Welcome to this week's Black Arrow Cyber Tip Tuesday, this week Tony is talking about different cyber frameworks and standards and the different strengths and weaknesses between them.

If a firm was to try to start thinking about all the things they need to cover when it comes to cyber and information security it would take a long time and very likely key components would be missed. The hard work or at least some of the hard work, has been done for you through a number of different frameworks and standards, which, to varying degrees, cover off all the things a firm needs to think about.

The first and probably the most well known on the Island is the Cyber Essentials or Cyber Essentials Plus scheme, it is backed by the British Government and is intended to the first step on a journey into cyber maturity, rather than being the destination.

It only covers basic technical controls and crucially falls short of the expectations being set by the GFSC in the new cyber rules.

When I conducted the cyber thematic review for the GFSC it was clear that the majority of firms were gapped when it came to monitoring and detection, if you have no visibility of what is going on against your network, you can’t see attacks that are happening, or have happened, and you are blissfully none the wiser.

The takes me on to the second framework, NIST, an international standard and the most widely used amongst firms further along their cyber maturity journey, and certainly the most widely used across larger and multinational organisations.

Adherence or compliance with the NIST standard is at the core of the new GFSC Cyber rules and the GFSC will be looking for evidence that regulated firms are covering off the 5 pillars of NIST Identify > Protect > Detect > Respond > Recover.

Covering all of these areas will provide firms with much better visibility and oversight than many firms currently have in place.

The third standard here is ISO27001 and this standard is often considered to be the gold standard and one that few firms on the Island have achieved because attaining the accreditation does require more of an investment both in time and in some of the processes and the things you need to have in place to support the different policies.

This is all about increasing the maturity and capability of firms in the hopes that nothing bad happens to them.

Many firms unfortunately do not recover from a significant cyber incident, and that incudes some very large firms as well as many smaller firms. Even if the firm does survive it will very often cost a lot more to recover than it would have cost to prevent the problem from happening in the first place.

We can help any firms that want to explore their options when it comes to looking at which of these are best for them and where they are on their journey.