A little over a year ago, our Head of Managed Services and resident security expert, Richard Slater, took on responsibility for Information Security and Cybersecurity for Ensono Digital. Last week, all of his hard work paid off when IASME notified us that the audit process was complete and Ensono Digital have been certified under NCSCs Cyber Essentials programme. Richard walks us through what Cyber Essentials means to Ensono Digital and some useful advice for anyone currently working through their audit.

‍

Following a conversation with our CTO Simon, we knew that we already had a lot in place for ISO 27001 and Cyber Essentials for Ensono Digital, we just needed someone to bring it all together and drive us through the audit. That someone was me.

What I didn't realise at the time was that I would need to draw on my years of experience to assimilate more than just the words on the page. It turns out it's not the wording of the two standards that differ from my experience; but also a new vocabulary, a new way to explain the technology, and why standards bodies created these standards.

I'm not entirely new to auditing as I have consulted within the insurance and financial services sectors for several years. However, particularly in financial services governance, risk management and compliance activities are critical elements in protecting the business and public interest.

Historically, I had someone working with me during audits helping me frame the conversation in the right way and keep the conversation on track. However, as I found out without a minder, it was pretty easy to throw auditors off by answering the question in overly technical terms. Whereas what I should be doing is focusing on the conversation. We found this particularly hard as we use many best-of-breed controls implemented by Microsoft 365 and Azure Active Directory, so our security posture is inherently technical. Therefore, to be effective, I need to understand the thinking behind the implementation and then explain how it meets the outcomes of the standards.

Standards are different

It helps to understand these two standards, how they are similar and how they are different:

• Cyber Essentials collects technical controls that form a minimal baseline for secure operation, protecting from 80% of cyber attacks. ISO 27001, on the other hand, is the specification for an Information Security Management System that seeks to protect from harm to confidentiality, integrity and availability of information.
• ISO 27001 was last updated in 2013. However, Cyber Essentials has changed at least annually, often more frequently.
• ISO 27001 is an international standard; Cyber Essentials is a UK Government driven initiative.
• Cyber Essentials is significantly more prescriptive than ISO 27001, with the latter leaving the organisation to establish its standard operating procedure.
• ISO 27001 audits are risk assessment-driven, whereas Cyber Essentials seeks to remove risk-based decision making from the auditing process.

‍

Furthermore, ISO 27001 is typically focused on larger organisations, whereas NCSC designed Cyber Essentials to cover the whole gamut of organisations between the one-person band to the multi-national organisation.

Prioritise company culture over certification

Going into an audit, you need to understand the context of why you want to attain and maintain certification. It's pretty standard for organisations to seek a badge. However, this is a fundamentally flawed approach.

When a company chases a badge, they can only expect to get a partial benefit from the standard. Companies will undoubtedly learn from the experience. However, it's unlikely to be embedded in the organisation, resulting in a short-lived value.

Ensono Digital didn't want to pursue a badge; the certification is an emergent property of adequate cybersecurity protection. As such, when we set out to achieve ISO 27001 and Cyber Essentials, we aimed to:

1. Protect the company from reputational damage incurred through information security breaches or cybersecurity incidents.
2. Protect the confidentiality, integrity and availability of information entrusted to Ensono Digital through practical risk management.
3. Protect the people, processes, and technology Ensono Digital relies upon to deliver a value stream through best-of-breed security technology.

For Ensono Digital having a solid cybersecurity posture enables us to bid for new contracts with confidence that we exceed our client's expectations.

What we learned along the way

As a learning organisation, passing or failing is secondary to learning from the experience. Here is what we discovered through the process:

1. Don't change your process to be compliant. Instead, document your method, then use the standard to improve it if necessary.
2. Embed cybersecurity and information security within the organisation; auditors will ask questions of anyone, so it's in your interests to ensure that everyone understands how the organisation protects information.
3. Document everything; auditors tend to want to see documented, reviewed and approved evidence of how you approach cybersecurity.
4. Improve continually; understand the Plan, Do, Check, Act cycle and apply it to your processes between audits. Aim for small iterative change rather than annual overhauls.
5. Automate everything; having a huge budget and headcount is one approach to governance, risk management and compliance - however, the effect on your bottom line is much harder to countenance. Instead, invest in automation, so improvements stack over time.

Everything is a process; 2021 marks the second year of Cyber Essentials for Ensono Digital and the first year of ISO 27001. We will recertify every year, and between audits, we will continue to use cloud-native technology services to automate and drive out efficiency, growth and innovation.

‍