I regularly get asked by businesses - often start-ups - how to approach information security. This has become an increasingly frequent question for those looking for some kind of formal recognition, usually certification. Everyone knows that these will take time and cost money. At the end of the day, is it worth it?

The Sea of Standards

There are more infosec standards available than I can possibly list here, so I’m going to go through the main ones with a US/EU perspective. If you’re not in that geographic area, some of these will not be relevant.

Before we get to those, though, let’s define some terms:

Conformance
If there is a written standard and you/your business is meeting the requirements of the standard, we call that business “conformant”.
Certification
If you are conforming to a standard and an external assessor or auditor verifies this, you can usually gain certification.
Attestation
If someone is willing to sign their name to the fact you’re conformant, this is an attestation. Self-attestation is where you sign yourself; most attestations are signed by a third party. This is a stronger promise than just certification.
Control
The practical implementation of a policy requirement is a control. For example, if you have a clean desk policy, the control would be a walk-around inspection from time to time. Some controls are configuration - e.g. “my firewall blocks all inbound traffic” - however, even in those cases you’re still going to need to audit the controls manually (to make sure they’re still there / working).

Why might you need formal information security?

Businesses of all types have an increasing amount of sensitive information, and often need to demonstrate they properly protect it. This need to demonstrate security is what I’d call a requirement or obligation, and it can arise in a few different ways:

  • Internal: my business’s reputation is so important/valuable that I cannot incur a cyber incident, so want to put in place great processes.
  • Contractual: I want to do a deal with another company, and they require a formal system to be in place before they’re willing to close the deal.
  • Legal: I’m using some specific types of data which have general legal protection, and want to put in place processes to demonstrate I’m making reasonable efforts and/or to ensure I meet legal requirements.
  • Regulatory: I’m operating in a specific market which has expectations on how participants operate (these expectations may be backed by a piece of law, or by a quasi-governmental body which can take civil action if I break the rules).

Here are some specific examples in each case:

  • Internal: I work with celebrity clients. I would lose most of my business if I leaked their phone numbers, so I want to demonstrate I have solid processes in place.
  • Contractual: I use Gmail’s API, and need to go through the “Google Security Audit” to do this in production. If I don’t do GSA, I can’t use the API.
  • Legal: I’m storing personal data of EU citizens and therefore need to be compliant with the GDPR.
  • Regulatory: I’m processing healthcare data and need to meet HIPAA requirements.

Quite often a requirement will arise in a couple of different ways. For example, a HIPAA-compliant service provider will usually be asked to sign a Business Associate Agreement. This is simultaneously a regulatory, legal and contractual requirement once executed.

What are the options?

Ok. So approximately, in easiest-to-hardest order, we have:

CyberEssentials (CE)

The most basic accreditation is CE. You can either self-assess this, or have someone else assess you. It covers five areas and includes a simple set of controls, which might be something like “ensure passwords have at least eight characters”. Ideally this is going to be a setting you just turn on somewhere, and suddenly you know your users all have at least a basic decent password. None of the controls require out-of-this-world effort to implement on most off-the-shelf IT systems.

Good for
Everyone. If you’re running a business, you should have done this. There’s literally no good reason not to at least self-assess and figure out what you’re missing.
Likely cost
If you have a simple IT environment, it takes about a day to implement the controls, assuming they’re not in place at all. If you want someone to check you remotely, that’s another £300 or so.
Good to know
CyberEssentials is being run by IASME solely from April 2020. Things may well change at that point. CE tends to be a requirement for UK Government contracts.

CyberEssentials Plus (CE+)

CE+ goes one step further. To get this you definitely need to have someone else assess you, and unlike CE the assessor will also come on-site to run some technical checks of your IT infrastructure.

Good for
A business with an office and its own IT infrastructure. If you’re working out of a WeWork or something, there’s not a big reason to do CE+ over CE. If you’re remote-only then you’ll have difficulty demonstrating the requirements.
Likely cost
Depends on how many locations you have, how much hardware, and whether you bring any off-the-shelf cloud suppliers into scope. £2000 plus probably.

IASME Governance

This is basically a CyberEssentials plus a GDPR compliance check, and you can choose to self-assess or have an external assessor (much like CE/CE+). All the points about CE/CE+ stand. It is marketed as a midway point to ISO 27001:2013, but is much simpler in reality.

