I am really pleased to announce that Barry Horne Training has been awarded the Cyber Essentials and IASME Information Security Standard Certificates of Assurance.
Working toward the award is the reason my website and blog have been rather quiet of late – but that will change now!
At a recent networking event at The Hive, organised by Barclays Bank and Weston-super-Mare Chamber of Commerce, I heard how local Micro/SMEs were becoming more aware of and concerned about cyber threats to their businesses.
A presentation by the South West Regional Cyber Crime Unit brought home to the attendees the seriousness of cyber security threats to small business. The speaker mentioned the Cyber Essentials scheme in that presentation.
This was timely as I was going through the Cyber Essentials assessment process at the time and could speak about my experience.
Symantec reported that more than half of all spear phishing attacks in 2015 were aimed at SMEs. The Cyber Essentials scheme represents an excellent route to good cyber security for the small business.
So What Is The Cyber Essentials Scheme?
The scheme aims to help organisations implement basic levels of protection against cyber attack, demonstrating to their customers that they take cyber security seriously. The scheme is available at two levels:
- Cyber Essentials – an independently verified self-assessment. Organisations assess themselves against five basic security controls and a qualified assessor verifies the information provided.
- Cyber Essentials PLUS – a higher level of assurance. A qualified and independent assessor examines the same five controls, testing that they work in practice by simulating basic hacking and phishing attacks.
The five basic controls within Cyber Essentials were chosen because, when properly implemented, they will help to protect against unskilled internet-based attackers using commodity capabilities which are freely available on the internet.
Organisations that undertake Cyber Essentials are encouraged to recertify at least once a year and, where appropriate, progress their security.
Since 1 October 2014, Cyber Essentials has been a minimum requirement for bidding for some government contracts.
And What Is IASME?
The IASME standard describes itself like this:
Information Assurance for Small to Medium-sized Enterprises (IASME) is designed as a security benchmark for the SME. IASME is designed to guide the SME where needed and then assess the level of maturity of an SME’s information security. Recognition of this benchmark can be used to assure themselves and their customers that information lodged with them is safe in all practical respects. IASME can also be scaled up for larger organisations.
The BS ISO/IEC 27xxx series of standards represents the gold standard for information assurance. Achieving certification against these standards is no mean feat and can be extremely expensive.
IASME recognises that SMEs, by nature of their size and flexible business approach, cannot necessarily afford the money or resources for a full ISO 27001 certification. The IASME standard is comprehensive without being too prescriptive, enabling SMEs to demonstrate their level of cyber security and that they are able to properly protect their customers' information. As with ISO 27001, IASME is a risk-based methodology with the appropriate level of rigour, making it the cyber security benchmark for SMEs.
In summary, quoting from the standard:
IASME is a formal information and cyber security methodology that is suitable for any organisation and SMEs in particular. It is sector agnostic and provides a working framework to assure information security against the background of contemporary threats.
Why Did I Do This?
Throughout my professional life I have always believed that you should not expect anyone to do anything you would not do yourself. In other words, practise what you preach. This is particularly important when training people.
My business is about training SMEs, and individuals, in cyber security awareness. I strongly believe that the key factor in protecting information assets – cyber security – is education. Without cyber-security-aware staff in an organisation, any investment in security technology is largely wasted.
So, for me, in addition to my practical experience in cyber security and training businesses and people in the subject, the opportunity to achieve the Cyber Essentials and IASME certificates was not to be missed. My Cyber Essentials certificate allows me to demonstrate I am serious about cyber security.
Cyber Essentials has provided me with a framework relevant to SMEs in which I can set the training I offer. I shall now be offering basic cyber security awareness training to SMEs, eventually leading to Cyber Essentials preparation courses. You will find details of these courses announced on this website soon.