The Five Steps of the Cyber Security Ladder

Whilst there is an excessive amount of information for security standards available to both the public and private sectors, there is no guarantee that all the information will be relevant to your particular business sector. Xpertex’ security consultant, Dean Morgan, believes there is a “cyber-security ladder” that organisations should aim to climb, intending to maintain their position at its highest point. In his opinion, there are five steps to the cyber security ladder, so let us start at the bottom and work our way up:

Step one: Do nothing

In Morgan’s opinion, the idea of doing nothing until an issue arises is still prevalent within both the public and private sectors today. However, there may be a legal obligation to inform the relevant authorities when a data breach comes to light, which means that doing nothing once an issue has occurred may no longer be an option. Some organisations may wish to take ownership of all of their cyber risks; others may not have identified any risks at all. Morgan states that “newspapers and news outlets often report on these types of organisations, and very rarely cast them in a favourable light”. These companies might have chosen to ignore the steps of cyber assurance, or they may have been unaware of the steps they could take to stay protected. Whatever their reason, they should take action to resolve the issue. Nevertheless, Morgan believes that doing nothing must always be accepted as an option, as an organisation has the right to choose which steps it wishes to take, if any. If it chooses to do nothing, he feels it must first be informed of, and made aware of, the potential consequences of that decision.

Step two: Cyber Essentials

If a company does decide to act, attaining Cyber Essentials accreditation should be the first step for most UK companies. The scheme is a simple self-assessment with basic, yet effective, requirements that will help you to protect your organisation. Morgan suggests that although this is not the first step of the ladder, it is an indication of where your organisation will initially be placed in the context of cyber security, and of where you should be aiming for in the future. The definition of the word “essential” is “absolutely necessary”, and it is important to keep this in mind when referring to Cyber Essentials. Cyber Essentials is a standard that you should apply; however, it is only the foundation and will not, on its own, protect you from cyber threats.

Step three: Cyber Essentials Plus (CE+)

Cyber Essentials Plus (CE+) is the first part of the journey when climbing the cyber security ladder. The assessment criteria for CE+ are the same as those for the Cyber Essentials scheme above. However, additional requirements include a vulnerability assessment that covers outward-facing systems as well as internal infrastructure. Morgan explains that although “being CE+ is not a gold standard, it does demonstrate an organisation’s commitment to good cyber hygiene and will highlight areas of deficiency and improvement”. If this step is not taken, there is a significantly increased risk that the company would not be able to control and manage future cyber threats.

Step four: The ISO27000 family of information security standards

ISO27000 is a series of internationally recognised security standards that provide recommendations on information security management. The guidance it gives is strategic and supplies organisations with policies and procedures that should be embedded into business operations where relevant. With these in place, risks are managed through information security controls. It is relevant to organisations of all shapes and sizes and is deliberately broad in scope, covering IT, technical and cyber security issues, privacy and confidentiality. It actively encourages feedback and continuous assessment, which allows an organisation to respond to emerging vulnerabilities and threats. Furthermore, ISO27000 is easy for organisations to follow when responding to those vulnerabilities and threats.

Step five: NIST-800

NIST-800 is a US standards process that has a lot in common with the ISO27000 family; however, it also covers more of the technical aspects. This process is more precise than the ISO27000 series: where ISO27000 leaves questions such as “shall I?”, “should I?” and “may I?” open, this method sets out what action is permissible.

Both steps four and five are achievable by any organisation once they have engaged with an experienced cyber consultancy to guide them on their journey up the cyber-security ladder. Morgan says that without quality management of all the processes above, cyber assurance will always be a struggle to implement correctly.

Xpertex has a team of experts, led by Morgan, who are on hand to help you to understand what it takes to climb the cyber-security ladder with guidance every step of the way. To learn more about this subject, visit and send an enquiry to our team today.