Good for
Anyone who needs CE/CE+ and is handling personal data in non-trivial ways (e.g. significant outbound marketing). This is one of the few ways to demonstrate formally that you’re meeting GDPR as of late 2019.
Likely cost
Much like CE; extra time required to write the GDPR policies/etc. An external assessment starts at £400, an on-site one will be more.
Good to know
Again like CE, the various criteria for the standard are available as a free download.

ISO 9001:2015

People commonly ask me if they can use their ISO 9 Quality Management System to implement information security. My response is generally “urgh”. You kinda can; it’s not a great fit and it makes things more complex.

If you express your information security objectives as customer satisfaction objectives, and then implement security controls in response to the risks to those objectives, it will roughly work. You’ll have fewer obligations than under ISO 27 because there isn’t a broad set of standard controls you need to consider.

The downside is that virtually no-one will recognise this as an information security management system. If you have ISO 9 already, then identifying some infosec risks is a reasonable stepping stone to ISO 27.

Good for
Those businesses with ISO 9 already in place, and who want a more structured approach to infosec. Not worth doing just for infosec, though.
Likely cost
Just the additional time to learn about infosec and integrate it properly.

PCI-DSS

The PCI-DSS standard is specifically for those organisations handling credit card data, which isn’t as common as it used to be. The PCI-DSS standard is primarily made up of a series of technical controls: depending on how much data you handle, and how much of the process third parties handle for you, there could be a couple hundred controls to implement.

PCI-DSS gets complex if you handle the data yourself directly, especially over the phone. If you’re an e-commerce startup with a hosted Stripe payment page, you probably don’t have to do anything (although you still need to be able to self-assess to assure yourself of that fact).

PCI-DSS is known for potentially being difficult; depending on who your auditor is (and you can only self-assess to a certain level) this may be true. However, it’s more true to say it’s only difficult for organisations with poor internal infrastructure already. As one example, you have to assess anything on the “card data network”: if you haven’t segmented networks, then everything is on the “card data network” and you have to assess everything. Obviously that’s painful.

Good for
Those businesses handling credit card payment. All such businesses need to be compliant (and don’t believe anyone who tells you otherwise).
Likely cost
Ranges from nothing (simple Stripe integration) up to tens of thousands.

NIST Cybersecurity Framework

The NIST CSF is a US-originated framework intended to help protect “critical infrastructure”, but is generally applicable. The majority of the framework is a set of controls in the same manner as ISO 27 or HITRUST; however, it takes an interesting approach in simply defining some activities and intended outcomes. So, where PCI-DSS says “you must have this specific external scan”, NIST simply says “Vulnerability scans are performed”.

Unlike the management standards, there is no over-arching framework: if you want to measure performance, ensure you’re feeding useful information back, and otherwise improving your security posture, NIST isn’t very helpful.

Good for
Businesses operating with lots of sensitive data, particularly in the US.
Likely cost
There are a lot of activities to look at, so this would be a multi-week effort to implement at minimum. Almost certainly it will incur costs for external services (such as vulnerability scanning / pentesting).
Good to know
There are certificates and training schemes for individuals implementing NIST, but not for the framework itself. Bank of England is apparently aligning to NIST CSF, so this may become increasingly relevant for fintechs in UK/EU.

ISO 27001:2013

We’re starting to get into the big systems now. 27 (as its friends call it) is an Information Security Management System (ISMS): which is to say it doesn’t care about the technical details, it only cares about management/risk. Strictly speaking, you could have a conformant 27 ISMS which lists your business’s risks and accepts them all without mitigation. It’s unlikely you could get an external auditor to agree to that, but in principle you can do it.

27 may apply to your whole business, or just some part of it: this is called the “scope”. There are two main types of certification; those that are UKAS-accredited (“crown and tick”) and those that are not. The ones which aren’t are cheaper, and one supplier can help you set up the ISMS and then assess it. A “proper” certificate costs more, and the auditor will be different to the people who set it up.

While there are no specific controls required by the standard, there are around 180 that you need to consider (overall) compared to the 30-odd in CE.

