scope:

The present document provides SMEs with the main concepts of cybersecurity and introduces a five-step process for establishing cybersecurity using standards and frameworks in language that is easy for SMEs to understand. Five widely used standards and frameworks for SMEs from different countries and sources for reducing cybersecurity risks are introduced. The security controls present in these standards and frameworks are compared and unified in 17 control categories to provide SMEs with a quick reference. Since cybersecurity is closely associated with the roles of the SMEs in the digital ecosystem, four different SME categories are discussed (digital enablers, digitally based, digitally dependent, and start-ups) and SMEs are provided with tailored guidance on the implementation of the controls. Although the selection of controls should be based on the risks that are specific to the organization, the basic controls that are applicable to almost every organization can also be considered for direct implementation. The present document uses a holistic approach by integrating the main concepts, processes, security controls derived from the standards and frameworks, and a focus on different SME categories to present the cybersecurity essentials for SMEs.

Although the present document aims for providing SMEs anywhere in the world with cybersecurity standardization essentials, additional information relevant to European SMEs is provided in Annex A.