Why Comply? Does your business need ISO27001


Transcript of Why Comply? Does your business need ISO27001

Page 1: Why Comply? Does your business need ISO27001

Why Comply? Does my business need ISO 27001

PGI Cyber e-book series

Page 2

CONTENTS

What is ISO 27001?

ISO be so lucky

Is it essential?

Cyber Essentials

Legal, Regulatory, Certification and Best Practice

Information Security

Answering the what, why and when

Risk Assessments

Level 2-3 Sheldon Square, Paddington, London, W2 6HY

CONTACT US

[email protected]

+44 (0) 207 887 2699

Page 3

INFORMATION SECURITY

Regulatory

The main information-security-centric standard is the Payment Card Industry Data Security Standard (PCI DSS), which any entity involved in the processing, storage or transmission of cardholder data (CHD) must comply with. This standard, as well as others relating to CHD, is administered by the PCI Security Standards Council (PCI SSC) and was created to reduce fraud involving CHD. Non-compliance with the PCI DSS can result in fines from the appropriate payment brand (MasterCard, Visa, American Express, JCB or Discover), in practice passed on to the merchant through its acquiring bank, or the ultimate penalty, which is that the payment brand prohibits you from taking card payments at all. There are also many other industry-specific regulations that must be adhered to if relevant to your organisation.

Legal

There are a few notable legal information security Acts that currently exist, such as the Data Protection Act 1998 (DPA), the Regulation of Investigatory Powers Act 2000 (RIPA), the Computer Misuse Act 1990 and the impending EU General Data Protection Regulation (EU GDPR), which applies from 25 May 2018. The primary Act that most organisations are aware of is the Data Protection Act 1998, comprising eight principles on how information must be used, updated, retained, secured and transferred. It also includes items such as Subject Access Requests and links into the Freedom of Information Act 2000, the Computer Misuse Act 1990 and the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.

Page 4

Certification

There are several different certifications that organisations can attain to evidence the security controls they have in place. These certifications provide assurance to current or potential customers, stakeholders or suppliers that appropriate cyber and information security controls have been implemented. These controls can assist in the prevention of cyber-attacks and, potentially, data breaches. Common certifications include Cyber Essentials and ISO 27001. Further information about these certifications is provided later in this document.

Best Practice

• CESG 10 Steps To Cyber Security – Developed by CESG, the information assurance arm of GCHQ (its functions now sit within the NCSC), in association with the Centre for the Protection of National Infrastructure (CPNI) and the Cabinet Office, this framework provides 10 key security steps which, according to the UK Government, organisations should adopt to protect themselves against the most common forms of cyber-attack.

• SANS CIS Critical Security Controls – A prioritised list of 20 technical security controls, maintained by the Center for Internet Security and mapped to the (American) NIST Cybersecurity Framework, which organisations can implement. They are mainly technology-centric and help protect an organisation from cyber-attacks.

• HMG Security Policy Framework – A specific and comprehensive set of requirements that an organisation must operate in accordance with, as defined by the UK Government in order to protect UK Government assets. Adherence to the Security Policy Framework (SPF) is mandatory for organisations that handle UK Government classified information.

Page 5

ISO 27001

ISO BE SO LUCKY

ISO 27001 is an internationally recognised information security management standard that describes best practice for an information security management system (ISMS). An ISMS is a framework that primarily consists of policies, procedures and other controls for the systematic management of an organisation's information assets and the risks to those assets. Annex A of the ISO 27001:2013 edition lists 114 controls across 14 areas, drawn from industry best practice; you are not expected to implement all of them blindly, but to select controls based on your own risk assessment and to justify each inclusion or exclusion in a Statement of Applicability.

ISO 27001 is often seen as a time-consuming, complicated and expensive certification to achieve, but this is not always the case. The standard and its supporting documents are designed to be applied to the specific context and operation of the organisation wishing to adopt it; knowing how to apply appropriate and proportionate controls to your specific organisation is therefore vital.

Page 6

CYBER ESSENTIALS

Cyber Essentials is an industry-supported UK Government scheme to assist organisations in protecting themselves against the most common forms of cyber attack. There are two flavours, Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials requires the organisation to complete a self-assessment questionnaire detailing the security controls it currently has in place across five areas: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management.

Cyber Essentials Plus requires the same questionnaire to be completed. However, there is an additional on-site element that requires evidence that the controls detailed in the questionnaire have actually been implemented.

Cyber Essentials Plus includes a penetration test of the web services provided by the organisation in addition to the Cyber Essentials requirements, and is intended to demonstrate security at the internet boundary.

Cyber Essentials is the minimum requirement mandated by HMG for businesses, including sub-contractors, bidding for certain government contracts, with the stated aim of making Britain a "safe place to work". Since 1 October 2014 it has been required for central government contracts that involve handling personal information or providing certain ICT products and services; it is not a blanket requirement for every central and local government procurement, so check the tender documents for the specific contract.

Page 7

RISK ASSESSMENTS

What?

Put simply, a risk assessment is an evaluation of an asset to identify the likelihood, and the effect, of its compromise, disclosure or unavailability. There are several different methodologies and tools available that can assist an organisation in completing risk assessments; however, these are not out-of-the-box solutions. They still require an element of configuration, asset identification, data entry and ongoing maintenance.

Why?

The question here should really be: why wouldn't I complete a risk assessment? In a perfect world the answer would be "never". Risk assessments provide an organisation with an informed understanding of its assets and the risks associated with them, which is what allows controls to be chosen in proportion to those risks rather than by guesswork.

When?

Risk assessments should be completed at least annually, or whenever it is proposed that any aspect of the security of the asset is to be changed, e.g. outsourcing, an infrastructure change or a change to service provision. This ensures that risks are identified at the earliest opportunity and appropriately managed.
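A minimal worked example of the what, why and when above, added here and not taken from the e-book or from any PGI tooling: a small Python risk register that scores each asset and threat pair by likelihood and impact, ranks the results against an assumed risk appetite, and flags assets due for reassessment because a year has passed or a change has been proposed. The 5x5 scales, the rating thresholds, the "medium" appetite and the sample register are all assumptions made for illustration; ISO 27005 leaves the choice of scales to the organisation.

```python
"""Minimal qualitative risk register (added example, not from the e-book).

Scores asset/threat pairs, ranks them, and decides when an asset is due for
reassessment. Scales, thresholds and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed 5x5 qualitative scales; an organisation picks its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The page's three outcomes mapped to the security property each one affects.
OUTCOMES = {"disclosure": "confidentiality", "compromise": "integrity",
            "unavailability": "availability"}


@dataclass
class Risk:
    asset: str
    threat: str
    outcome: str      # key of OUTCOMES
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT

    def score(self) -> int:
        """Likelihood x impact on the assumed scales (1..25)."""
        if self.outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {self.outcome!r}")
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Bucket a score into low/medium/high; thresholds are assumed."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Asset:
    name: str
    owner: str
    last_assessed: date
    pending_change: Optional[str] = None   # e.g. a proposed outsourcing


def reassessment_due(asset: Asset, today: date,
                     max_age: timedelta = timedelta(days=365)) -> Optional[str]:
    """Return why the asset must be reassessed now, or None.
    Implements the page's two triggers: a proposed change, or the annual cycle."""
    if asset.pending_change:
        return f"change proposed: {asset.pending_change}"
    if today - asset.last_assessed >= max_age:
        return f"annual review overdue (last assessed {asset.last_assessed.isoformat()})"
    return None


def prioritise(risks: List[Risk]) -> List[Tuple[Risk, int, str]]:
    """(risk, score, rating) tuples, highest score first, ties broken by asset name."""
    scored = [(r, r.score(), rating(r.score())) for r in risks]
    return sorted(scored, key=lambda t: (-t[1], t[0].asset))


def treatment_needed(risks: List[Risk], appetite: str = "medium") -> List[Tuple[Risk, int, str]]:
    """Risks rated above the appetite need a treatment decision (reduce, transfer, avoid)."""
    order = ["low", "medium", "high"]
    limit = order.index(appetite)
    return [t for t in prioritise(risks) if order.index(t[2]) > limit]


# Constructed sample register for the example; not real assets or findings.
TODAY = date(2017, 3, 1)
ASSETS = [
    Asset("card payment gateway", "finance", date(2016, 3, 1)),
    Asset("HR database", "people", date(2017, 1, 10), pending_change="outsourcing hosting to an MSP"),
    Asset("marketing website", "comms", date(2017, 2, 20)),
]
RISKS = [
    Risk("card payment gateway", "web application exploitation", "disclosure", "possible", "severe"),
    Risk("card payment gateway", "DDoS", "unavailability", "likely", "moderate"),
    Risk("HR database", "insider misuse", "disclosure", "unlikely", "major"),
    Risk("marketing website", "defacement", "compromise", "possible", "minor"),
]

if __name__ == "__main__":
    for r, s, rt in prioritise(RISKS):
        print(f"{rt:6} {s:2}  {r.asset}: {r.threat} -> {OUTCOMES[r.outcome]}")
    for a in ASSETS:
        why = reassessment_due(a, TODAY)
        if why:
            print(f"REASSESS {a.name} ({a.owner}): {why}")
```

Run as a script it prints the ranked register and the two assets that need looking at again: the payment gateway because its last assessment is a year old, and the HR database because a hosting change has been proposed, which is exactly the "when" trigger the page describes.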

Page 8

Want more information?

+44 (0) 207 887 2699

clientservices@pgitl.com