The most popular cyber security standards explained

If you are looking to protect your business from cyber-attacks and demonstrate compliance with the main standards and legislation, it’s not as complex as you might think.

You can get started with straightforward measures that will be able to prevent most basic attacks. They’ll not only be good for your information security, they’ll also send a reassuring message to your customers.

This article covers some of the most popular cyber and information security standards, certificates and regulations. We consider them to be the building blocks to improve your cyber resilience and compliance.

Cyber Essentials Scheme

What? Backed by HM Government, Cyber Essentials sets out an organisational security standard that, if applied appropriately, will protect businesses from the majority of low-level, basic cyber threats. It is a starting point in cyber security: there are various routes to certification and the process is largely questionnaire-based.

Why? It’s not just the big organisations that are targeted by cyber criminals. If you are a business and online, you are a target too. If you are a supplier to the government or the MOD, in most cases it’s mandatory. Obtaining Cyber Essentials will reassure your customers that you take cyber security seriously and you’ll get valuable certification too.

Find out more here.

The IASME Governance Standard

What? The IASME (Information Assurance for Small and Medium Enterprises) Governance Standard was developed for smaller businesses and goes a step further than the Cyber Essentials Scheme. Risk-based, it’s a highly credible security management standard and also includes a mandatory assessment against GDPR requirements.

Why? IASME allows you to demonstrate a more rigorous approach to cyber security – something that may help you to participate in a government supply chain. Smaller companies are widely regarded as the weaker link in information security, so holding IASME may set you apart from your competition.

Find out more here.

ISO 27001

What? ISO 27001 is an information risk management standard designed to provide guidance in the selection of adequate and proportionate controls to protect information. It also sets out the objectives of information security management and defines the information security policies, processes and standards to be adopted by a business.

Why? As well as providing businesses with an appropriate level of information security protection, ISO 27001 certification provides third parties and customers with confidence that the information they share with you will be protected. It’s also an internationally recognised standard.

Find out more here.

Cloud Controls Matrix (CCM)

What? Designed for cloud vendors, the CCM offers a controls framework to give businesses a detailed understanding of cloud-related security concepts. The framework covers three areas – cloud architecture, governing in the cloud and operating in the cloud. It’s aligned with other industry-accepted security standards including ISO 27001.

Why? Cloud vendors’ reputations and business viability rely on offering a secure service. The CCM provides the needed structure, detail and clarity relating to information security tailored to the cloud industry and allows you to strengthen information security control environments.

Find out more here.

ISO 22301

What? ISO 22301 is the international standard for business continuity management. It was developed to help you prepare for and minimise the impact of disruptions which are often totally outside your control. It will help you identify your critical assets and put in place processes and plans to ensure those assets are available in the event of an incident.

Why? Continued operation during business disruption is a fundamental requirement for any organisation. ISO 22301 will not only help your organisation recover from a potentially major incident, it will also protect your reputation and revenue and assure customers that you have the necessary measures in place.

Find out more here.

PCI DSS

What? The Payment Card Industry Data Security Standard (PCI DSS) is designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. The PCI DSS applies to any organisation, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

Why? Customers expect that when they make a payment to your organisation, their details will remain safe and secure. Being compliant with PCI DSS shows that you are doing your best to achieve this. What’s more, if you suffer a data breach and you are not PCI DSS compliant you risk fines and the damaging loss of customer trust.

Find out more here.

Minimum Cyber Security Standard

What? Issued by the Cabinet Office in collaboration with the National Cyber Security Centre (NCSC), this is a new minimum set of cyber security standards that government expects its departments, agencies and suppliers to adhere to and exceed wherever possible.

Why? It covers five categories (identify, protect, detect, respond and recover) and is a useful framework on which organisations can base their cyber security strategy. The measures covered in the standard will grow over time to address new threats and vulnerabilities, so that those who follow it remain secure and compliant.

Find out more here.

How to identify the risks in your organisation

Identifying where the risks lie in your organisation is a good basis for choosing the security standards most appropriate to your needs. Ascentor’s free online risk assessment is a high-level look at your main business risks. We’ll send you a free report on where you need to focus your improvement efforts.

Find out more here.

Alternatively, you can gain a specialist review of your organisation with a critique of your cyber risk management arrangements. Our information risk health check includes clear demonstrable priorities for improvement and recommendations for action.

Find out more here.

Case study

Discover how Ascentor helped smart voice services provider Resilient assess their risk and invest in a programme of cyber security improvement and certification. They started with Cyber Essentials, then IASME (Information Assurance for Small and Medium Enterprises) and finally ISO 27001.

Find out more here.

The 10 steps to cyber security – NCSC

You may also benefit from reading the NCSC’s guidance on how organisations can protect themselves in cyberspace, including the 10 steps to cyber security.

It contains an introduction to cyber security for executive and board-level staff. You can find out more here.

A higher level of cyber security – cyber security programme

Where a higher level of cyber security is required – typically in situations where the consequences of a data breach could be severe – Ascentor uses well-established cyber risk management principles guided by widely accepted best practice.

Four internationally recognised and respected framework resources inform and guide our work: the US National Institute of Standards and Technology (NIST) Cybersecurity Framework; ISO 27001; the Center for Internet Security (CIS) Top 20 Critical Security Controls; and the Cybersecurity Capability Maturity Model (C2M2).

Find out more here.

Written by

Dave James

Start Your Cyber Security Journey

Get in touch with our cyber security experts at Ascentor to discuss how we can support your security requirements.

