Cyber security assurance: What is right for my business?

Cyber security can be complex enough without adding compliance and assurance obligations. Yet without these, it is unlikely a security programme will succeed in it’s objectives because you’re not running it for you — you’re running it for your stakeholders, both internal and external. And boards, managers, clients, regulators, customers — all quite reasonably want to know that your organisation does not pose a risk to them, and would like you to prove it. It’s easier to trust if you can first verify.

That expectation of reasonable assurance leaves most organisations with a lot to consider, as cyber security assurance takes many forms and which you need will depend on your organisation - it’s risk profile; it’s size, complexity or regulatory status; it’s objectives — and, yes, it’s budget and resources too.

It is of course possible to build a great internal monitoring programme based around your own security policies, and this is also important. For today’s purposes though we are talking about external or independent assurance. That’s means someone else marking your homework — not you marking your own.

The key types of cyber security assurance you will see in practice will be:

a) assurance over your risk management system — how you identify, assess and manage your risks

b) assurance over your technical infrastructure — an expert review of specific controls such as your website or network

c) assurance over your business control environment — have you implemented good controls for your people and processes as well as technology, and dare the operating effectively?

It’s also important to remember that have a security programme build around an industry standard does not mean it is independently assured. Common standards and control frameworks such as NIST or IS0 27002 are helpful for designing a good security programme, but are not certifications — there is no such thing as a ‘NIST certified’ organisation.

So what are the key types of assurance report you should consider, and when would they be useful?

ISO 27001

ISO 27001 is often misunderstood. It is not in fact a technically driven assessment and nor does it require a specific list controls  — rather this is a good example of assurance over a risk management system,. In other words, the auditor is assessing whether the organisation has considered it’s risks, identified suitable controls, and then implemented them. This does mean that an organisation can assess controls as out of scope and still pass, as long as they can explain it. That provides useful flexibility but also means that an ISO27001 certificate by itself does not tell you much about the technical controls an organisation operates. Whilst a list of controls is provided (Annex A), you do not have to implement these to get a certificate.

CyberEssentials (and similar frameworks)

CyberEssentials is the UK’s cyber certification scheme for smaller and mid-szed organisations. It has 4 essential controls and can be undertake for £300. It’s intentionally assessible. This focussed on key technical controls, such as patching systems within 14 days. The basic assessment is a self-assessment, so if you see a CE logo it doesn’t mean the organisation has independent assurance, only that they have reviewed their controls. CyberEssentials Plus includes verification of the organisation’s controls by an accredited certification body, but it’s still very accessible on cost and time and the easiest ‘first certification’ to undertake. Large organisations can also do CE, but they may find it harder if they have legacy systems and technology which are not well managed. This makes CE a very good standard to look for, with CE certified organisations shown to be 80% less likely to have an incident (based on cyber insurance policy claims data).

SOC 2

SOC 2 is a US driven framework for operational cyber assurance. The primary purpose of SOC 2 is to ensure that third-party service providers store and process client data in a secure manner. An assurance engagement will be carried out by a consultancy firm during which they will document the controls you are going to attest to against the assurance framework, and then test that these controls are operating in practice. There are two types — a SOC2 type 1 report, which attests to the controls in operation on a specific date, and a SOC2 type 2 report, which attests to the controls operating over a period — usually, but not necessarily, 12 months. These are particularly valuable for large listed companies looking to provide a high level of ongoing assurance, highly regulated organisations such as banks, and technology service provides who provide cloud, hosted or managed services. It is not only suitable for large organisations — it is perfectly possible for smaller organisations, such as those providing niche hosted services or software, to undertake a SOC 2. However the requirement to do so is generally driven by client need. Whilst a simple SOC 2 report can be low cost, for larger and more complex organisations the cost can be much higher. It is not however necessarily more expensive than ISO 27001, and it’s narrower focus on agreed controls can sometimes make it more achievable.

Technical security testing (penetration testing, red teaming, etc)

Technical testing takes many forms but is usually focussed on a specific area of technology. A great example is a penetration test — there are many different types, but essential the testing provider seeks to gain access to your infrastructure in order to ascertain how easy or difficult this is to do, and identify improvements you can make to ensure an attacker can’t get in. An automated vulnerability scan is often performed first to identify easy-to-find issues, after which a technical specialist will carry our manual testing. The value of the engagement varies, and with no fixed standard to test against, who you select to do it really matters.

You also need to consider whether they will do a ‘black box’ test, where no information is provided other than the scope, or whether you will give them some additional access or information so they can find more advanced vulnerabilities. Commonly, penetration tests are carried out against public-facing infrastructure such as networks, websites, or online applications. However there are many good cases for testing infrastructure within a network too. More advance technical testing can involve simulated attacks and defence with specific goals in mind. The outcome of a technical security test is a report, and it is common to share executive summaries with clients for review.

So what cyber assurance should I do?

If you’re looking to do your first cyber assurance or on a budget, CyberEssentials Plus is a great start as it also involves a vulnerability scan and a range of checks that give your practical assurance over your basic controls. It’s also required for suppliers to the UK Government. If you can’t access CyberEssentials Plus, perhaps because you’re not in the UK, look for equivalent standards locally or consider starting with a network penetration test.

Larger organisations or those with compliance or regulatory requirements, or high risk profiles, should consider ISO27001. This can be administratively heavy as it does mean regular audits. However the benefit of ISO is that it by looking at your risk management practices, it provides confidence that you are running an effective security program that will continue to learn and adapt for future needs. However, this should be combined with technical security testing over (at a minimum) public facing infrastructure such as websites and your network, and effective internal security monitoring.

If you’re running hosted or managed services such as Software as a Service applications, delivery critical services to large enterprise clients or are operating and processing client data in a heavily regulated industry, a SOC2 report combined with technical security testing can provide the best of both worlds and keep your clients happy — at a cost.

It is of course possible to undertake multiple types of assurance, and this will be the case for many organisations. If that applies to you, consider first mapping the controls in scope for each assessment into your internal information security management system and policies, and documenting how you can evidence each control is operating. That way you know that your internal practices will meet all requirements, and you will avoid unnecessary duplication of effort. This will reduce both the internal resource requirements and the external cost of assurance, allowing you to focus resources on other areas of your security programme.