How Well Are You Really Doing With Cyber Essentials?
Cyber Essentials is a scheme that helps organisations, large and small, take practical steps to prevent cyber crime. Certification can give customers the confidence to engage a supplier, widening the business opportunities open to that supplier in the markets it serves.
One popular option is to self-certify. I have heard criticism that, for some, this becomes a check-box exercise: they pay lip service to implementing and operating the controls on an ongoing basis, but use the badge to promote their business. In my opinion, to demonstrate that your organisation is serious about protecting its information assets and those of its customers, having the controls independently tested as part of certification by a recognised body (Cyber Essentials Plus) is a much better way to go.
As an applicant you must be able to provide the evidence that your organisation meets all of the requirements, so that your chosen certification body can award certification at the appropriate level. It is also important to look beyond the initial certification and think about how you will maintain the programme, both to manage future risk and to satisfy your customers and prospects that you continue to follow and enforce the practices Cyber Essentials mandates.
Depending on the size and nature of your organisation, this introduces varying degrees of complexity in coordinating the ongoing maintenance of compliance.
In practice this means that the control owners, typically the systems administrators responsible for individual technologies, have to carry out a number of activities regularly and ensure that the output of those activities is documented and recorded. These activities range from low-level compliance checks to documenting the policies and operating procedures needed to support the technology infrastructure securely.
Making sure that all of these activities are performed consistently and on time, and that the status of compliance is recorded, is generally the responsibility of the Security Officer or IT Manager. The larger the scope of the Cyber Essentials (CE) coverage, the more complex and onerous this becomes.
If your organisation is not keeping up with all of these activities on at least a monthly basis, you may still achieve certification when the annual re-certification rolls around, but have you truly been secure throughout the intervening twelve months? The certificate attests to the state of the controls at the point of assessment, not to how they were operated in between.
Today, specialised software is available to help ensure that the process of implementing and managing Cyber Essentials compliance runs smoothly and is effective.
Such software can schedule activities so that the tasks needed to maintain the low-level security controls happen when they are supposed to, remind control owners when activities have not been completed on time, and escalate where appropriate. It can also automate compliance checks and remediation tasks, reducing the scope for error and freeing skilled staff across the organisation from low-level repetitive work.
It can also provide the empirical data needed to measure overall compliance across the organisation, automating the tracking of compliance status and supporting a process of continual improvement.
By formalising the compliance process through software, your organisation is more likely to achieve its certification, to improve its security posture continuously, and to give prospects and customers confidence that good practice is being followed on an ongoing basis, increasing overall revenue potential.