A short guide to cyber security frameworks

What are cyber security frameworks?

Cyber security frameworks exist to help organisations defend themselves against threat actors and cyber attacks. They provide a standardised set of guidelines and best practices that underpin the overall security of your digital infrastructure. A framework is not a product you can install, but it should not be mistaken for optional guidance either. It gives you the structure and foundation you need to design security measures that can actually be delivered, and it helps you define the policies and procedures you will need when implementing security and governance controls. By setting out the people, technology and processes required to reduce potential vulnerabilities, these frameworks help organisations of any size to manage and minimise risk.

Who are they for?

In short – cyber security frameworks are for everyone. Every organisation that operates with digital assets should be referencing one. In practice, IT Security or Cyber Security Managers use them to identify the tasks, actions and processes required to mitigate risk, and to manage that risk more systematically and consistently. Depending on your sector and jurisdiction, some frameworks will also be essential for meeting governance and compliance requirements.

However, choosing the right framework for your organisation still matters. Many objectives and measures overlap between frameworks, so understanding which ones are applicable and beneficial to your organisation is critical.

Here are three cyber security frameworks to help you start:

1. Cyber Essentials & Cyber Essentials Plus

Cyber Essentials is a UK government-backed scheme providing a simple approach that most organisations can undertake. It acts as the government's minimum baseline standard for cyber security in the UK. As the name suggests, it covers the essentials and is designed to protect your organisation from the most common, largely untargeted, cyber attacks. It is built around five basic technical control themes:

  • Firewalls 
  • Secure configuration 
  • User access control 
  • Malware protection  
  • Security update management 

Since the scheme update of 24 January 2022, the scope of these controls explicitly includes home working devices and all cloud services the organisation uses.

Who is it for? 

The Cyber Essentials framework gives organisations of all sizes and industries a first step towards cyber security maturity. Any organisation that wants protection against the most common cyber attacks should use it. Bear in mind that it is the controls, not the certificate, that stop attacks: certification demonstrates that those controls are in place. While beneficial for all, organisations bidding for certain UK government contracts are required to hold a Cyber Essentials certification.

Advantages for organisations:

  • A self-assessed certification (Cyber Essentials) that you can achieve by answering a questionnaire about your controls. 
  • Cyber Essentials Plus is also available – an assessor verifies through hands-on technical testing that the Cyber Essentials controls are actually in place and working. 
  • A Cyber Essentials readiness toolkit is available – it provides targeted guidance specific to your organisation, so you can create an action plan for meeting the certification requirements.  
  • Certification reassures your customers and stakeholders that you are actively securing your infrastructure against cyber attacks. 
  • Clarity on your organisation's cyber security posture, along with actionable advice and guidance on how to improve it.  

2. Cyber Assessment Framework 

The Cyber Assessment Framework (CAF) was developed by the UK's National Cyber Security Centre (NCSC), which helps organisations responsible for some of the UK's most critical services and activities strengthen their cyber resilience. The CAF is an assessment of an organisation's current cyber security and consists of a set of principles describing the outcomes an organisation should achieve, rather than a step-by-step guide to how to achieve them. Those principles are grouped under four key objectives that indicate what processes and systems should be in place: 

  1. Managing security risk 
  2. Protecting against cyber attack 
  3. Detecting cyber security events* 
  4. Minimising the impact of cyber security incidents 

Who is it for? 

This framework was introduced as part of a programme to improve government cyber security. It is primarily applicable to government bodies and organisations such as emergency services and defence. In addition, the CAF is recommended for organisations that fall into three categories: organisations within the UK Critical National Infrastructure (CNI), organisations subject to the Network and Information Systems (NIS) Regulations, and organisations managing cyber-related risk to public safety. 

Advantages for organisations:  

  • Provides a systematic and comprehensive approach to assessing how well cyber risk is managed within your organisation. 
  • Provides guidance for sector-specific assessment.  
  • CAF guidance includes Indicators of Good Practice (IGPs) for each outcome, which give assessors concrete evidence to look for.  
  • Achieving the outcomes of the framework principles improves cyber resilience and raises awareness of the importance of effective risk management.  

*A Managed Detection and Response (MDR) service can support the detection objective. MDR gives organisations access to a dedicated Security Operations Centre that monitors for threats and manages incidents 24/7. With 26% of public sector organisations having just one person responsible for their cyber security, this can be a valuable supplementary service for meeting the objectives of this framework. Find out more about MDR from Brightsolid here. 

3. ISO/IEC 27001

ISO/IEC 27001 is an internationally recognised standard for information security. It specifies the requirements for an Information Security Management System (ISMS), so that organisations can manage the controls and systems that protect assets such as financial information, intellectual property, employee details and third-party information from threats and vulnerabilities. The standard is made up of two parts: 

  1. The main body, consisting of 11 clauses that define the requirements for establishing, implementing, maintaining and continually improving an ISMS.
  2. Annex A, which lists a set of reference controls and control objectives. The organisation selects from these, via its risk assessment and treatment process, the controls it needs to address the risks it has identified.  

Who is it for? 

This standard is for any organisation that chooses to implement it. Certification is not obligatory, but ISO/IEC 27001 certification has already been achieved by over 33,000 organisations worldwide. Because the standard focuses on best practice in information security management, industries that handle large volumes of sensitive data, such as telecommunications, finance and IT, benefit particularly from it.  

Advantages for organisations 

  • Internationally recognised standard. 
  • Gives your organisation a recognised, best-practice method for protecting sensitive information. 
  • Certification demonstrates that your organisation follows information security best practice, which can be influential in securing new customers. 
  • Validates your cyber security programme, demonstrating that you have the right systems, processes and people in place to manage cyber risk effectively. 

To sum up, your organisation should consider a range of frameworks; it does not have to be one or the other. Many frameworks can help raise your cyber security maturity, and many of them are complementary. Just remember that some are industry-specific and carry regulations that organisations in those industries are expected to adhere to. Because guidance and controls overlap between frameworks, it is always best to review which cyber security frameworks are most suitable and, more importantly, which are most beneficial for your organisation and its security.