Obtaining industry certifications like Cyber Essentials, ISO27001 or SOC 2 (Type 2) can bring significant benefits to an organisation, but which one(s) should organisations aspire to comply with.
Selecting the right standard
Choosing between Cyber Essentials, ISO27001, and SOC 2 (Type 2) depends on your organisation's specific needs, goals, and context. Here's a high-level breakdown to help inform your decision making.
Cyber Essentials:
Best Fit: Small businesses or organisations with basic IT infrastructure and data handling.
Focus: Implementing five essential controls to mitigate common cyber threats, like firewalls, access control, and malware protection. Often referred to as a "Bottom-Up Technical" Standard.
Benefits: Relatively quick and affordable certification, demonstrates basic cyber security hygiene, improves internal security awareness.
Limitations: Not as comprehensive as ISO27001 or SOC 2. Also, unless seeking Cyber Essentials Plus, doesn't offer independent verification.
ISO27001:
Best Fit: Organisations needing a comprehensive information security management system (ISMS) and international recognition.
Focus: Establishing, implementing, and maintaining an ISMS across all information assets, addressing risk management, incident response, and continuous improvement. Often referred to as a "Top-Down Risk Based" standard.
Benefits: Highly recognised global standard, independent verification of security framework, enhanced trust and reputation, potential cost savings from proactive security.
Limitations: Time-consuming and expensive option, requires ongoing maintenance and commitment, complexity may overwhelm smaller organisations. Requires buy-in from all business stakeholders within the scope of the ISMS, not just security/IT Teams.
SOC 2 Type 2:
Ideal for: Service providers (particularly cloud and data processing) needing to demonstrate security and trust to customers.
Focus: Reporting on the effectiveness of controls relevant to specific security practices (e.g., data security, availability, etc.) based on agreed-upon procedures (AUPs) with an auditor.
Benefits: Tailored security assessment for service providers, independent verification of specific security practices, builds trust with potential customers, enhances brand reputation.
Limitations: Not a broad-spectrum standard like ISO27001, only reports on agreed-upon controls, not widely recognised outside tech industry.
When deciding on which certification to obtain, there are some factors to consider:
Industry/Customer Requirements: Certain industries might have specific compliance requirements that influence your choice, or you may have customers that require specific certifications as part of their third-party due diligence work. Consult with your sales and legal teams to identify those requirements.
Budget and resources: Implementing and maintaining each certification requires effort and investment. You will need to agree who will fund this. In reality this should be seen as a business cost, not just a security/IT cost.
Organisational maturity: Choose a standard that aligns with your current security posture, making it feasible, and future goals, supporting your business strategy.
So which one should you go for, it really depends on scale, maturity and desired outcomes:
Starting small: Consider Cyber Essentials Plus as a foundational step before aiming for more complex certifications. Achieving this may give your customers increased confidence, and will help demonstrate security hygiene.
Mature business: ISO27001 is ideal for building a comprehensive security framework and enhancing your overall posture. Being a risk-based standard this may also be preferable for large organisations that may struggle with technical debt, or require flexibility that technical standards may not support.
Demonstrating specific security practices: For service providers, SOC 2 Type 2 offers industry-specific validation of relevant security controls. It should be noted there is a substantial overlap between ISO27001 and SOC 2 - and organisations often achieve both.
You've picked your standard, now should you get certified?
Whether simple alignment with the standard or formal certification offers more value depends on a number of points. If it is demanded of you through regulation, customer requirements or contract, then your decision is made for you.
Benefits of Alignment:
Increased awareness: Simply aligning with the standards raises awareness of cyber security best practices among employees, leading to a more secure culture.
Improved processes: Implementing the controls and procedures outlined in the standards strengthens internal processes and risk management.
Potential cost savings: Proactive security measures can help prevent cyber attacks, saving on incident response costs and potential reputational damage.
Demonstrated commitment: Aligning with recognised standards showcases your commitment to cyber security to stakeholders, including customers, partners, and investors.
Benefits of Formal Certification:
Independent verification: Certification by an accredited body provides independent validation of your compliance with the standards, adding credibility and trust.
Enhanced reputation: A formal certification demonstrates a higher level of commitment to cyber security, enhancing your reputation with clients, partners, and regulatory bodies.
Competitive advantage: Certification can give you a competitive edge when bidding for contracts, particularly those with strict security requirements.
Reduced insurance premiums: Some insurers offer lower premiums for certified organisations, reflecting the reduced risk profile.
While alignment does offer valuable benefits, formal certification takes it a step further by providing:
Tangible proof: A certificate serves as a tangible symbol of your compliance, simplifying communication and building trust with stakeholders.
Regular assessments: Maintaining certification requires regular audits and assessments, ensuring continuous improvement of your security posture.
Access to communities: Certified organisations often have access to exclusive communities and resources, fostering collaboration and knowledge sharing.
Choosing the Right Approach
The decision of whether to align or certify depends on your organisation's specific context and risk profile.
Minimum requirements: Some industries or contracts may mandate certification.
Security maturity: Alignment might be a good starting point before pursuing certification, ensuring a manageable approach to increasing maturity, and allowing time for improvements to embed across the business.
Budget and resources: Certification involves additional costs and ongoing maintenance efforts.
Ultimately, both alignment and certification can significantly improve your organisation's cyber security posture. Weigh the benefits of each approach and choose the one that best aligns with your goals and resources.