Managing cyber security
Every organisation needs effective cyber security. This means:
Having clear company policies about cyber security.
Selecting the right security controls for you.
Making sure that your selected controls actually work.
Find out more about security policies.
Selecting the right security controls can be difficult. Security controls can:
Already be there (eg as standard features of your chosen software).
Be added to meet your security policies.
Be added as good practice.
Be added just because you think you need them.
For example, the UK Government’s Cyber Essentials scheme recommends a series of controls in five key areas (firewalls, secure configuration, user access control, malware protection and security update management) to give you basic technical cyber protection. You may well choose to implement these controls as a matter of policy.
However, it is very unlikely that a set of controls chosen from checklists is going to be exactly right for you. The only way to be sure that you do have the right cyber controls for your business is to carry out a cyber risk assessment.
Find out more about risk assessment.
Risks change over time, as may the effectiveness of your controls. Having selected and implemented a set of cyber controls, you need to check regularly that they still meet your security needs. To do this, you will need a cyber security management system.
Such a management system can be formal or informal. It can be very simple, perhaps just a once-a-year management review. However, many companies, including SMEs, choose to implement formal cyber security management systems compliant with ISO/IEC 27001.
Your management system may give you confidence that you have effective cyber security, but convincing your customers might be a different matter. They might want additional assurance.
Find out more about obtaining independent certification that your business is adequately cyber-secure.
How standards can help
The International Standard BS ISO/IEC 27001, Information security management systems – Requirements is recognised worldwide. It is designed to meet the needs of users, consultants, auditors and certifiers. BSI publishes an Introduction to ISO 27001:2013, which provides a straightforward guide to implementation and is aimed at businesses of all sizes.