by Mark Hurley – Managing Director, Spector
With GDPR just around the corner, it’s clear that implementing robust security policies will be essential for every business. Cybersecurity is an ongoing concern for companies everywhere, from SMEs to large multinational corporations. Ensuring your IT environment is secure is important not only for the protection of your own sensitive data but also because of the potential impact on clients and suppliers.
I was pleased to be able to get an insider’s perspective on what the future of cybersecurity will look like when I interviewed the CEO of Certification Europe, Michael Brophy. He has a longstanding career in all matters of international standards and compliance and is considered a leading expert on standardisation in Ireland. Michael has served as an authority on data security for numerous EU Commission committees and was closely involved in the development of electronic signature standardisation.
During our chat, we discussed Cyber Essentials and ISO/IEC 27000, ‘self-assessment’ certificates, the impact such certifications have on GDPR compliance and what the future of Certification Europe will look like.
Mark Hurley and Michael Brophy
Mark Hurley: Hi Michael. Welcome to Spector! We cross paths once again. Many thanks for your help with the set-up of our ISO/IEC 27001 certification. Today we have a few questions for you around cybersecurity…
When we look at Cyber Essentials, for example, we approach it from a security policies foundation. The policies and evidence we gather around these policies are what we submit, with the guidance of your team, to Cyber Essentials for our SME clients. But cybersecurity is a continuous event, rather than a single event. I’m wondering, how do you see this approach changing in the future?
That’s right, Cyber Essentials and ISO/IEC 27001 approach cybersecurity as a journey, not a destination. It’s the start of the process, which has to be maintained. But at least now we have a reference point. For 27001, Cyber Essentials provides a marker. It is a grid reference point.
If you are a hard-pressed managing director and you have no internal IT support, the worry is knowing just how exposed you are. How do you determine how good your security is? This is why it’s good to have the likes of Cyber Essentials for peace of mind. They can tell you whether you are doing it right or not; if you’re not, at least you’ll have the resources at hand to quickly get on top of it.
MH: How do people come to you? Do they get in contact directly looking for training or management in cybersecurity, or do they come through managed IT service providers such as Spector?
There are two main ways.
We deal with about a thousand organisations around the world, most of which are SMEs in Ireland. Often, they will have encountered other standards to which they have had to adhere, such as quality or environmental standards, so they are already members of our client base.
The second route to us is very much via companies such as Spector. They are questioning what they should be doing and are now looking for a reference point to anchor this process. Cyber Essentials seems to be the main reference point for SMEs in Ireland.
MH: When we began looking at Cyber Essentials, in particular in the UK, we saw it as a crest that displayed our cybersecurity standards as certified by Europe. When we applied for the certificate, it was a stringent process, but now there is the option of the ‘self-assessment’, which would seem to devalue it. Would you agree with this?
I agree. In general, the idea of self-certification or self-approval is always somewhat lacking. It will always be open to question because it essentially comes down to the company stating ‘We are great!’ Well, who says so? ‘We do!’ That will always be contentious.
Whereas, in the case of an independent assessment, people tend to feel a lot more certain that the security standards are up to scratch.
MH: Regarding the gap between a Cyber Essentials certification and moving up the ranks to ISO/IEC 27001, is this about the size of the company, or something else?
Certainly, ISO/IEC 27001 is a step up. The reason some companies start at this level of certification and others work up from Cyber Essentials might be because of size. Particularly if you’re a large company in the tech sector or financial sector, you would be looking at going straight for ISO/IEC 27001.
Also, it has to do with the type of customers you deal with. Major drivers are customer expectation and supplier-side pressure. It could be that the companies you work with simply expect you to have ISO/IEC 27001. In certain sectors, it is virtually mandatory, especially for data centre hosting, online hosting or cloud-based services.
On the other hand, SMEs that are simply wondering if their security is up to standard and whether they are leaving themselves exposed, tend to go for Cyber Essentials.
MH: We’ve found that the ISO/IEC 27000 series seems to go a very long way when it comes to GDPR compliance. Do you find people are taking this route because of GDPR?
I think you’re spot on. We find that clients who have had ISO/IEC 27000 (especially for a few years, as they are quite mature systems) not only experience a cultural change within the company but also gain a framework that can be used for things other than IT security.
For these companies, GDPR is a natural progression as there are a lot of areas they will already be able to tick the box for. Of course, some elements are very specific to GDPR and will still need attention, but our ISO/IEC 27000 clients say that they have 75%-80% of the compliance already done, so they are just making up that 20% difference to be assured they have met the requirements.
MH: Is Certification Europe providing any services to fill that gap?
That’s a good question and very pertinent at the moment. It’s a case of watch this space! Once GDPR comes into effect in May, one of the first things we can expect is that the EU will make a pronouncement on what certification schemes are recognised. I think it is unlikely they will say that any sort of certification is compliant. But what we have seen in other fields is that certification will be given due recognition, particularly from a risk point of view.
One could assume that when the Data Protection Commissioner or the Information Commissioner’s Office are looking at organisations to possibly audit, and assessing risk profiles they need to regulate, companies that have voluntarily sought certification will be further down their lists.
MH: How much interest is there about GDPR from your current client base?
At the moment, the clamour is getting louder and louder! What’s interesting is that there are already moves for potential certification schemes. There is a standalone management system, called ISO 10012, which is especially for data privacy. It is a standalone standard, so you can go for it without previous certifications.
Another interesting development is a current working document called 27225, which is a bolt-on to the 27000 world series. It’s still in draft format but is specifically about managing the privacy of information. For a company that already has 27001, rather than going for another certification which sits in isolation, this will allow you to build on to 27001 and bring in data privacy requirements – in line with GDPR. It will be an integrated management system. I’d say a lot of 27001 clients will be keen to look at this in the future.
MH: My final question is, what does the future look like for Certification Europe?
In a general sense, I think independent verification is going as a business. Information security continues to grow in importance. In many sectors, it is now mandatory. Clients are aware that this is a crucial question to ask of providers and vendors, and they know to question the standards that are in place. That’s why certifications such as ISO/IEC 27000 matter and will continue to grow.
There are three areas that we are focusing on. They may be two, three, four years down the line, but sectors such as artificial intelligence, blockchain technology (it will be very interesting when it moves out of the financial services sector) and the fintech sector are developing rapidly. They haven’t reached our purview yet, but soon enough there will be new discussions to be had around acceptable standards and certifications. It’s something we are already preparing for and will be a fascinating area of development.
MH: Fascinating stuff! Thanks very much for your time, Michael. We look forward to working with you into the future.
[Featured image shows (l-r) Aaron Nolan and Mark Hurley of Spector, with Michael Brophy, CEO of Certification Europe]