A short guide to cyber security frameworks

 What are cyber security frameworks?

Cyber security frameworks exist to protect organisations from threat actors and cyber attacks by providing a standardised system of guidelines and best practices that support the overall security of your digital infrastructure. While cyber security frameworks do not exist tangibly, it’s important not to mistake them for optional guidance. They provide an essential structure and foundation as you begin to develop deliverable security solutions, and will help you to define the policies and procedures involved as you implement security and governance controls. By establishing the people, technology and processes needed to reduce potential vulnerabilities, these frameworks effectively help organisations of any size to manage and minimise risk.  

 Who are cyber security frameworks for?

In short – cyber security frameworks are for everyone. Every organisation that operates with digital assets should be referencing cyber security frameworks. Specifically though, IT Security or Cyber Security Managers will use them to highlight the tasks, actions and processes that are required to mitigate risks. They also enable these roles to manage any risks more systematically and intelligently. Depending on your organisation and government, some of these frameworks will also be essential to meet governance and compliance requirements.   

But choosing the right framework for your organisation is still an important decision to make. Many have objectives and measures that can crossover so understanding what is applicable and beneficial to your organisation is key.   

Here’s three cyber security frameworks to help you get started:

1. Cyber Essentials & Cyber Essentials Plus 

Cyber Essentials is a UK government framework providing a simple approach that most companies can undertake, and acts as the government’s minimum baseline standard for cyber security in the UK. As the name suggests, this framework covers the essentials and will protect your organisation from a wide variety of the most common cyber attacks. It covers a set of basic technical control themes such as: 

  • Firewalls 
  • Secure configurations 
  • User access control 
  • Malware protection  
  • Security update management 
  • Home working devices and all cloud services (as of Jan 24th 2022) 

Who is it for? 

The Cyber Essentials framework provides organisations of all sizes and industry with the first step to cyber security maturity. Any organisation that wants to be protected against the most common cyber attacks should use the Cyber Essentials framework as the certification alone will act as a deterrent to cyber criminals. While beneficial for all, organisations who work with the UK government will also be required to have a Cyber Essentials certification.   

Advantages for organisations:

  • Ability to achieve a self-assessed certification (Cyber Essentials). 
  • Cyber Essentials Plus available – this ensures you have the Cyber Essentials controls in place through a hands-on technical verification. 
  • Cyber Essentials readiness toolkit available – this provides targeted guidance, specific to your organisation so you can create a personal action plan with guidance on how to meet the requirements of the certification.  
  • Certification reassures your customers and stakeholders that you are actively securing your infrastructure against cyber attacks. 
  • Clarity on your organisation’s cyber security posture and actionable advice and guidance to make improvements.  

2. Cyber Assessment Framework 

The Cyber Assessment Framework (CAF) was developed by the UK’s National Cyber Security Centre (NCSC) to help organisations responsible for some of the UK’s most critical services and activities strengthen their cyber resilience. It is an assessment of current cyber security and consists of a set of principles indicating what should be achieved by the organisation – rather than a step-by-step guide of how to achieve it. The CAF has four key objectives which provides organisations with more guidance as to what processes and systems should be in place, these are: 

  1. Managing security risk 
  2. Protecting against cyber attack 
  3. Detecting cyber security events* 
  4. Minimising the impact of cyber security incidents 

Who is it for? 

This framework was introduced as part of a programme to improve government cyber security and therefore is primarily applicable to government bodies and organisations like emergency services and defence. In addition, The CAF is also recommended for organisations that fall into three categories: organisations within the UK Critical National Infrastructure (CNI), organisations subject to Network and Information Systems (NIS) regulations, and organisations managing cyber-related risk to public safety. 

Advantages for organisations: 

  • Provides a systematic and comprehensive approach to assessing the extent of cyber risk management within your organisation. 
  • Provides guidance for sector-specific assessment.  
  • CAF guidance includes Indicators of Good Practice (IGPs) to assist with assessment.  
  • Achieving the outcomes of the framework principles will help to improve cyber resilience and increase awareness of the importance of effective risk management.  

*A security solution like MDR would be beneficial in supporting the detection of cyber security events. MDR supports organisations with a dedicated Security Operations Centre that monitors and manages risks 24/7. With 26% of public sector organisations having just one person responsible for their cyber security, this would be a great supplementary service for those organisations to support the objectives of this framework. Find out more about MDR from Brightsolid here. 

3. ISO/IEC 27001  

ISO/IEC 27001 is an internationally recognised framework that sets a standard for best-practice Information Security Management Systems (ISMS). It provides requirements for ISMS so organisations can effectively manage the controls and systems that will protect assets such as financial information, intellectual property, employee details and third-party information from threat and vulnerabilities. Made up of two sections, ISO/IEC 27001 is comprised of: 

  1. 11 sections defining the requirements for establishing, implementing and maintaining an ISMS.
  2. Annex A, which outlines a set of control objectives and general security controls, providing guidance on how to treat identified risks through a risk assessment process.  

Who is it for? 

This framework is for any organisation that chooses to implement its standards. It is not obligatory but ISO 27001 certification has already been achieved by over 33,000 organisations worldwide. Due to the focus of this framework being on best-practices for information security management, industries like telecommunications, finance and IT will benefit hugely from ISO/IEC 27001. 

Advantages for organisations 

  • Internationally recognised standard. 
  • Gives your organisation a recognised best-practice for protecting sensitive information. 
  • Certification highlights that your organisation follows information security best-practices which can be influential in securing new customers. 
  • Validates your cyber security program, demonstrating you have the right systems, processes and people in place to effectively manage cyber risk. 

To sum up, your organisation should be considering a range of frameworks, it doesn’t need to be one or the other. There are many available that can help to enhance your cyber security maturity – and many of them are complementary as well. Just remember that some will also be industry-specific frameworks with regulations that those organisations will be expected to adhere to. With the possibility of crossovers in guidance and controls it’s always best to review what frameworks are most suitable – and more importantly beneficial – for your organisation and its cyber security.