What are some issues with ensuring compliance with policy?
- Lack of awareness or training
- Inconsistent enforcement
- Complex or unclear policies
- Limited management support
- Resource constraints
- Rapid technological change
- Poor communication and reporting
These issues can hinder effective compliance and create gaps in adherence.
What are the advantages of the ISO/IEC 27000 Series for small businesses?
- Structured and internationally recognized approach to information security
- Certification (ISO/IEC 27001) enhances credibility
- Clear, prescriptive controls guide implementation
These advantages help small businesses establish a solid foundation in information security.
What are the disadvantages of the ISO/IEC 27000 Series for small businesses?
- High cost and resource burden
- Documentation and audit requirements may be too complex
- Less flexibility, may feel overly formal
These disadvantages can deter small businesses from pursuing certification.
What are the advantages of the NIST Cybersecurity Framework (CSF 2.0) for small businesses?
- Free and flexible
- Easy to adapt proportionally to organizational risk
- Focus on governance, supply chain, and resilience
These advantages make it accessible for small businesses to implement cybersecurity measures.
What are the disadvantages of the NIST Cybersecurity Framework (CSF 2.0) for small businesses?
- Lacks certification, may offer less assurance
- Requires in-house expertise
- May feel too broad or abstract without guidance
These disadvantages can limit its effectiveness for small organizations.
What are the advantages of Cyber Essentials for small businesses?
- Low-cost entry point to cybersecurity best practices
- Simple checklist for easy implementation
- Boosts customer trust and credibility
- Reduces risk from common cyberattacks
These advantages help small businesses establish basic cybersecurity measures.
What are the disadvantages of Cyber Essentials for small businesses?
- Only covers basic technical controls
- No guarantee against sophisticated attacks
- May give a false sense of full security compliance
These disadvantages highlight the limitations of the framework.
What is the importance of standards and frameworks in cybersecurity?
- Provide common processes and best practices
- Help deploy security controls in context
- Enable certification
- Support transition to an Information Security Management System (ISMS)
Standards and frameworks are essential for establishing effective cybersecurity practices.
What are the key frameworks covered in the document?
- ISO/IEC 27000 series
- NIST Cybersecurity Framework
- UK Cyber Essentials
These frameworks provide structured approaches to cybersecurity.
What does the ISO/IEC 27002 provide?
- 93 information security controls across four categories:
- Organizational
- People
- Physical
- Technological
These controls guide organizations in implementing effective security measures.
What are the types of controls included in ISO/IEC 27002?
- Preventative
- Detective
- Corrective
These types of controls focus on maintaining confidentiality, integrity, and availability.
What is the focus of the NIST Cybersecurity Framework 2.0?
- Governance and supply chain security
- Comprehensive and scalable for complex architectures
- Continuous improvement and integration with ERM
This framework is designed to enhance organizational cybersecurity resilience.
What are the five primary controls of UK Cyber Essentials?
- Firewalls and routers
- Secure configuration
- Security updates
- User access control
- Malware protection
These controls form the baseline for cybersecurity in the UK.
What is required for a security policy to be effective?
- Approved, published, communicated, and reviewed regularly
- Reflects business strategy and legal requirements
- Supported by topic-specific policies
- Distinct from procedures
- Interlinked, owned, and accepted
A well-structured security policy is crucial for effective security management.
What are the categories of organizational controls?
- Security policies
- Roles and responsibilities
- Segregation of duties
- Supplier agreements
- Compliance with privacy laws
- Information classification
These controls help establish a secure organizational framework.
What do people controls emphasize?
- Terms and conditions of employment related to security
- Manage remote working security
- Awareness programs
- Mechanisms for reporting security incidents
These controls focus on the human aspect of security management.
What are the key aspects of physical controls?
- Secure work locations
- Asset and equipment protection
- Infrastructure security
- Environmental threat protection
These controls help safeguard physical assets and personnel.
What do technological controls include?
- Access rights management
- Network service security
- Secure system engineering principles
- Vulnerability management and prevention
These controls focus on the technological aspects of security.
What is the purpose of an ISMS?
- Manage security through best practice and measurement
- Align security objectives with organizational risk ownership
- Requires dynamic and resilient systematisation
An ISMS is essential for effective security management in organizations.
