Improving cyber security remains a top priority for small businesses, SMBs, SMEs and enterprises alike.
Cyber attacks in the UK are becoming more common for both smaller and larger businesses, while global losses from cyber crime are expected to reach $10.5 trillion by 2025.
To combat cyber crime, national and international institutions have produced cyber security frameworks to unify organisations under professionally developed standards. Frameworks guide cyber security risk assessment, providing a roadmap towards more effective controls and risk mitigation strategies, and are also a key part of cyber risk management.
With a solid cyber security risk assessment in place, organisations can confidently move forward with the knowledge that their data and critical assets are secure. Frameworks are integral to the assessment process.
This is an introduction to cyber security assessment frameworks.
A cyber security assessment framework provides organisations with a means to systematically analyse and review their digital infrastructure and operations to control and mitigate cyber security risks.
Applying a cyber security assessment framework helps businesses address the following core threats:
A cyber assessment framework is multi-faceted and assesses everything from governance and risk management to data and system security, asset management, detection and incident/crisis response.
Above: Businesses can apply a cyber assessment framework to virtually every industry in our highly-digitised world
While prevention and threat detection are vital to prevent risks from developing in the first place, assessments also look at incident response, communications and disaster recovery.
Many guidelines are long, highly detailed, and don’t apply to every organisation. However, there are fundamental similarities. All in all, a cyber assessment framework addresses the following core elements:
Cyber security frameworks support laws and regulations, such as the EU Security of Network and Information Systems Directive (implemented in the UK as the NIS Regulations) and the General Data Protection Regulation (GDPR). They act as a valuable resource for businesses that belong to critical infrastructure or regulated sectors (e.g. UK Critical National Infrastructure).
Above: Implementing a cyber security assessment framework supports cyber security regulation
The choice of cyber security assessment framework varies with the business, sector, industry and other factors. Some of the most popular assessment frameworks include:
Most organisations are free to apply the frameworks and guidelines that best fit their operations and objectives.
Cyber security assessment frameworks are fundamentally similar, but some have been developed for specific industries and critical infrastructure (e.g. PCI DSS for the payment and financial services industries). There are both national frameworks (e.g. the USA’s NIST CSF and the UK’s NCSC CAF) and international frameworks (e.g. CIS CSC and ISO/IEC 27001 and 27002).
On balance, the CIS Critical Security Controls framework and ISO 27001 are perhaps the most universally applicable assessment frameworks and controls. Thousands of global organisations utilise the CIS framework, and the CIS Controls are endorsed by the European Telecommunications Standards Institute (ETSI) and the UK Centre for the Protection of National Infrastructure (CPNI).
Above: CIS Controls Version 8
CIS publishes mappings of the Critical Security Controls onto other frameworks and controls such as NIST CSF and the ISO 27000 series. This, in principle, makes CIS one of the most comprehensive frameworks available.
In addition, SOC2 and ISO 27001 are widely used by organisations to give clients assurance that cyber security is being taken seriously and is properly managed. ISO 27001 is generally used for this purpose in Europe, and SOC2 in the US.
Our Cyber Health Checks typically use a mixture of the CIS Critical Security Controls framework and ISO 27001, which gives extensive coverage and can be tailored to the requirements of businesses in every sector.
Overall, every organisation with substantial digital operations should conduct cyber security assessments and choose a framework applicable to their industry, requirements and business objectives.
Applying frameworks and guidelines and addressing issues builds resilience and enables digital transformation.
Nicolson Bray offers bespoke cyber security risk management and review services catering to organisations across multiple industries and sectors.
We help businesses build secure and resilient architectures and engineer security solutions that address complex objectives. Contact us today to find out how we can help you transform your organisation’s cyber security.