auditing and supplier reviews. If you are concerned about Cyber Security and your organisation, please get in touch to see how we can help.
