Security Standards comparison & GDPR
Until 2011 the only established Security standard that businesses and organisations could adopt or align to was ISO 27001 and because the cost of not only implementation but also maintenance the standard was not taken up in great numbers by SMEs and even by many larger organisations.
The lack of accessible standards has now been addressed with the launch of IASME in 2011 and Cyber Essentials in 2014. Both standards are accessible from a cost and implementation perspective.
The chart belows shows how each of the three standards cover the business and organisational permutations that generally exist.
The details below give a generalised view of the costs involved.
- Cyber Essentials (Annual assessment) - Online assessment - £300.00
- (To sign up and get started use www.cyberstrategies.co.uk/assessment-login )
- Plus testing & assessment - £1,000 - £5,000 (depends upon scope)
- IASME (Annual review – 3 year external audit)
- Audited option varies depending on organisation size - £3,000-15,000
- ISO 27001:2013 & PCI:DSS (Internal audit & 3 year external audit)
- Varies greatly and dependent upon scope involved
- Minimum investment - £10,000
It is likely that the largest expense will be getting prepared for the assessments or audits in each case which may include technology changes as well as changing established processes.
The table below provides a comparison by requirements of the Security Standards noted above and also includes those required by the EU General Data Protection Regulation (GDPR).
The comparison cannot be made without understanding the different approaches required by the standards. Cyber Essentials has prescribed requirements which are required to met and thus, achieving the Standard is either a Yes or No. The remaining Standards and GDPR are all based around the perception of risk that exists within the business. The risk assessments will determine the nature of the security management system required by the business and which will be determined by the structure requirements of each standard/regulation to be introduced.