Cyber Security

For businesses transacting in the UK, a number of regulations apply whenever an electronic device is used to communicate: the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018; the Privacy and Electronic Communications Regulations (PECR), which sit alongside the Data Protection Act; and less obvious ones such as the Company, Limited Liability Partnership and Business (Names and Trading Disclosures) Regulations 2015, which lay out the information that must be included in your business communications.

These give people specific privacy rights, and give businesses specific obligations, in relation to electronic communications. Also be mindful of the record-keeping and disclosure provisions of the Companies Act 2006. As an information owner, you are responsible for managing your organisation's security risks and for meeting your legal obligations, such as the disclosures required in business communications under the Companies Act (for example, a compliant email signature) and the retention of email records.

Self Assessment

Cyber Essentials

Cyber Essentials covers everything your business should do to protect itself from cyberattacks. Think of it as 'cyber hygiene' - a bit like washing your hands, brushing your teeth or wearing a face mask.

Simply being certified can reduce your exposure to commodity cyber attacks by up to 98.5%. It is also a great way to demonstrate to new customers and partners that you take cyber security seriously, helping you grow as well as stay safe.

It demonstrates that an organisation has the most important cyber security controls in place. The annually renewable certification scheme consists of five controls that reduce the impact of commodity* cyber attacks from the internet:

  • Secure your Internet connection (Firewalls and routers)
  • Secure your devices and software (Secure configuration)
  • Control access to your data and services (Access control)
  • Protect from viruses and other malware (Malware protection)
  • Keep your devices and software up to date (Software updates)

*Commodity is a term used to describe common, low skill, low sophistication cyber attacks that rely on tools which are widely available on the internet.

Organisations assess themselves against these five basic security controls and a qualified assessor verifies the information provided. All the self-assessment questions are available to download for free in advance. Cyber Essentials certification includes automatic cyber liability insurance for any UK organisation that certifies its whole organisation and has an annual turnover of less than £20m (terms apply).

Benefits

  • Protection from 98.5% of commodity cyber threats
  • Choose a monthly or annual payment plan to suit your business
  • Gain the ability to bid for government tenders
  • It gives confidence to customers and suppliers
  • Super-fast certification - Get certified, fast with our jargon-free digital audit.
  • Pass with confidence - With unlimited live support and a guided audit, full of handy tips and expert advice, you can be sure you'll pass
  • Free enhanced cyber insurance - Get £25k free enhanced cyber insurance when you achieve Cyber Essentials certification with us
Audited and Verified Self Assessment

Cyber Essentials Plus

If you have completed the standard Cyber Essentials certification within the last 3 months, you are eligible for the next level up. Like Cyber Essentials, Cyber Essentials Plus covers everything your business should do to protect itself from 98.5% of commodity cyber attacks. There is one key difference: Cyber Essentials Plus also includes an independent technical assessment carried out by one of our licensed assessors. This gives you greater confidence that your cyber security is up to scratch, and customers do not have to take your word that you are cyber secure; they can rely on the verification of a professional.

As with Cyber Essentials, the organisation first completes the self-assessment questionnaire (all questions are available to download for free in advance). The assessor then independently verifies the answers by testing a sample of the in-scope devices, rather than relying on the questionnaire alone.

Cyber Essentials Plus certification also includes the automatic cyber liability insurance offered with Cyber Essentials, for any UK organisation that certifies its whole organisation and has an annual turnover of less than £20m (terms apply).

Benefits

  • Choose a monthly or annual payment plan to suit your business
  • Same-day certification - Get certified within 24 hours with our jargon-free digital audit
  • Pass with confidence - With unlimited live support and a guided audit, full of handy tips and expert advice, you can be sure you'll pass
  • Free enhanced cyber insurance - Get £25k free enhanced cyber insurance when you achieve Cyber Essentials Plus certification with us

ACME Ongoing Support

Get Active Protection

Cyber Essentials and Cyber Essentials Plus provide a point-in-time assessment, a bit like an MOT on your car. To check and report ongoing compliance with the technical controls, we use endpoint software that checks each device against the Cyber Essentials requirements, maintains an inventory of installed software and checks it against known CVEs, provides access to and tracks cyber awareness training, distributes written company policies, and records each end user's agreement to those policies.

We will work with you to provide simple guidance on everything you need to do to fulfil your data protection obligations. Create privacy policies quickly using our templates, and embed them on your website, forms or anywhere else you capture personal information.

Build a Subject Access Request Workflow - Support UK GDPR compliance with consent and subject access request tracking and management. Our hosted SAR form allows your customers to submit requests through your website. Every request is logged in our ticket database, with automatic reminders sent to help you respond within the statutory one month.

Benefits

  • 24/7 protection
  • Fix issues in a couple of clicks
  • Full visibility of every device in your business
  • Cyber security training and policies
  • Supports any device on MacOS, iOS, Windows & Android
  • Tools that make privacy simple
  • Easily fulfil your data protection obligations
  • Save valuable time
  • Capture and track customer consent
  • Understand and address your legal GDPR requirements
IASME Cyber Assurance Is Available In Two Levels

Verified Assessment and Audited

The IASME Cyber Assurance certification includes GDPR requirements and is available in two levels: Level 1 Verified Assessment and Level 2 Audited. There is a prerequisite to applying for IASME Cyber Assurance; you must hold a valid Cyber Essentials certificate throughout your IASME Cyber Assurance certification.

