Every organisation needs effective cyber security. This means:
- Having clear company policies about cyber security.
- Selecting the right security controls for you
- Making sure that your selected controls actually work.
Find out more about security policies
Selecting the right security controls can be difficult. Security controls can:
- Already be there (eg as standard features of your chosen software).
- Be added to meet your security policies
- Be added as good practice.
- Be added just because you think you need them.
For example, the UK Government’s Cyber Essentials scheme recommends a series of controls in five key areas to give you basic technical cyber protection. You may well choose to implement these controls as a matter of policy.
However, it is very unlikely that a set of controls chosen from checklists is going to be exactly right for you. The only way to be sure that you do have the right cyber controls for your business is to carry out a cyber risk assessment.
Find out more about risk assessment
Risks change over time, as may the effectiveness of your controls. Having selected and implemented a set of cyber controls, you need to check regularly that they still meet your security needs. To do this, you will need a cyber security management system.
Such a management system can be formal or informal. It can be very simple, perhaps just a once per year management review. However, many companies, including SMEs, choose to implement formal cyber security management systems compliant with ISO/IEC 27001. You can find out more about ISO/IEC 27001 from our how standards can help you manage cyber security page.
Your management system may give you confidence that you have effective cyber security, but convincing your customers might be a different matter. They might want additional assurance.
