Photo of Luke Peach

Luke Peach

Training Team Leader

3rd December 2021

Getting started with compliance

For a lot of companies, ‘getting compliant’ with something in cybersecurity or data protection usually means people’s eyes roll. It’s often believed that it will take time, money and resource to cover the ‘what if’ scenarios that may or may not ever happen. We’re not denying that this is pretty much the truth – but it can also lead to new business opportunities, protecting your business from data breaches, better technology adoption and an increase in your brand reputation with both customers and other businesses alike. So, it’s not all bad.

Now we know why compliance is important beyond the box checking, the other question to tackle is where do you start? There’s all sorts of numbers, acronyms and standards out there and it can be hard to get a clear projection path. Fear not though and allow me to introduce you to my ‘Ladder of Compliance’.

First Step – Tackling the GDPR

What’s the GDPR?

The General Data Protection Regulation is a set of data protection rules concerning the privacy of personal data. Its goals are to validate an individual’s rights, establish how personal data is collected, handled and processed by businesses to enhance privacy, and to give data subjects more rights over what can and cannot be done with their personal data.

Why start with the GDPR?

GDPR compliance is a lot easier if you start it early, so that’s why I put it as the first step. If you embed GDPR compliant processes into your business, it can help you work towards achieving all the standards that come after. It will also save you having to go back to make existing processes GDPR compliant, a process that can be met with internal resistance and general difficulties. To get started, it helps to address these 3 things:

Records of Processing

Article 30 of the GDPR requires companies to hold a formal document with an overview of the company’s data processing activities around personal data. Records of processing activities (ROPA) should include data processing information, data categories, data subjects, the purpose of processing that data and its data recipients.

Data Breach Processes

The GDPR requires organizations to report personal data breaches to the relevant supervisory authority within 72 hours of discovering a data breach. A simple checklist can help businesses formulate an incident response plan and document actions taken since discovering a breach. This should contain key information such as the date and time of discovering the breach, finding out what types of data have been jeopardized, how many records have been affected, who needs to be notified, and how many individuals will the data breach impact.

Data Protection Impact Assessments

A process to help organizations identify and minimize data protection risks. A DPIA must describe the nature of the data processing, its necessity and compliance measures, assess possible risks to individuals and how those risks could be minimized.

Second Step – Start small, with Cyber Essentials (Basic)

What’s Cyber Essentials?

Cyber Essentials is a self-assessment questionnaire that can also be used as a cybersecurity checklist. It focuses on the five basic elements of cybersecurity:

  • Passwords
  • Patch Management
  • Access control
  • Anti-virus
  • Secure configuration

Why is Cyber Essentials an important step?

Achieving Cyber Essentials not only opens up working with government-based businesses, but it also allows you to demonstrate to customers that you take cybersecurity seriously. By going through the certification process, you begin documenting and thinking about the control of the data and devices in use throughout your business. In comparison to other security controls, it’s relatively cheap to undertake Cyber Essentials, and you can even get a copy of the assessment in advance so you can see what you’re in for.

Third Step – Take Cyber Essentials ‘one step’ further – see what I did there

What’s Cyber Essentials Plus?

Cyber Essentials Basic is a self-assessment which means not a lot of evidence or checks are carried out to validate your answers. It’s why the Basic scheme is fairly cheap to obtain and why some contracts/customers of yours may not deem it enough to satisfy their security controls. For that reason, Cyber Essentials Plus exists.

Why Cyber Essentials Plus?

It involves an assessor scanning networks and workstations as well as stress testing devices with anti-malware related tests. Essentially, they are validating that the basic assessment wasn’t a pack of fibs! Quick facts about Cyber Essentials Plus: you must achieve Cyber Essentials Basic first, and you can only achieve Plus within 90 days of achieving the basic version. There’s a little more to it, so feel free to check out our Cyber Essentials/Plus offerings and get in touch if you have any questions.

Step four – It is more of a jump than a step – ISO 27001

What is ISO 27001?

ISO 27001 is the daddy of Information Security standards. It contains 114 controls (controls are basically ‘things you must do/demonstrate’) focusing on the Confidentiality, Integrity and Availability of data.

Why is ISO 27001 Important?

It requires a lot of documentation, investment, and dedication, but it is proven that organizations that achieve ISO are far less likely to suffer a data breach and if they do, they are far more equipped and ready to handle the situation. A quick look up suggests that only 1,523 UK businesses have and continue to achieve ISO 27001, which in the grand scheme of things, is a relatively small number. So, achieving this standard will put you in an elite bracket of businesses. Of those businesses that are ISO 27001 compliant, most of them are small-micro sized firms, which shows the bigger you are, the harder it can be to implement.

Step five – Get dates in diaries!

Except for the GDPR (which should be subject to continuous internal audits and work), the rest of these standards need to be maintained on an annual basis. Why? Because a lot can change in 12 months. Systems can go out of date, processes can change, companies shrink and grow, and new threats come out every day. The standards themselves also get regularly reviewed and you may find (particularly in Cyber Essentials) that the questions you were asked last year, are not the same you’re asked this year – or a requirement may have changed.

The ladder can get a little longer if you start looking at ISO 9001, PCI compliance, HIPAA (Health Insurance Portability and Accountability Act) or even PECR (Privacy and Electronic Communications Regulations) as well, but wherever you are on your ladder of compliance, get in touch with us here at Bulletproof. We can help no matter what step you find yourself on!

Affordable SMB cybersecurity with Defense.com

Try all these security quick wins and more with Defense.com™. Start a free trial today!