CYBER ESSENTIALS MYTHCONCEPTION 7: Policy Controls are as Good as Technical Controls
This post in our series on Cyber Essentials "Mythconceptions" tackles the myth:
"You can achieve Cyber Essentials compliance just by writing compliant corporate policies."
Many organisations that do not have many technical controls in their environment to enforce the Cyber Essentials controls have attempted to compensate by writing corporate policies and providing training to act as equivalent controls. This was allowed in limited ways in the past, but because it is contrary to the spirit and intent of the Cyber Essentials scheme, it is no longer permitted.
There is, however, one specific area where corporate policies and training can be a compliant equivalent to technical controls. Organisations with fewer than 50 employees (i.e. Small and Micro organisations, according to the Cyber Essentials pricing scheme) that do not have a Mobile Device Management (MDM) solution can compensate for this lack of control by issuing compliant policies and training their employees on those policies. Mobile devices will still be assessed during a Cyber Essentials Plus assessment and must be compliant.
Organisations larger than 50 employees (i.e. Medium and Large organisations) are expected to implement and enforce technical mobile device controls as normal.
The intent of Cyber Essentials is to apply relevant and effective technical controls to combat the most common cyber attacks. It follows that these controls should be enforced technically and not left to human discretion.
Barrier's "Securely Compliant Tip" for Technical Controls
The following tips are offered as inspiration to help you devise a strategy for technical controls in your organisation for compliance and beyond:
There is probably a wide range of technical security controls already available through the systems and services you use. Explore those options, or bring in an expert, to find easy ways to become more secure and compliant.
For any questions, contact IASME: https://iasme.co.uk/contact-us for official Cyber Essentials queries,
or Barrier Networks: https://www.barriernetworks.com/contact-us to schedule a Cyber Essentials assessment or help with anything from the Tips.