This is not how it works. You do not collect certificates.
- being certified does not mean you are safe
- customers only care about the certificates they care about
The "best" certification is the one that best serves your business objectives. If you are using Cyber Essentials, but your customers want BSI Grundschutz, then you have wasted a lot of time and money. And neither guarantees that you are safe.
Company certifications help you to view your company, its processes, its employees and its technology through different lenses. Choose the goal that will help you secure your business. Your goal is to be safe, not to be certified.
The "best" case? Examine them all and identify the goal that highlights the gaps that your business should fill right now (no, you don't fill all the gaps at once at the start). Then use this goal to improve yourself. So maybe be certified in this program, but only if it meets the needs of your business.
Here's the approach (for an unregulated industry; for regulated industries, you swap items 1 and 2):
- Get basic skills in your people, processes and technology for obvious / common threats
- Get compliance with what third party stakeholders want (customers, regulators, investors, etc.)
- Develop internal compliance with your own standards to ensure consistency
- Develop a risk-based approach to target non-top-line threats to your business
- Develop a flexible and adaptive approach to security to be able to respond quickly to emerging risks
Here is the ELITE approach:
- Theequal / Legislative (Lender / Allied)