
ISSA 5173 - A new draft information security standard for SMEs


In 2010 David Lacey, ISSA UK's Director of Research, presented to the ISSA on the need for good guidance and best practice on information security for Small and Medium Enterprises (SMEs) in the UK and beyond. His presentation reflected the experience and views of many ISSA members and was very well received. As a result, a working group comprising vendors, directors, consultants and advisors was set up within the ISSA to examine the issue and produce both a draft standard and accompanying guidance.


SMEs (businesses with 250 employees or fewer) make up 99% of UK businesses, yet they often regard security as a "grudge purchase" or assume that "information security does not apply to me". This attitude reflects the different outlooks of large corporates (long-term focus, driven by corporate policy and compliance) and small businesses (frugal spending, cash flow and the need to win new customers). Yet legislation such as the Data Protection Act applies just as much to an SME as to a large corporate in the UK, and any business that accepts payment by credit card also needs to consider PCI DSS compliance.


Even when an SME owner is inclined to do something about information security, where do they go for up-to-date guidance? There is a great deal of information available, but it is scattered across numerous websites; it is aimed primarily at large corporates or government bodies, where heavyweight processes and large volumes of paperwork are the norm; and it is often out of date and fails to address current threats and security issues.


The aims of the ISSA-5173 workgroup have therefore been:

  • To produce a draft standard for consultation with the SME and information security communities
  • To produce a free standard written in language that is easy to understand for SME owners, who will most likely have little or no IT experience
  • To provide best-practice documents on a number of areas, scaled appropriately for the SME
  • To address current threats and issues applicable to the SME

 

The ISSA-5173 workgroup comprises around 30 ISSA members, who have met over the last 12 months to develop a draft standard and best-practice guidance.

 

Our draft standard, launched on Thursday 10th March 2011, is available to download.


Over the coming months we encourage you to read the draft standard and send us your feedback at SMEsecurity@issa-uk.org. We will publish our findings in the summer.