Following on from my last blog, “Preparing your pharmaceutical company for GDPR: Just what is an ‘appropriate’ level of IT security?”, and with less than a month until GDPR comes into force, many of our contacts at pharmaceutical companies have been asking me whether GDPR requires them to attain the government’s Cyber Essentials certification.
For those who are not aware, Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber-attacks. Whilst it by no means protects against every possible threat, the Cyber Essentials scheme does provide a framework for good practice around cyber security, covering five technical controls:
- Secure Configuration – setting up systems securely
- Boundary Firewalls – preventing unauthorised external access
- Access Control Management – restricting authorised access to the level needed
- Patch Management – keeping systems up to date with security fixes
- Malware Protection – protecting against threats like ransomware
As such, there is no legal obligation under GDPR to attain Cyber Essentials certification; however, many pharmaceutical companies we work with are choosing to implement Cyber Essentials for a number of reasons:
- To demonstrate to the ICO that they have basic security controls in place, as per the established framework that Cyber Essentials lays down. Indeed, the ICO has suggested in its checklist guidance document on the GDPR security principle, a copy of which can be found here, that putting in place security controls in line with Cyber Essentials or a similar framework would be a good starting point.
- To demonstrate to clients and prospective clients that they have taken the necessary precautions to minimise cyber security risks.
- To demonstrate MHRA and (where applicable) HIPAA compliance around data security, integrity and availability.
- To reduce risk and therefore benefit from reduced insurance premiums.
- To be able to bid for government contracts that involve the handling of certain sensitive and personal information.
I hope this has given you a useful insight into the relationship between Cyber Essentials certification and the GDPR security principle. Should you need help with assessing your current level of security in readiness for GDPR, or you would like a ready-made Cyber Essentials compliant security solution, please do not hesitate to contact me on (01494) 444065 or email gswanwick@epoq-it.co.uk, and I will be happy to arrange a no-obligation conference call to discuss ways that Epoq IT can help.
For more information about our GDPR services please visit https://www.epoq-it.co.uk/gdpr/
For more information about Epoq IT’s MySecurity service, a suite of technologies and procedures able to fulfil all five key controls needed for Cyber Essentials certification, please go to https://www.epoq-it.co.uk/service-and-support/mysecurity/
This blog forms part of our series of informational resources for senior pharmaceutical professionals. To read more articles, please visit my blog, IT in Pharmaceuticals.
For more information about Epoq IT’s services for pharmaceuticals, please visit our website.