Cybersecurity Guidance for Small and Medium-Sized Enterprises

  • 7m
  • ISACA
  • 2015

Cybersecurity is rapidly becoming a critical activity in many enterprises, due to the increasing number of cyberattacks and cybercrime. Cyberattacks often target small and medium-sized enterprises, because cybercriminals expect information in SMEs to be less protected than in large enterprises. Protection against cyberattacks is an important element in ensuring that SMEs can protect their economic interests, reputation and intellectual property, and the information assets of their customers and business partners.

Sound cybersecurity is a growing need for all types and sizes of enterprises. Although various international and national cybersecurity strategies and other initiatives address enterprise cybersecurity needs and measures, Cybersecurity Guidance for Small and Medium-sized Enterprises specifically addresses the SME scenario and its typical resources, budget and technical-skills limitations. It offers SMEs a practical and manageable tool for planning, implementing and maintaining good cybersecurity at affordable cost.

The publication provides additional guidance for multinational enterprises that have business interests outside of their home country, regardless of enterprise size. It is not designed to be binding or definitive, and is based on the COBIT 5 framework and its family of products from ISACA.

Cybersecurity is a topic of interest for most enterprises, regardless of their size. Cybercrime and cyberwarfare are not restricted to large, multinational enterprises. Increasing numbers of small and medium-sized enterprises (SMEs) are being targeted. In an SME context, information security and cybersecurity are often difficult to implement in a satisfactory and cost-effective manner. SMEs need hands-on guidance for affordable and effective cybersecurity. The ISACA Cybersecurity Standard for Small and Medium-Sized Enterprises and this Cybersecurity Standard for Small and Medium-Sized Enterprises Guidance for Implementation are designed to meet the needs of typical SMEs: reasonable security at affordable cost. These publications help SMEs to prepare for, and manage, typical cybersecurity issues, risk and threats.

This guidance for implementation publication provides practical advice on how to implement cybersecurity governance, risk management, assurance and compliance using the Cybersecurity Standard for SMEs and its COBIT 5 foundation. SMEs do not need to apply the recommendations in this publication to their full extent. Examples and cases give SMEs insights into implementing the standard. However, the implementation guidance should not be read as prescriptive.

In this Book

  • Introduction
  • Purpose and Scope of This Guidance
  • Companion Publication
  • References to Standards
  • References to the COBIT 5 Product Family
  • How to Use This Guidance