Cyber security compliance – why you should treat it as a journey rather than a one-off goal
Where the cyber security compliance journey starts
Many companies seek out our services as a matter of urgency because they need to achieve compliance with a relevant cyber security standard, such as Cyber Essentials certification, PCI DSS compliance or ISO 27001. This is mainly to enable them to pitch for a contract or work with a certain client.
There’s nothing wrong with this, and we always do everything we can to help meet these needs, but our experience suggests clients have a much less stressful, much more secure and much more cost-effective experience when they treat cyber security compliance as an ongoing journey.
To explain this further, let’s take a simple certification like Cyber Essentials, a baseline security standard often mandated for government or MOD contracts. As a Certification Body we are approached initially because an organisation needs the certification to bid on a particular tender or contract. It is a self-assessment questionnaire with 34 questions around 5 control areas. Some companies see this merely as a box-ticking exercise, but in reality these controls, when implemented correctly, can help protect businesses against 80% of the most common internet threats.
Making certification meaningful… and useful
When reviewing Cyber Essentials questionnaires there are often areas where we will seek further clarity to ensure the control has been properly implemented. As a Cyber Essentials Certification Body we want to ensure that the certification is meaningful both to the organisation achieving it and to the organisation relying on it having been implemented correctly.
Organisations that implement these controls as they are intended, and take ownership of the process by making it part of ‘business as usual’, will find the certification process simple. They will have the reassurance that they have implemented a baseline of cyber security, and that they are reducing the potential for costly and stressful cyber breaches.
Cyber security compliance – business as usual
Payment Card Industry (PCI) compliance should always be incorporated as part of business as usual. It would be unwise to consider it a one-off annual assessment. Card breaches are costly to both reputation and a company’s profit and loss account, so protecting sensitive card data should be of major importance to organisations taking credit card payments. Only ensuring the controls are in place at the time of the assessment would be a high-risk approach for businesses to take.
Similarly ISO 27001, the international standard for information security, actively expects you to continually review and assess your information security risks, putting processes and controls in place to manage them. The scope of the standard needs to be meaningful, and integrating the standard into business activities is what makes it a useful tool. The annual audit will look for evidence of this activity throughout the year. It is considerably easier to incorporate this into your business practices than to try to recreate the required documentation at the end of the year!
Use compliance to incorporate best practice
The different routes to the various cyber security certifications and compliance regimes are therefore an important and useful business tool against current cyber threats when they are treated as an ongoing journey and constantly reviewed. Compliance incorporates best practice into an organisation, and provides a meaningful journey that becomes part of normal business operations. Importantly, it gives the board reassurance that the company is taking continual steps to protect itself, whilst demonstrating externally that it is a trustworthy partner.