GDPR, Cyber Essentials, IASME and ISO 27001

Over the last few months Blue Saffron have had many customer requests about the difference between GDPR, Cyber Essentials, the IASME standard and ISO 27001. How do they relate to each other, are they the same thing, and do they affect everyone? This post should help you understand the differences between the four (one regulation and three certification schemes) and which ones might best fit your organisation.

GDPR

The General Data Protection Regulation (GDPR) was approved by the European Parliament on 14 April 2016 and applies from 25 May 2018. Companies that are not compliant face heavy fines: up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher.

The GDPR replaces the older Data Protection Directive 95/46/EC and was designed to harmonise data privacy law across all EU member states and to put the privacy of individuals first. Although the GDPR is EU law, it also applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, so its impact is potentially global. The UK has also confirmed that it will implement the GDPR, which means that all UK businesses need to abide by the same regulations.

Some of the key points that make understanding GDPR important are:

- It applies to all organisations that process personal data and operate within the EU and UK.
- Personal data is any information that can be used to identify an individual, directly or indirectly, including factors such as physical, physiological, genetic, mental, economic, cultural or social identity.
- Where consent is relied on as the basis for processing, companies must be able to demonstrate that valid consent was given.
- GDPR requires public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, to appoint a data protection officer (DPO). Even where a DPO is not mandatory, every company should have someone responsible for data protection who understands the associated risks.
- Data protection impact assessments (DPIAs, often still referred to as privacy impact assessments or PIAs) are mandatory for processing likely to result in a high risk to individuals.
- Personal data breaches must be notified to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals; affected individuals must also be informed where the risk to them is high.
- The GDPR introduces the right to be forgotten (the right to erasure).
- The GDPR requires data protection by design and by default.

Cyber Essentials

Cyber Essentials is a UK government scheme which helps organisations implement a basic level of protection against cyber attacks, and demonstrates to customers and suppliers alike that they take cyber security seriously. It comes in two flavours: the standard (basic) version, which is a self-assessment questionnaire, and Cyber Essentials Plus, which combines the self-assessment with an on-site audit by an independent assessor, including vulnerability testing. At the time of writing (21/09/2017) there are five accreditation bodies that train and license assessors.

Cyber Essentials has five basic controls, chosen because, when properly implemented, they protect against the most common internet-based attacks. The five controls are:

- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management

Additionally, if you want to bid for certain central government or MOD contracts, Cyber Essentials is a minimum requirement. You can download the Cyber Essentials requirements here. You can also download the self-assessment questions from IASME here.

Will Cyber Essentials certification make me GDPR compliant? No, but it is a great first step. GDPR requires more than basic technical controls, but certification can help mitigate ICO fines if a company suffers a breach, because it demonstrates that recognised technical measures were in place. The Cyber Essentials scheme is like any other business certification scheme in delivering good processes and best practice. The five technical pillars are not difficult and represent the very basics every business should be addressing as a minimum. Cyber Essentials is a government-backed certification scheme which the UK government estimates would prevent around 80% of common internet-based attacks.
The fact that it is an embedded prerequisite in many government and MOD contracts, and is often required throughout the supply chain, is a strong endorsement of the scheme's effectiveness in protecting sensitive and valuable data. It is also worth noting that Cyber Essentials is still required in many public sector contracts even if a company already holds the information security management standard ISO 27001.

IASME Standard

Information Assurance for Small and Medium Enterprises (IASME) was developed over several years to give small and medium-sized businesses an achievable standard for securing their data. The standard is based on ISO 27001 but tailored to the resources of a small business. Like Cyber Essentials, IASME certification demonstrates to customers and suppliers that their information is being protected. When assessed through an IASME certification body, the IASME standard is certified alongside Cyber Essentials, although it is a separate certification in its own right.

The IASME standard comes in two flavours, like Cyber Essentials: the standard level, which is a self-assessment, and the Gold level, which requires an on-site audit. The IASME Governance self-assessment includes the Cyber Essentials assessment within it. You can download a copy of the IASME standard here.

Will IASME certification make me GDPR compliant? No, but it does offer support in getting your business GDPR ready.

ISO 27001

ISO 27001 is the international standard for the management of information security. At the time of writing the current version is ISO 27001:2013. The standard covers the interaction of security with all aspects of a business, and provides a model for establishing, implementing, operating, monitoring, reviewing and improving an information security management system (ISMS) in a structured and well-defined way.
ISO 27001:2013 defines the requirements for the Information Security Management System itself, and its Annex A sets out the following control domains:

- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance

Achieving ISO 27001 is no mean feat, and depending on the size of your company it can take a fair degree of effort to become certified.

Will ISO 27001 certification make me GDPR compliant? It depends. In addition to the adopted technical controls, structured documentation, monitoring and continuous improvement, implementing ISO 27001 promotes a culture of security awareness in organisations. Employees are more aware and better equipped to detect and report security incidents. Information security is not only about technology; it is also about people and processes.

ISO 27001 is an excellent framework for compliance with the EU GDPR. An organisation that has already implemented the standard is a substantial part of the way towards protecting personal data and minimising the risk of a leak, the financial and reputational impact of which could be catastrophic. The first thing such an organisation should do is conduct an EU GDPR gap analysis to determine what remains to be done to meet the GDPR requirements; those requirements can then be added through the ISMS already established under ISO 27001.

Summary

All companies must comply with GDPR by 25 May 2018. If you are serious about ensuring that your business data is protected and you want to improve your business reputation, you should look towards becoming Cyber Essentials and IASME certified.
If you are a company with more than 20 staff or so, we would also recommend that you look at obtaining Cyber Essentials Plus and possibly IASME Gold. This will help your reputation and show your customers and suppliers that you take the protection of information seriously. Larger companies typically look at obtaining ISO 27001.

Looking for Cyber Essentials and IASME guidance?

If you are looking to become Cyber Essentials and/or IASME certified, Blue Saffron can help you on the road towards certification.