Originally published on 17 May 2017
Updated on 08 Nov 2021
Expert Todd Gifford, CISSP, Shares His Thoughts on Information Security Standards
Information security standards are good news for many reasons, not least of which, I believe, is their primary purpose: they offer assurance. They offer that assurance because they have been drafted, reviewed and implemented by competent, experienced and certified practitioners, and because they are recognised across industry and the public sector.
These standards are used in supplier management frameworks to help ensure that a given supplier is acting professionally and responsibly when it comes to information security and, moving forwards, compliance with GDPR. Standards should also guide organisations to implement appropriate controls across people, processes and technology to reduce risk. Increasingly, organisations are turning to standards such as ISO27001 (ISO/IEC 27001) as a way of demonstrating that they are security conscious and are not exposing their clients to undue risk from cyber attacks.
All this sounds great – a supplier holding a certified standard is secure, right? Not always. Some of the supplier audits we have carried out for clients have shown otherwise. I believe that standards are a good thing and should be given appropriate weight in any supplier management process. However, like anything, they are not flawless. Let me explain by offering my thoughts on two common standards in the marketplace:
Cyber Essentials and Cyber Essentials Plus Protection
Cyber Essentials and Cyber Essentials Plus are built on the same set of controls. The main difference is that the “Plus” level requires those controls to be verified by independent technical testing of the organisation’s in-scope systems (vulnerability scanning and hands-on checks), rather than by questionnaire alone. For me, the clue is in the title: it is the very basic, absolutely essential set of things any organisation that connects its computer network to the outside world should do to protect its computers and networks. If it were called “basic technical controls for computers and networks that connect to the internet”, I doubt very much that it would have caught on. “Cyber” is a great marketing term, used to good effect in this instance.
What Is Good About Cyber Essentials and Cyber Essentials Plus?
If implemented correctly and appropriately maintained, it does contain good controls for basic mitigation of risk from internet-based threats (or hackers, as they are commonly known). Its five control themes are boundary firewalls, secure configuration, user access control, malware protection and patch management. These controls are an essential baseline defence against the most common cyber attacks and offer peace of mind to organisations.
What Is Not so Good About Cyber Essentials and Cyber Essentials Plus?
At the time of writing there were multiple implementations of the standard: more than one body could certify organisations to Cyber Essentials, which meant different levels of scrutiny and different numbers of questions depending on which body was chosen. (The scheme has since been consolidated under a single delivery partner, IASME, with one question set, but the point below about self-assessment still applies.)
From a purchasing perspective, there is another potential issue: basic Cyber Essentials relies on the review of a submitted self-assessment questionnaire and can be thought of almost as self-certification in that respect.
You can get Cyber Essentials with no more diligence than someone reading a questionnaire you have filled in. I don’t want to suggest that any organisation would wilfully complete such a questionnaire just to get the certification without actually implementing the controls (or implementing only a few of them). But, based on my own experience carrying out security reviews, this may be a practice that some organisations follow. A basic Cyber Essentials certificate on its own can therefore be misleading; if you need assurance that the controls are actually in place, ask for Cyber Essentials Plus, where the certification body tests them, or verify them yourself.
ISO27001 Information Security Standard
Known as the gold standard for information security, ISO27001 is a respected and globally implemented standard. Many organisations are turning to “27001”, as it’s known in the trade, as a framework to help demonstrate compliance with GDPR. I have been involved with the standard in its various forms for 12 years, and with its implementation in many organisations. It is well thought out and takes a risk-based approach.
What Is Good About ISO27001?
It’s a comprehensive standard on which to base and certify your organisation’s Information Security Management System. It offers a good framework and, used in conjunction with the implementation guidance in ISO27002, provides a great way of helping any organisation reduce its information security risk. Because it is a global standard implemented worldwide, it also helps suppliers and purchasers make informed decisions about information security risk management.
What Is Not so Good About ISO27001?
Because ISO27001 certifies a risk-based management system rather than a fixed list of controls, it is perfectly possible to obtain certification (which, by the way, can only be granted by a certification body accredited by UKAS, or by the equivalent national accreditation body outside the UK) without implementing some, or many, basic information security controls: an Annex A control can be excluded as long as the risk assessment and the Statement of Applicability justify it. That’s not to say it isn’t a good standard. In my opinion it is, but, like all things, you need to be aware of its limitations. You can also define a narrow scope for an Information Security Management System, or ISMS for short, meaning that it may not apply to the whole of an organisation – possibly not even the part you are looking to use as a supplier. The scope is printed on the certificate, so always read it rather than just the certificate number. The various accreditation body auditors are tightening up this practice, but it is still out there.
The other thing to be aware of is that, because the standard focuses on risk and risk treatment, a certified organisation can carry a high level of risk as long as someone senior has formally accepted it. Their risk appetite may differ from yours, so it is worth asking to see their risk acceptance criteria and Statement of Applicability to check whether their idea of effective cyber security is the same as yours.
Should I Trust Information Security Standards?
I believe the appropriate phrase is “trust, but verify”, with the depth of verification depending on the level of information security risk and your organisation’s risk appetite. You may need to obtain further external verification of your own organisation, and of any organisation that supplies you services and has access to your data or networks. One last thing to consider around risk is outside influence.
GDPR will change the risk landscape for many organisations, most notably because of the potential fines of up to 4% of annual global turnover or €20 million, whichever is higher. Fines can be imposed on both the controller and the processor (read: customer and supplier, respectively), which I suggest should be on the risk register of every organisation. Well-executed, documented and sustained information security practice, including good supplier management, will enable you to demonstrate that you have done everything you reasonably can, should you suffer a cyber security breach.
Need Information Security Advice?
Optimising IT carries out extensive information security reviews on behalf of many organisations as part of their Information Security Management Systems, including internal auditing and supplier reviews. If you are concerned about Cyber Security and your organisation, please get in touch to see how we can help.
Want to learn about information security from our team of experts? Contact Optimising IT on 01242 505470 or fill out our cyber security services contact form for more information.