Having established a cyber security policy, you and quite possibly your customers and suppliers will want to be sure it works.
You can be audited against your policy, either by yourself or an independent person or organization (this is called certification). If you audit yourself it is called a ‘declaration of conformity’ or ‘self-certification’. If a customer audits you, they can award an inspection certificate (i.e. a declaration that their specified requirements have been met).
Even if you were shown to meet your cyber security policy on the day of auditing, it doesn’t mean you had effective cyber security previously or that you will still have effective security in the future. For longer-term confidence, you need an information security management system (ISMS), however rudimentary, which will provide feedback on present as well as future use.
If you don’t think you want or need a formal information security management system, you can still perform a gap analysis to identify shortcomings in your current cyber security provisions.
