I was talking to a friend about a requirement to “measure” Cyber Essentials compliance. Now, if you know a thing or two about standards and applying standards to complex technology environments, you might come up with:
- Can’t we just script a checker?
- Don’t we have all the audit data in the *checks notes* 1000 inventory systems we have?
Well sure, you could write a massive set of rules which ignore any context and try and cater for a huge number of different scenarios. You could use the Q&A approach as well (which is how the standard workbook works anyway so that already exists). But let’s say you are an IT manager, and you want to KNOW how your environment stacks up!
The question is simple and easy to ask. Look:
- “How compliant are we against Cyber Essentials?”