It is a great fit for organisations that want ISO 27001 but realise it is a long journey, and who use IASME Cyber Assurance as a significant stepping stone towards it. As the mappings below show, Cyber Assurance maps onto these other standards, so the work done for it is reusable towards them.

For Level 1 (verified assessment), organisations access a secure portal to answer around 160 questions about their security. The assessment is marked by a Certification Body and a pass or fail is returned to the organisation. For Level 2 (audited), an independent assessor conducts an on-site audit of the controls, processes and procedures covered by the IASME Cyber Assurance standard. The audited version gives a higher level of assurance and is also pass or fail.

The Government's Procurement Bill 2022 is passing through the parliamentary process and is due to become law. It seeks to reform the UK's public procurement regime to create a fairer and more transparent system. It also aims to support businesses by making public procurement more accessible to small businesses and to voluntary, charitable and social enterprises, enabling them to compete for public contracts. Over 95% of all organisations in the UK are SMEs, many of which are the most innovative organisations in their sector. The new procurement bill is a positive sign that SMEs are being welcomed and encouraged into supply chains and allowed to compete with larger organisations for business.

A wide range of industry sectors now accept the audited IASME Cyber Assurance certification as an alternative to ISO 27001 for small companies. This is a significant step towards reducing barriers to entry for smaller organisations in a supply chain as IASME Cyber Assurance gives SMEs a legitimate way to prove their compliance.

IASME Cyber Assurance maps to the majority of the ISO 27001 / ISO 27002 controls at the achieved or partially achieved level; the mapping between IASME Governance and ISO 27001 can be found here.

The UK General Data Protection Regulation (UK GDPR) sets out seven key principles that should lie at the heart of any approach to processing personal data. Accountability is the seventh principle and the one that demonstrates that a business is doing the right thing. IASME Cyber Assurance aligns with the vast majority of the ICO's Accountability Framework; the mapping between IASME Governance and the ICO's Accountability Framework is here.

The NCSC's 10 Steps to Cyber Security, originally published in 2012 and now used by a majority of the FTSE 350, aligns directly with IASME Cyber Assurance on all topics; the mapping between IASME Governance and the 10 Steps guidance is available here.

The mapping between IASME Governance and the Cyber Assessment Framework (CAF) used under the Network and Information Systems (NIS) Regulations can be found here.

Self-Assessed

IASME Cyber Assurance (Level 1)

IASME Cyber Assurance is risk based and covers key aspects of security such as incident response, asset management, people management, physical controls and UK GDPR compliance.

This certification allows smaller companies to demonstrate their level of cyber security and information governance at a realistic cost. It shows that they are taking further steps to properly protect their customers' information and to meet the data protection requirements of UK GDPR.

The IASME Governance standard is aligned to a similar set of controls as ISO 27001, but is more practical, affordable and achievable for small and medium-sized organisations to implement.

This standard complements and builds on Cyber Essentials; indeed, it includes a Cyber Essentials assessment and the UK GDPR requirements. Whereas Cyber Essentials checks the technical controls, this standard also checks key governance aspects, such as:

  • Risk assessment and management
  • Training and managing people
  • Change management
  • Monitoring
  • Incident response and business continuity

Level 1 certification is the first step along the certification pathway for IASME Cyber Assurance. For Level 1, organisations are given access to a secure portal to complete their application and provide answers against the question set.

Independently Verified Audited Self-Assessment

IASME Cyber Assurance (Level 2)

You will need to have completed the IASME Cyber Assurance Level 1 certification before you can progress to the Level 2 audit.

IASME Cyber Assurance Level 2 involves an audit of the processes, procedures and controls required by the standard. The audit is independent and is conducted by an IASME Certification Body and its assessor.

A wide range of UK and International industry sectors now accept the Level 2 audited IASME Cyber Assurance certification as an alternative to other international standards.

The standard covers 13 themes across 5 areas of control (see the IASME Thirteen Themes diagram).

ISO 27001

ISO 27001 is the leading international standard for information security management. Over 44,000 organisations around the world use ISO 27001 to protect their data. The basic goal of the certification is to protect three properties of information:

  • CONFIDENTIALITY. Only authorised people can access the information
  • INTEGRITY. The information is accurate and complete, and only authorised people can change it
  • AVAILABILITY. The information is accessible to authorised people whenever it is needed

Do not treat ISO 27001 and Cyber Essentials as equivalent. They complement each other well and do not directly overlap. ISO 27001 focuses on process controls and policy positions, with some practical assessment; Cyber Essentials is the opposite, with the focus on practical assessment of technical controls and only some process and policy assessment.

Successful implementation of ISO 27001 requires careful planning and project management. Unlike the checklist style of Cyber Essentials, ISO 27001 is an interlocking framework of policies and processes, so you will need to create process documents and maintain mandatory records of risk assessments, training, internal audits and more.

Statius Management Services Ltd is a management consultancy company that we work closely with. Its aim is to implement ISO management systems alongside our technical deployments in a way that improves business efficiency and minimises disruption. Obtaining ISO 27001 means systematically and rigorously testing your information security processes against the reference controls in Annex A of the standard (114 controls in the 2013 edition, consolidated to 93 in the 2022 edition).