
Your Security is Key to our business

Every aspect of your infrastructure from Applications to People to Web Sites poses a risk in the current environment. We are here to work through and mitigate these threats, and make your business IT as secure as possible.

We cover many areas of compliance for data and IT security and can assess your systems for several levels depending on your requirement. At minimum we would want to take you to the basic level which would be Cyber Essentials.

Regardless of whether you require the certification at the early stages, or if you just want to make your network a little less open to attack, or even maybe following an attack, we will look at your system based on the requirements of Cyber Essentials. We would of course recommend taking on the remedial suggestions either way.

Once any remedial work has been done to this level, further compliance certifications can follow, and will be a great deal easier to achieve, by simply building on what has already been established. Generally, most of the factors of IT Compliance follow similar guidelines, just getting more in depth with each level. For example, it may be a requirement for a company to be compliant with ISO 27001 in order to be part of the supply chain, but if the lower levels cannot be achieved, or the company does not meet the requirements for these lower levels, there would be no way that they would sensibly be able to achieve an ISO standard. With IT Security, Rome certainly was not built in a day.


Yellow Brick Road

 

What is the path to follow?

Cyber Essentials is the first low level compliance for IT Security. It is a UK Government backed scheme to ensure businesses are at a sensible level for their IT security and can help to mitigate at least 90% of cyber attacks that occur. The certification helps towards compliance with GDPR, which in the UK came into force on May 25th 2018. It is a self-assessment based system, in which users fill in a form and submit it to an external certification body. As many business owners and directors would not really know where to begin with their IT infrastructure, least of all how to answer the questions, we, as IT assessors, can hold your hand through the process.


Cyber Essentials Plus is the next level up from Cyber Essentials and follows the same path with a self-assessment. The difference is that Cyber Essentials Plus also requires a 3rd party to come and do a penetration test and/or an audit of the system within the scope. We can again hold your hand through the process and will find a suitable assessor to come and do the additional tests, working with them and your IT team to sort additional remedial actions, if required.

 

There are, of course, further paths to take, dependent on your organisation and how it operates. These may include ISO 27001 (or any of the other ISO categories surrounding Data Security). We have worked with several clients in the financial industry, and they, for example, have stipulations from the FCA. Either way, we can help you achieve these goals.

IASME
ISO 27001
GDPR
PCI Compliance
Cyber Insurance

CIA TRIAD

Passwords
Firewalls
Data Integrity
Backups
Disaster Recovery / Business Continuity
Encryption
Antivirus / Antimalware
Ransomware
Social Engineering

What we need to do an audit.
An audit is carried out on your premises.
Firstly, we need access to the system, preferably with some sort of administrative credentials. If these are unknown, then we may need to speak to your existing IT provider. We need this to accurately collect the information about your network to see where vulnerabilities and unknown activity may be occurring. The administrative accounts can normally see this information.