Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

00) Does your organisation hold any certifications in information security?

August 30, 2022
Security Certifications
Scoping
Small Framework

Answer yes if your organisation has been certified to an information security standard (such as PCI DSS, Cyber Essentials or ISO27001) or has completed an information security audit such as a SOC2.

There are a number of certifications that you can be audited against that cover information security.

Risk Ledger has put together a list of the certifications most common for UK and US organisations and included our thoughts on each. Guidance on security certifications across the world will be added soon.

Cyber Essentials and Cyber Essentials Plus

Cyber essentials is a UK government backed certification that covers the implementation of controls designed to protect you against the ten most common types of cyber attack. You can certify to either the basic level through a self assessment or to the plus level after a third party assessment has been completed.

If you are a small to medium enterprise or startup we would recommend this certification as it is lightweight and effective. If you supply (or want to supply) to the UK government you need to be Cyber Essentials certified to the basic level.

ISO27001

ISO27001 is based around the implementation of an information security management system (an ISMS). This is a comprehensive certification that requires a three stage external audit to be certified, and as such requires a large amount of preparation and implementation.

ISO27001 is a great framework for any corporates or larger enterprises who need a way to effectively manage their security systems.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework is a framework developed by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce. It was developed as a security framework for use by all critical infrastructure of the United States.

NIST Cybersecurity Framework is a great framework for any critical infrastructure or utilities enterprises who need a way to effectively manage their security systems.

SOC2 Report

A SOC 2 report is designed to provide assurance to an organisations’ clients, management and users about the presence and effectiveness of the organisation’s controls that are relevant to security, availability, processing integrity, confidentiality and/or privacy.

A SOC2 audit is a comprehensive audit that includes both the presence testing of controls and the effectiveness testing of controls. The audit is also not information security specific.

How to implement the control

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.