Passing Cyber Essentials for the first time is an achievement in and of itself. You’ve been able to explain that your business meets a baseline standard of cyber hygiene – and an external party agrees. However, security is a journey and while your compliance obligations may have been met, there’s much more you could do to ensure that your organisation is as secure as it could be.
The most obvious next step is to obtain Cyber Essentials Plus, which includes a technical assessment as well as the completion of the questionnaire from Cyber Essentials. Obtaining this will demonstrate a more robust approach to security to your partners and clients, as well as provide validation that your systems are, in fact, as secure as you say they are! You may decide to go a step further and certify against a more holistic security framework, such as ISO 27001, which focuses on the development, implementation and continual improvement of an information security management system (ISMS). ISO 27001 certification is generally more time- and resource-intensive than certification to Cyber Essentials; however, it functions as an excellent next step in improving your organisation’s security posture once you reach the maturity level needed to meet the Standard’s requirements. If you would like to learn more about how to achieve ISO 27001 certification, read our blog on 6 Must Do’s When Implementing ISO 27001.
Of course, not all security improvements lead to certification. While certification is useful for externally demonstrating a commitment to security, the fixed boundaries of such work are sometimes not as valuable as tailor-made engagements. It can be useful to work with a security consultancy to discuss your organisation and its concerns, and allow them to formulate a package of work to suit your business requirements. This could take the form of governance, risk and compliance (GRC) consultancy, which looks to improve policy and process, or technical assessments such as penetration tests, which identify vulnerabilities and security issues on your systems. A good security consultancy will seek to group different GRC and technical assessments together in order to provide full insight into your organisation’s security – and provide the best recommendations for improvement.
Security is a journey, and it can be useful to consider your long-term destination: do you want security to be your organisation’s USP? Do you want to do the minimum required to comply with your industry’s expected standards? Both approaches have benefits and drawbacks; however, these decisions are often made without a full understanding of their implications. A security consultancy can undertake work to assess your current security posture and desired future state, and identify the improvements which need to be made in order to reach your destination. Work like this can create a roadmap for your organisation – ensuring that your security posture ends up where you want it to be, as opposed to where it currently is.
If you would like to improve the security competencies and capabilities of your internal personnel, you should also consider hiring individuals with industry-recognised security qualifications, and/or upskilling your existing staff by sending them on training courses to obtain security qualifications such as the Certificate in Information Security Management Principles (CISMP) and the Practitioner’s Certificate in Information Risk Management (PCIRM). The CISMP is a foundation-level qualification which provides the skills and knowledge to manage information and cyber security and to address ever-evolving threats and changes in working practices, e.g. remote working. The PCIRM is a practitioner-level qualification which demonstrates that an individual possesses a hands-on understanding of information risk management. The PCIRM syllabus covers the identification of threats that could damage key assets and the assessment of vulnerabilities which could lead to those threats arising, as well as the controls and treatment options available to mitigate information security risks (among other things). As such, the presence of CISMP- and PCIRM-certified personnel within your organisation will help elevate its security posture, as they possess the skills and understanding needed to reduce the likelihood of security incidents occurring.
As you can see, there is no single right answer to the question that prompted this blog. If you’re currently deciding what your next step should be, URM is happy to offer 30 minutes of free consultancy to help you understand what’s right for you.
How URM can help
Whether your organisation is currently looking to achieve Cyber Essentials certification or has already certified and would like to further enhance its security posture, URM is ideally placed to offer advice and guidance to help you protect your organisation against security incidents. Leveraging nearly two decades of experience in the security sphere, URM’s large team of consultants can provide you with practical support that is appropriate and tailored to your organisation’s unique requirements. Our broad range of competencies includes assisting with and facilitating Cyber Essentials and Cyber Essentials Plus certification, providing penetration testing services, assisting organisations to achieve ISO 27001 certification, running accredited PCIRM training courses, and much more. As such, we are able to provide reliable and effective support, regardless of where you currently are in your cyber and information security journey.