How to consult very small businesses ...without straining their resources.

Written by

Aron Lange

Published

Mar 15, 2024

Maybe you know somebody who owns and runs a successful little business. This business probably has around 50 employees, but most of them do not need access to information or IT systems.

Now, let's say this person seeks your help in understanding and improving the security posture of their business.

The task is now up to you, but how do you approach such a client?

Let's consider a scenario where the business operates outside of highly regulated sectors like finance, aerospace, or defense. This context often means that the business doesn't face the stringent compliance requirements that come with such industries, potentially reducing the immediate pressure to implement complex security standards.

Very small businesses (VSBs) often operate with limited resources, both in terms of financial capital and IT expertise. Adopting and implementing an extensive framework such as ISO/IEC 27001 would be overkill. The challenge, therefore, lies in finding a balanced approach that secures the business effectively without straining its resources.

The Solution: DIN SPEC 27076:2023-05

Recognising this gap, a group of German industry experts has released a new FREE standard called DIN SPEC 27076:2023-05. This standard is specifically designed for small and micro enterprises, acknowledging their unique constraints and security needs. It presents a streamlined process for improving IT security that is both achievable and sustainable for VSBs.

Unlike more comprehensive standards, DIN SPEC 27076 focuses on the most critical aspects of IT security, ensuring that even businesses with minimal resources can understand and improve their security posture.

You can find a link to this FREE standard at the end of this article. Please note that it’s in German, but translating it into your preferred language should be no big deal.

The Consultation Process

DIN SPEC 27076:2023-05 outlines a precise, four-step consultation process. This process is designed to be accessible and manageable for very small businesses (VSBs), ensuring that improvements to their security posture are both significant and sustainable.

Here’s an overview of each step in the consultation process:

1. Initial Information Session

Objective: To lay the groundwork for the security consultation by establishing a shared understanding of the business's current cybersecurity state and the scope of the consultation process.

  • Activities:

    • Introduction to the importance of cybersecurity for the VSB.

    • Discussion of the business's specific context, including any existing cybersecurity measures and perceived vulnerabilities.

    • Overview of the consultation process, expectations, and outcomes.

2. Conducting Current State Assessment

Objective: To systematically identify and assess the business's current cybersecurity practices, vulnerabilities, and threats.

  • Activities:

    • Detailed discussion and assessment of the business’s current cybersecurity measures, practices, and procedures.

    • Identification of existing vulnerabilities and potential threats using a predefined set of criteria tailored for VSBs.

    • Engagement with key stakeholders to ensure a comprehensive understanding of the business’s cybersecurity landscape.

3. Evaluation and Report Generation

Objective: To analyze the information gathered during the assessment phase and develop a detailed report with findings and recommendations.

  • Activities:

    • Analysis of the assessment data to evaluate the business's cybersecurity risks and vulnerabilities.

    • Development of a prioritized list of recommendations for addressing identified security gaps, tailored to the business’s specific needs and capabilities.

    • Preparation of a comprehensive report detailing the assessment findings, recommendations, and actionable steps for improvement.

4. Presentation of the Report and Recommendations

Objective: To review the findings and recommendations with the business, emphasizing actionable steps for enhancing cybersecurity.

  • Activities:

    • Presentation of the results report to the business’s key stakeholders, highlighting critical vulnerabilities and recommended actions.

    • Discussion of the proposed cybersecurity enhancements, including practical steps for implementation and prioritization of actions based on the business’s resources and capabilities.

    • Guidance on how to implement the recommendations, including potential resources, tools, and strategies for achieving improved cybersecurity.

This structured, four-step approach ensures that VSBs are provided with clear, actionable guidance tailored to their unique operational and resource constraints. By following these steps, VSBs can make significant strides in bolstering their cybersecurity defenses, enhancing their resilience against digital threats in a manner that is both achievable and sustainable.


Requirements Catalogue

Besides the consultation process DIN SPEC 27076:2023-05 also contains a requirements catalogue that provides further guidance on how to assess the current state and derive recommendations for improvement.

The requirements are categorised into six domains:

  1. Organization & Awareness: This domain emphasizes the importance of cybersecurity within the organizational structure and the need for awareness among all members. It addresses the establishment of security policies, the designation of security responsibilities, and the promotion of a security-conscious culture.

  2. Identity and Access Management: It focuses on ensuring that only authorized individuals have access to information systems and data. This domain covers user account management, access controls, and the management of special access privileges.

  3. Data Backup: This area deals with the strategies and practices for backing up critical data. It includes the frequency of backups, the security of backup data, and the ability to recover data in the event of a loss or breach.

  4. Patch and Change Management: This domain emphasizes the importance of keeping systems up to date with the latest security patches and managing changes to systems and software in a controlled manner to avoid introducing new vulnerabilities.

  5. Protection Against Malware: It focuses on measures to protect against malware infections, including antivirus solutions, firewalls, and email filtering systems.

  6. IT Systems and Networks: This domain covers the security of the organization’s IT infrastructure, including network security measures, the security of servers and endpoints, and the protection of communications.

Result Calculation

The assessment results are calculated based on the VSB’s compliance with the specific requirements outlined in each domain. Here’s how to calculate the results:

  • Assessment Against Requirements: Each domain comprises a set of specific requirements that the VSB is assessed against. The assessment involves evaluating the current practices, policies, and controls of the VSB in relation to each requirement.

  • Scoring: The VSB receives points for each requirement based on compliance. Full points are awarded for complete compliance, no points for non-compliance. There is nothing in between. Some domains may include "TOP" requirements, which are considered critical and may have a higher point value or impact on the overall assessment score.

  • Result Compilation: The total score is compiled from the points awarded across all domains. This score reflects the VSB’s overall cybersecurity posture, identifying strengths and highlighting areas requiring improvement.

  • Recommendations: Based on the scoring and specific areas of non-compliance, tailored recommendations are provided for each domain. These recommendations prioritize critical areas identified during the assessment, guiding the VSB on where to focus their improvement efforts.
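As an added illustration (not part of DIN SPEC 27076 or of this article), the following scorer implements the all-or-nothing scheme described above: full points or zero per requirement, an assumed higher weight for TOP items, compilation per domain and in total, and a gap list that puts TOP items first. The requirement wording and point values are constructed placeholders; the real catalogue and its weights are in the standard itself.

```python
# Added example (not from DIN SPEC 27076 or the article): the all-or-nothing
# scoring described above. Point values and requirement wording are assumed.
from dataclasses import dataclass

POINTS_STANDARD = 1   # assumed weight for an ordinary requirement
POINTS_TOP = 3        # assumed higher weight for a "TOP" requirement


@dataclass(frozen=True)
class Requirement:
    domain: str          # one of the six catalogue domains
    text: str            # constructed wording, not the catalogue's own
    top: bool = False    # TOP requirements carry more weight

    @property
    def points(self) -> int:
        return POINTS_TOP if self.top else POINTS_STANDARD


# Constructed sample catalogue; the real one is in the (German) standard.
CATALOGUE = [
    Requirement("Organization & Awareness", "A person is responsible for IT security", top=True),
    Requirement("Organization & Awareness", "Staff receive security awareness briefings"),
    Requirement("Identity and Access Management", "Admin rights limited to named admins", top=True),
    Requirement("Identity and Access Management", "No shared user accounts are in use"),
    Requirement("Data Backup", "Backups are regular and kept offline", top=True),
    Requirement("Data Backup", "A restore from backup has been tested"),
    Requirement("Patch and Change Management", "Security updates are installed promptly", top=True),
    Requirement("Protection Against Malware", "Endpoints run current malware protection"),
    Requirement("IT Systems and Networks", "Internet-facing systems sit behind a firewall"),
]


def score(catalogue, answers):
    """Return ({domain: (achieved, possible)}, total, maximum); full points if
    compliant, else zero. An unanswered requirement counts as non-compliant."""
    by_domain = {}
    for req in catalogue:
        got = req.points if answers.get(req.text, False) else 0
        achieved, possible = by_domain.get(req.domain, (0, 0))
        by_domain[req.domain] = (achieved + got, possible + req.points)
    total = sum(a for a, _ in by_domain.values())
    maximum = sum(p for _, p in by_domain.values())
    return by_domain, total, maximum


def recommendations(catalogue, answers):
    """Non-compliant requirements, TOP items first, then in catalogue order."""
    gaps = [r for r in catalogue if not answers.get(r.text, False)]
    return sorted(gaps, key=lambda r: (not r.top, catalogue.index(r)))
```

Treating an unanswered requirement as non-compliant matters in practice: a gap the owner forgot to mention still shows up in the recommendations instead of silently inflating the score.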

Here is what the requirements catalogue looks like. Yes, it’s in German, but as I said the standard is free and it should be no big deal to translate it into your language.

