The five core principles (Identify, Protect, Detect, Respond & Recover) that the GFSC outlines are most often associated with the NIST* framework but ISO 27001 and the IASME Governance Standard** are broadly equivalent.
Many companies in Guernsey and Jersey now hold Cyber Essentials accreditation, which assures compliance with many of the technical elements required by the GFSC, but, as the GFSC correctly states, this certification alone will not result in full compliance.
The goals of NIST, ISO 27001 and IASME Governance are the same, with the emphasis on identifying, evaluating and managing the acceptable risks to information systems. All three frameworks require an Information Security Management System (ISMS).
The GFSC states that “accreditation alone is unlikely to result in full compliance”, and from a technical perspective this is correct. Robust cyber security requires an ISMS built on three pillars: people, processes and technology. An ISMS developed in accordance with the IASME Governance Standard, and which also incorporates technical controls, can and will demonstrate compliance with the Cyber Security Rules published by the GFSC.
The new requirements are extensive and far-reaching, and it would be no exaggeration to say that many, or most, licensed institutions do not currently comply with the new Cyber Security Rules.
Cyber Security Rules, 2021
Cyber Rules and Guidance, 2021
How can Clarity help?
We can help your business by undertaking Cyber Essentials Plus audits, or simply by providing consultation based on either the Cyber Essentials Plus or the IASME Governance standard, delivered by our IASME-accredited personnel.
We can also help you develop an ISMS; in doing so, and by gaining the IASME Governance Standard, you will be able to clearly demonstrate compliance with the requirements of the newly released Cyber Security Rules.
*National Institute of Standards and Technology – part of the United States Department of Commerce.
** The IASME Governance standard was developed over several years during a UK Government funded project to create a cyber-security standard which would be an affordable and achievable alternative to the international standard, ISO 27001.