The Information Systems Security Association (ISSA) has published what it says is the first ever guide to best security practice for SMEs, a sector normally seen as beyond the reach of security standards.
Published under the title ‘ISSA-UK 5173’ as the work of 30 expert volunteers in the UK, the draft version is in essence a simpler, SME-oriented and free alternative to the heavyweight and inaccessible standards such as ISO/IEC 27001 that will be familiar to enterprise professionals the world over.
According to the ISSA, the problem with that kind of standard is that it reads like a jumble of meaningless abstractions to smaller businesses. Companies ranging in size from a handful of people to a few hundred have traditionally had nowhere to go to assess the security issues in play, let alone to work out how these might apply to their own operations.
This is despite the fact that small businesses have many of the same problems to worry about, including, in the UK, the feared Data Protection Act, the Computer Misuse Act, and card-processing standards such as PCI DSS. The demands are enormous.
“They have the same risks as everyone else,” says ISSA member and standard co-author David Lacey of the place of SMEs in the economy. “They are part of the same critical infrastructure.”
The 5173 document is divided into three strands, micro, small and medium, corresponding to business size. An interesting quality of the first draft is the simplicity of its language. Some of the concepts it tackles will be familiar to IT professionals, but this document is also one that could be understood by business owners.
Why call it '5173'? According to Lacey, this has no deeper meaning beyond simply approximating the letters 'SME' in number form.
Lacey compares the ISSA offering to efforts elsewhere in the UK to create an ‘ISO 27001 lite’, which he believes is over-ambitious. The ISSA’s approach has been to start again from scratch, Lacey said.
The ISSA is, however, looking at producing some guidelines to help SMEs on the fringes of ISO 27001 – for instance those selling to larger companies that must demonstrate supply-chain compliance – on how to relate its demands to their own businesses.
Feedback on the document is encouraged. Over the next year, Lacey sees the 5173 draft being refined into a set of tailored guidelines for different sectors. This will probably mean that security professionals, bodies, chambers of commerce, and professional groups used by SMEs, such as lawyers and banks, will be needed to promote it as a starting point for security practice.