As businesses, we are surrounded by an abundance of choice when it comes to gaining certification. But how do we know which is the right one for us and when the time is right to go for it?
When making this decision there are many considerations, such as cost, time, and legal or contractual requirements, to name just a few. Whenever a customer asks for advice, my response always starts with two questions: why do you want to certify, and what are your business drivers? This is a simple and effective way to uncover the cause-and-effect relationships underlying a particular problem or need. Understanding the risks to your business, and what you are trying to protect and why, will help you navigate your next steps and prevent you from spending money on certifications that may not be necessary.
We work with customers to understand and establish their why. Some customers decide they just want to adopt better security practices rather than gain official certification and would rather align with a particular standard or framework. Others may want to work in different markets that require particular certifications, and some may just want to provide assurance to customers regarding their security practices.
Regardless of the decision about whether to certify, we work to understand the individual business and create a roadmap which ensures security is embedded into day-to-day activities, encompassing people, process, and technology. Security should be part of what the organisation does day-to-day, and a continuous process rather than a tick box exercise.
One point to note: a certification does not mean you are 100% secure; nothing does. What it does give is assurance that, at the point of assessment, you met the requirement criteria of a particular standard.
Our customers are all at various stages of their security journey and come from different sectors, each with its own specific requirements. The one thing they all have in common is that they want to improve and to understand how they can integrate security into their business. Below I have listed some of the certifications our customers enquire about:
Cyber Essentials is a good starting point for any business looking to improve its security, or an additional layer of assurance for more established security programmes. Implementing its small set of basic technical controls protects organisations from a large proportion of commodity, internet-based attacks.
Cyber Essentials Plus takes this a step further: the same controls are independently verified by an assessor through a hands-on technical audit of your IT systems, rather than by self-assessment alone. It must be completed within 3 months of achieving Cyber Essentials.
ISO 27001 is the international standard that sets out the requirements for an Information Security Management System (ISMS), which takes a risk-based approach to managing an organisation's information security. It is a cyclical framework that allows for continual assessment, review and improvement.
If you are considering certification and would like a pragmatic and honest approach, please get in touch for a free consultation.