This is a question we often get asked at RTG Commercial Services by our clients.
Unfortunately, the answer is, it depends which is not always what our clients want to hear.
This blog provides a brief overview of the most common security frameworks used in the UK and some ideas of how to best adopt and tailor them to suit your needs.
As you can see, there are many different frameworks and many options for managing your information security risk.
And there are many reasons for selecting one framework over another:
Legal or regulatory compliance
Internal expertise and preference
To some extent, what matters most, is not which framework you choose, but that you proactively and consciously make a choice. All frameworks include guidance for good practice across a range of areas including risk management, technical security, personnel security, staff awareness and training (to name but a few). Selecting and establishing a security framework is one of the most important decisions made by a leadership team.
To figure out the best framework for your organisation, a logical sequence of events would be:
Identify your business context
what products or services are you selling?
what is your customer profile?
what is your legal and regulatory context?
Identify what you need to protect
what assets do you have that could be at risk (people, process, technology)?
what are your objectives in protecting those assets?
Identify your risk profile
what threats do you face?
what is your risk strategy and approach?
what risks can you tolerate (and which can you absolutely not)?
Identify your current status
what policies and processes do you already have in place?
what gaps do you have and how mature are they?
what risks remain (or are outside your tolerance level)?
Develop and implement an improvement plan
which framework best addresses your risk profile?
what will you need to adapt in the framework to meet your specific objectives?
have you got the resources you need to implement and maintain the framework?
There are many frameworks available, designed for many different types and size of organisation. Often, clients assume that the most appropriate framework is ISO2700; as the most established and internationally recognised suite of standards relating to information security, this is not surprising. At RTG Commercial Services, this was where our security expertise started - helping clients initiate and implement ISO27001 Information Security Management Systems and obtain accreditation by an independent auditor. Key reasons for adopting ISO27001 by our clients as their security framework include:
Established security framework with flexibility to adapt to specific circumstances
Required as part of contractual obligations
Independent accreditation provides credibility to the security posture of the organisation
For smaller clients considering Information Assurance certification, IASME Governance is often a good framework to adopt. Specifically created for small and medium enterprises, IASME Governance can be self-assessed or independently audited depending on the organisational requirement. Reasons for adopting IASME Governance include:
Includes CyberEssentials and GDPR assessments
Tailored to smaller organisations
Flexible certification approach
A new kid on the block (although not that new given it was launched in 2005) is the NIST 800 series. This is a suite of guidelines and good practice, similar to ISO27000 from the US National Institute of Standards and Technology. The NIST CyberSecurity Framework (CSF) was launched in 2014 and provides a structured approach to basic cybersecurity defences grouped around five functions - identify, protect, detect, respond and recover. Very similar in scope to ISO27000, key reasons for adopting the NIST CSF include:
Tailored for cyber security risk management
Voluntary framework that can be adopted by the largest to the smallest enterprises
Cyber security maturity is easily communicated to senior management
By partnering with ISMS Online, RTG Commercial Services has been able to simplify information security risk management and compliance monitoring for clients. All policies are retained in one secure location, easily updated and communicated to customers and third parties and constantly aligned to the relevant industry standard. If you have a need to adopt a security framework and would like some support in selecting the 'right' standard - and planning your implementation - contact us for a free initial discussion. We are always happy to share our knowledge and expertise to help you on the right path.