Over the last few months I have been getting more and more people asking me what the difference is between GDPR, Cyber Essentials, the IASME standard and ISO 27001. How do they relate to each other, are they the same, do they affect everyone, and so the questions go on.
I'm hoping that this post will help people understand the differences between these four (one regulation and three certification schemes), and which of them are best suited to your business.
The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14th April 2016 and applies from 25th May 2018. Companies that are not compliant with GDPR from that date can face heavy fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher).
The GDPR replaces the older Data Protection Directive 95/46/EC. It was designed to harmonise data protection law across all EU member states and to put the privacy of individuals in the EU first.
Although the GDPR is an EU regulation, it also applies to companies outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, so its impact is potentially global. The UK has also recently stated that it will implement the GDPR, which means that all UK businesses need to abide by the same rules.
Some of the key points that make understanding GDPR important are:
- It applies to all companies that operate within the EU and the UK, and to any company elsewhere that processes the personal data of individuals in the EU.
- Any data that can be used to identify an individual is personal data. This includes information such as genetic, mental, cultural, economic or social details about a person.
- Where a company relies on consent to use personal information, it must be able to demonstrate that valid consent was given.
- GDPR requires public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, to appoint a data protection officer (DPO). Even where it is not mandatory, every company should have someone named as responsible for data protection who understands the risks involved.
- Companies must carry out data protection impact assessments (DPIAs, also called privacy impact assessments) before any processing that is likely to be high risk to individuals.
- Companies must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must also tell the affected individuals where the risk to them is high.
- The GDPR introduces the right to be forgotten.
- GDPR requires privacy by design.
Cyber Essentials is a UK government scheme which aims to get all businesses into a state where they manage their IT security to a defined baseline. It helps organisations implement basic protection against cyber-attacks and demonstrates to their customers and suppliers that they take cyber security seriously.
Cyber Essentials comes in two flavours: the standard version, which is a self-assessment, and the Plus version, which requires the same self-assessment plus an independent technical audit in which the assessor performs vulnerability scanning and on-site testing to check that the controls are actually in place.
Cyber Essentials has five basic controls, chosen because, when properly implemented, they protect against the majority of unskilled internet-based attacks using commodity tools. The five controls are:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
Additionally, if you want to bid for certain central government or MOD contracts (those involving the handling of personal information or the supply of certain ICT products and services), Cyber Essentials is the minimum standard you must hold.
You can download the Cyber Essentials requirements from here: https://www.gov.uk/government/publications/cyber-essentials-scheme-overview
You can also download the self-assessment questions from IASME here: https://www.iasme.co.uk/the-iasme-standard/free-download-of-iasme-standard/
The Information Assurance for Small and Medium Enterprises (IASME) standard was developed over several years to help small businesses secure their data as well as they reasonably can. Its goal is to provide a cyber security standard for small and medium businesses: it is based on ISO 27001, but tailored to what a small business can realistically implement.
Like Cyber Essentials, the IASME standard demonstrates to customers and suppliers that their information is being protected.
The IASME assessment is done alongside the Cyber Essentials certification (when you go through an IASME certification body), so the two are usually obtained together. Like Cyber Essentials, the IASME standard comes in two flavours: the standard version, which is a self-assessment, and the Gold standard, which requires an on-site audit.
You can download a copy of the IASME standard here: https://www.iasme.co.uk/the-iasme-standard/
ISO 27001 is the international standard for the management of information security. The current version when this was written was ISO 27001:2013; a revised edition, ISO/IEC 27001:2022, has since been published. The standard covers the whole organisation and how it handles security: it specifies the requirements for an information security management system (ISMS) and provides a model for establishing, implementing, operating, monitoring, reviewing and improving that ISMS in a structured and well-defined way.
ISO 27001:2013 specifies the requirements for the ISMS itself and, in its Annex A, groups the security controls into the following domains:
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
Achieving ISO 27001 is no mean feat, and depending on the size of your company it can take a considerable time to become certified. However, there are plenty of consultancies out there that will help you through the process.
Summing it all up
So, there you have it: sooner or later every company must comply with GDPR in one way or another. If you are serious about protecting your business data and want to improve your business reputation, you should look at becoming Cyber Essentials and IASME certified.
If your company has more than about 20 staff, I'd also recommend looking at obtaining Cyber Essentials Plus and IASME Gold; the independent audit adds credibility and shows your customers and suppliers that you take the protection of information seriously.
If you are a large company, you should look at obtaining ISO 27001:2013 (or a newer edition once it is published), to demonstrate that you manage information security properly.
Looking for Cyber Essentials and / or IASME?
If you are looking to become Cyber Essentials and/or IASME certified, TeraByte are a certification body which can help you obtain your certification with ease. Pop on over to their site at: https://terabyteit.co.uk and ensure your business is secure today.