Good for
Businesses with more complex information security requirements - bespoke software development for example - and those with significant regulatory or legislative obligations.
Likely cost
Will eat up days writing the paperwork. To self-certify you’ll need to spend £200 or so getting access to the standard; the costs of an external consultant to set up the ISMS are much greater. A full audit will run to a minimum of £5,000, and a UKAS-accredited certificate will take a minimum of three months to achieve.
Good to know
Accreditation lasts three years, with interim audits along the way. Across the three year cycle, you’re likely to be spending £12k minimum on audit.

HITRUST

Originally designed to help US healthcare businesses demonstrate HIPAA/HITECH compliance, the recent HITRUST standards are more generic and can be applied to more organisations. HITRUST is more specific and involved than ISO 27; in particular there are a set of controls which you must have in place (depending on the size and complexity of your business).

HITRUST is a standard controlled by a private, commercial organisation. This means you can only access HITRUST services and advice through their approved channels, and the standard itself is similarly constrained. The assessment is made through the central organisation, through a bespoke web application, so it’s uniform across the world. It’s increasingly recognised in the healthcare sector, and can short-cut the sales process significantly.

Good for
Healthcare businesses operating in the US market. Increasingly good for sophisticated enterprises in other areas.
Likely cost
Tens of thousands of pounds/dollars. This is a significant undertaking, and the requirements you need to meet go up in years 2 & 3 of certification - so you’re signing up to more future work too.

COBIT for information security

More commonly seen in the US, the COBIT framework is a system for risk/benefit analysis of potential information security controls. It’s really a governance or management framework, so like ISO 27 it’s not going to give you a lot of specific detail to implement. It has a relatively old-school view of IT, so a lot of the expectations are driven from defined “good practices” which have in some cases been superseded.

COBIT 2019 itself is a much broader management framework, and designed for larger enterprises with more sophisticated needs for risk management, etc. The infosec version is a “profile” of that broader framework, with non-security pieces removed. This results in a framework which is still quite heavy in some areas.

Good for
Enterprises. If you need COBIT 2019, you’re probably not reading this.
Likely cost
As long as a piece of string, and certainly expensive in a complex enterprise.
Good to know
Sees itself as an umbrella standard, so you can implement this happily alongside ITIL, TOGAF, etc. If you’re not a user of those things, COBIT is unlikely to appeal.

System and Organization Controls reporting (SOC)

SOC comes in a number of flavours. SOC 1 is for financial regulators, so I’m going to ignore that in this context (although some parts are infosec-relevant, if you need SOC 1 you will know that without me telling you).

SOC 2 is relevant if you use third parties to process sensitive data. SOC 2+ goes one step further to address GDPR/HIPAA/NIST. SOC 3 reports tend to be less involved and are generally only used for public attestation - e.g. sales documents.

You may also see reference to Statement on Standards for Attestation Engagements No. 18 (SSAE 18) and/or International Standard on Assurance Engagements 3402 (ISAE 3402). These are the standards by which the controls are evaluated/reported (sort of), and a SOC attestation would need to be done in compliance with those approaches. Generally this means it’s going to be a large accountant doing this report.

Many of the previous standards are audited on an annual basis, and you get a certificate demonstrating that at the time of audit everything looked good. A SOC attestation goes further: was everything good for a specific period of time?

The key bit in a SOC attestation will be a phrase along the lines of:

“In our opinion, Acme Corp’s controls over the system were effective throughout the period 1st January 2019 through 30 September 2019, to provide reasonable assurance that its principal service commitments and system requirements were achieved based on the applicable trust services criteria.”

This will then be signed by a Big Four accountant. As you can imagine, auditing all the evidence from that period of time to a degree an accountant will sign off is a lot of work. It’s always backward-looking, too - it’s a statement about whether your system was working.

Good for
The largest of large enterprises
Likely cost
Ruinous

That’s basically it

There’s a bunch of systems I haven’t mentioned. Those I have mentioned, I’ve done a disservice: by trying to tease out the essential benefits, I’m leaving out an awful lot. Each of the systems has its proponents and detractors.

I personally believe all businesses should be CE compliant (whether they know it or not - but obviously better to do the assessment and formally record it). Virtually all businesses, on the other hand, do not need SOC attestation. The “right level of compliance” is therefore somewhere in between.

If you’d like to comment on this at all, or have any questions, please ping me on Twitter - links below!