In today’s world, businesses are at a rising risk of cyber attacks. This poses a significant risk to your operations, finances and customers.
It’s therefore crucial to protect your business. However, it’s even more important to focus on security projects that drive value and reduce risk the most.
Fortunately, there are a number of well-established cyber security frameworks designed to cover businesses and comply with regulations that protect customer data.
We explore each of these frameworks in more detail, including how they can be applied to your business.
Three types of cyber security framework
Before we delve into the frameworks, let’s first explore the types of frameworks available.
Cyber security frameworks will typically fall into one of three types:
- Control frameworks: These serve as the foundation for security programs. They consist of specific controls and processes designed to protect against threats. They also provide guidelines for implementing security measures, such as access controls, encryption and monitoring.
- Program frameworks: These focus on operational aspects and governance across an organisation’s security measures. They ensure consistent implementation of controls and alignment with business goals.
- Risk frameworks: These help businesses when assessing threats, vulnerabilities and potential impacts on business assets. They help organisations prioritise security efforts based on the level of risk exposure.
In this blog, we will focus on control frameworks, as they are essential to mitigating risks and ensuring compliance across your business.
The top three cyber security control frameworks
There are three well-known cyber security control frameworks that businesses typically utilise. These include:
- Cyber Essentials: a UK government-backed scheme designed to help organizations protect against common cyber threats
- CIS Critical Security Controls: a globally recognised set of best practices for cyber security
- ISO 27001: The world’s best-known standard for Information Security Management Systems (ISMS)
A full overview of each can be viewed below:
Next, let’s dive a little more into each framework’s compliance requirements.
The Cyber Essentials scheme
The simplest framework to achieve in your business is likely Cyber Essentials. This framework protects data and programs on networks, computers, servers and other elements of IT infrastructure.
Cyber Essentials is a self-assessment option that assures protection against a wide variety of the most common cyber attacks.
An initial audit will help ascertain whether the organisation has the necessary measures in place to defend itself against the most common forms of cyber attacks.
It also covers Cyber Essentials Plus. This involves an external vulnerability scan. A certification body will visit the organisation and perform a test that is in line with the Cyber Essentials requirements. In addition to mitigation against phishing and most types of hacking, UK Cyber Essentials is a partial means of supporting the ISO 27001 certification.
Attaining certification in either Cyber Essentials or Cyber Essentials Plus (for advanced compliance) requires that five key controls are implemented:
- Secure internet connection
- Secure devices and software
- Controlled access to data and services
- Protection from viruses and other malware
- Up-to-date devices and software
CIS Critical Security Controls
The CIS Critical Security Controls framework encompasses all the elements of Cyber Essentials, plus a prescriptive, prioritised set of cybersecurity best practices and defensive actions. These can help prevent the most pervasive and dangerous attacks, and support compliance in a multi-framework era.
Actionable best practices for cyber defence are formulated by a group of IT experts, using the information gathered from actual attacks and their effective defences.
The CIS controls provide specific guidance and a clear pathway for organisations to achieve the goals and objectives described by multiple legal, regulatory and policy frameworks.
These are the pillars of the CIS framework:
There are some questions to consider to ensure you abide by the framework:
- Do we know what is connected to our systems and networks?
- Do we know what software is running (or trying to run) on our systems and networks?
- Are we continuously managing our systems using “known good” configurations?
- Are we continuously looking for and managing “known bad” software?
- Do we minimise risk by tracking the people who can bypass, change, or over-ride our security defences?
- Are our people aware of the most common threats to our business or mission, and what they can do about them?
ISO 27001
ISO 27001 provides requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO 27000 family. It’s best-practice approach helps organisations manage their information security by addressing people, processes and technology.
Software development companies, cloud companies and IT support companies will implement ISO 27001 to assure clients that they can certifiably safeguard their information in the best possible way.
The basic goal of ISO 27001 is to protect three aspects of information:
- Confidentiality: only the authorised persons have the right to access information
- Integrity: only the authorised persons can change the information
- Availability: the information must be accessible to authorised persons whenever it is needed
Because ISO 27001 certification demonstrates robust security practices, certified organisations often find that their client relationships and retention is improved by this investment.
In addition to improving how an organisation is perceived by clients, suppliers and other stakeholders, ISO 27001 certification benefits an organisation’s internal systems, structure and daily processes.
In summary, it provides a clear framework that addresses information security risks, management processes and key operational elements. This includes how IT systems must be kept up-to-date, anti-virus protection, data storage and back-ups, IT change management and event logging.
Where to get cyber security guidance
There are plenty of options out there to get cyber security guidance for your business. The National Cyber Security Centre provides guidance on how organisations can work to protect their information and systems.
And if you want hands-on guidance, we can help. We’re a leadingcyber security company with clients in many industries – including finance, retail, care and professional services. We give organisations access to strategic and vetted advice, with expertise across cyber security and compliance frameworks.
Our IT consultants provide diverse cyber security consultancy, covering GDPR audits, IT security strategy, business IT solutions, disaster recovery and backup solutions. We’re also experienced with the Cyber Essentials Certification.
