The education sector is an industry that the Government is putting further pressure on to improve their cyber security measures. One prime example of this is how it was necessary for colleges to have Cyber Essentials for the 2020 – 2021 funding year. For the following funding year, they are then requesting colleges achieve Cyber Essentials Plus. While there has been no definitive timeline given yet, the ESFA has stated that the ultimate aim is to obtain ISO 27001.
The four certifications below work as a framework to help secure your institutes’ IT estate and provide a roadmap. A common misconception we have seen is that establishments believe that it is more cost effective to just gain one of the more complex certifications such as ISO 27001.
However, due to the focuses of the certifications differentiating, this can leave you open to basic vulnerabilities. We refer to the certifications as ‘stepping stones’. One analogy we thought you might like is that for someone wanting to get a degree, they start with GCSEs first and work their way up!
Step 1: Cyber Essentials
Cyber Essentials outlines 5 technical control themes that act as the foundations for your cyber security strategy. The 5 controls are: firewalls, secure configuration, user access control, malware protection and patch management. With these measures, the most common and low skilled cyber attacks are prevented. It is believed that these cyber attacks account for 80% of attacks that occur which shows how much of an impact Cyber Essentials can have.
Step 2: Cyber Essentials Plus
Cyber Essentials Plus is similar to Cyber Essentials, the difference is how they are performed. Cyber Essentials can be a ‘self-assessment’ which relies on going through a questionnaire. The reason for the use of the apostrophes is because many institutes prefer to use Certification Bodies, such as Data Connect, to advise you throughout the questionnaire process. With the Plus certification, a Certification Body must be involved as they will need to perform an audit. The process can differ slightly depending on the Certification Body. At Data Connect we use various tools and techniques so we can better prepare customers for the test and identify any gaps.
Step 3: IASME Governance
Like Cyber Essentials, you have the option between self-assessment and an audit. IASME Governance does include the standard Cyber Essentials certification because IASME Governance involves some of the same core controls. However, this certification focuses more on people and processes; IASME have stated that the other areas include risk assessment and management, monitoring, change management, training and managing people, backup, and incident response. This means that the institute will need to be able to show how they would respond and recover from a cyber-attack which is why this certification is further along the cyber security maturity scale. These additional controls provide third parties, including pupils or parents, the assurance and confidence that their sensitive data is handled securely.
Step 4: ISO 27001
We have heard a lot of contacts refer to ISO 27001 as a ‘minefield’ due to the complexity of the certification. The main premise around this certification is the organisation’s approach to risk. The first 3 certifications largely focus on the technical nature of your cyber security protocols. However, ISO 27001 ensures security becomes part of an education establishments’ culture and provides resilience from cyber threats.
A service we have delivered to multiple education establishments is a Cyber Security Assessment (CSA). Whether you have one small campus or a large school trust, the CSA is bespoke and utilises a strategic approach to improve security. We assess existing controls, make immediate security improvements by removing low hanging fruit and we produce a roadmap to help you move forward strategically. Due to Data Connect being a Certification Body for 3 of the certifications (Cyber Essentials, Cyber Essentials Plus and IASME Governance), we are able to perform a CSA at any point to help you move forward with your institutes’ maturity.
If you are interested in finding out more about the Cyber Security Assessment, please email firstname.lastname@example.org or call on 01423 425 498.