Proving your business is cyber-secure

Having established a cyber security policy, you and quite possibly your customers and suppliers will want to be sure it works.

You can be audited against your policy, either by yourself or an independent person or organization (this is called certification). If you audit yourself it is called a ‘declaration of conformity’ or ‘self-certification’. If a customer audits you, they can award an inspection certificate (i.e. a declaration that their specified requirements have been met).

Even if you were shown to meet your cyber security policy on the day of auditing, that does not mean you had effective cyber security beforehand or that you will still have effective security in the future. For longer-term confidence, you need an information security management system (ISMS), however rudimentary, which gives you ongoing feedback on how well your security controls are working now and as your business changes.

If you don’t think you want or need a formal information security management system, you can still perform a gap analysis to identify shortcomings in your current cyber security provisions.

Certification standards

BS ISO/IEC 27001 is the most widely used standard for cyber security certification (according to a survey conducted by ISO in 2011, more than 17,500 businesses had an ISMS certified against ISO/IEC 27001). There are many recognised Certification Bodies whose 27001 audit certificates are accepted internationally.

As identified on our standards for managing cyber security page, there are other cyber security standards that can be used for certification or self-certification. In many cases the organizations or consortia sponsoring those standards also provide auditing and certification services. For example, there are certification schemes to support the Government’s Cyber Essentials initiative.