This document discusses whether a business needs ISO 27001 certification and provides context around information security best practices. It summarizes that ISO 27001 describes best practices for information security management and can help businesses systematically manage information assets and risks. However, achieving certification can be time consuming so it's important to apply controls proportionately based on the specific business. The document also discusses regulatory requirements, legal acts, other certifications like Cyber Essentials, and the importance of conducting risk assessments.

1. WhyComply?D O E S M Y B U S I N E S S N E E D I S O 2 7 0 0 1
P G I C Y B E R E - B O O K S E R I E S

2. CONTENTS
Whatis ISO27001?
ISObesolucky
Isitessential?
CyberEssentials
Legal,Regulatory,Certificationand
BestPractice
InformationSecurity
Answeringthewhat,whyandwhen
RiskAssessments
Level 2 - 3 Sheldon Square - Paddington -London - W2 6HY
CONTACT US
clientservices@pgitl.com
+ 44 (0) 207 887 2699

3. EXPLORAC
O U T D O O R G E A R
INFORMATION SECURITY
Regulatory
The main information security centric
standard is the Payment Card Industry
Data Security Standard (PCI DSS)
which any entities that are involved in
the processing, storage or transmission
of Card Holder Data (CHD) must
comply with. This standard, as well as
others relating to CHD, is administered
by the PCI Security Standards Council
(PCI SSC) and was created to reduce
fraud involving CHD. Non­compliance
with the PCI DSS can result in fines
from the appropriate Payment Brand
(MasterCard, Visa, American Express,
JCB or Discover) or the ultimate
penalty which is that the Payment
Brand prohibits you from taking card
payments. There are also many other
industry specific regulations that must
be adhered to if relevant to your
organisation.
Legal
There are a few notable legal information security Acts that currently exist
such as the Data Protection Act 1998 (DPA), Regulation of Investigatory
Powers Act 2000 (RIPA), Computer Misuse Act 1990 and the impending
EU General Data Protection Regulation (EU GDPR) that shall apply from
25th May 2018. The primary Act that most organisations are aware of is the
Data Protection Act 1998, comprising 8 principles on how information must
be used, updated, retained, secured and transferred. It also includes items
such as Subject Access Requests and links into the Freedom of
Information Act 2000, the Computer Misuse Act 1990 and Privacy and
Electronic Communications (EC Directive) (Amendment) Regulations 2011.

4. There are several different certifications that organisations can
attain to evidence the security controls that they have in place.
These certifications provide assurance to any current or potential
customers, stakeholders or suppliers that the appropriate cyber
and information security controls have been implemented. These
controls can assist in the prevention of cyber­attacks and
potentially data breaches. Common certifications include Cyber
Essentials and ISO 27001. Further information about these
certifications is provided later in this document.
• CESG 10 Steps To Cyber Security – Developed by GCHQ in
association with the Centre for the Protection of National Infrastructure
(CPNI) and the Cabinet Office, this framework provides 10 key security
steps, which according to the UK Government, organisations should
adopt to assist in protecting themselves against the most common form
of cyber­attacks.
• SANS CIS Critical Security Controls – A list of 20 technical security
controls that align to the (American) NIST framework which
organisations can implement. They are mainly technology centric and
help protect an organisation from cyber­attacks.
• HMG Security Policy Framework – A specific and comprehensive set
of requirements that an organisation needs to operate in accordance to,
as defined by the UK Government in order to protect UK Government
assets. Adherence to the Security Policy Framework (SPF) is mandatory
for organisations that handle UK Government Classified information.
Certification
Best Practice

5. ISO 27001
ISO BE SO LUCKY
ISO 27001 is an internationally
recognised information security
management standard that
describes best practice for an
information security management
system (ISMS). An ISMS is a
framework that primarily consists of
policies, procedures and other
controls for the systematic
management of an organisation’s
information assets and risks to those
assets. ISO 27001 consists of 114
controls across 14 areas and is
based on industry best practice.
ISO 27001 can often be seen as a
time consuming, complicated and
expensive certification to achieve but
this is not always the case. The
standard and its supporting
documents are designed to be
applied to the specific context and
operation of the organisation wishing
to adopt it; therefore knowing how to
apply appropriate and proportional
controls to the specific organisation
is vital.

6. CYBER ESSENTIALS
Cyber Essentials is an industry supported UK
Government scheme to assist organisations in
protecting themselves against the most
common forms of cyber attacks. There are two
flavours, Cyber Essentials and Cyber
Essentials Plus.
Cyber Essentials requires the organisation to
complete a self­assessment questionnaire
detailing the current security controls that they
have in place across five areas: boundary
firewalls and internet gateways, secure
configuration, access control, malware
protection, and patch management.
Cyber Essentials Plus requires the same
questionnaire to be completed. However,
there is an additional onsite element that
requires evidence that the controls detailed
in the questionnaire have been implemented.
Cyber Essentials Plus includes a penetration
test of web services provided by the
organisation in addition to the Cyber
Essentials requirements, and is intended to
demonstrate security at the internet
boundary.
Cyber Essentials is the minimum requirement mandated by HMG for any business
applying to work on government contracts – including sub­contractors – in order to
make Britain a “safe place to work”. It is a requirement of every central and local
government procurement activity since October 2014.

7. RISK ASS SSMENTS
E
Put simply, a risk assessment is an evaluation of an asset to identify the
possibility of, and effect of, its compromise, disclosure or unavailability. There
are several different methodologies and tools available that can assist an
organisation in completing risk assessments, however these are not out the box
solutions; they still require an element of configuration, asset identification, data
entry and ongoing maintenance.
The question here should really be why wouldn’t I complete a risk assessment?
The answer to this question should be “never in a perfect world”. Risk
assessments provide an organisation with an informed understanding of their
assets and the associated risks.
Risk assessments should be completed at least annually or when there is a
proposition that any aspect of the security of the asset is to be changed e.g.
outsourced, infrastructure change, change to service provision, etc. This
ensures that risks are identified at the earliest opportunity and appropriately
managed.
What?
Why?
When?

8. Wantmore
information?
+ 4 4 ( 0 ) 2 0 7 8 8 7 2 6 9 9
c l i e n t s e r v i c e s @ p g i t l . c o m