A number of standards, such as the EU GDPR, describe the level of cyber security an entity should have with the term “appropriate security”. Others say you need good cyber security or adequate cyber security. But what does this mean? How do you achieve it?
From an attacker’s perspective, good or appropriate cyber security makes it too hard to succeed in a cyber attack. So if we knew the details of every cyber attack, couldn’t we just protect against all of them?
The list of known attacks, exploits and vulnerabilities runs into the millions. This is too large to work from directly. We need a filtered list that identifies the patterns behind those attacks and maps them to a list of cyber security protections (controls).
The good news is that a group of over 100 people has already done this! They used their experience and their list of vulnerabilities to identify the patterns and the appropriate controls that could have prevented past attacks and that address known attacks. They built this into a standard called ISO27001.
Rather than re-invent the wheel, we can simply say that appropriate security is a budget- and risk-based implementation of ISO27001. The budget- and risk-based approach means you can accept skipping some things until you have the budget for them. There is no reason any company can’t be ISO27001 aligned with a budget- and risk-based approach.
There are other cyber security standards, but they were built for different reasons and with fewer contributors. I’d say stick with ISO27001 unless there is a very big reason not to.
Vertex helps companies achieve ISO27001 alignment and certification every day, so if you need some help with this approach, feel free to contact us.