For Information Security – Cyber Essentials or ISO 27001?

What is the difference between ISO 27001 and Cyber Essentials?

Cyber Essentials is great if you want to stop low level cyber-attacks from succeeding. But if you want a more robust system that can also help you protect from physical threats and recover when an attack happens, then this is where ISO 27001 can help.

Typically organisations which are required to adopt Cyber Essentials are advised to do this in addition to, rather than instead of, ISO 27001.


What is Cyber Essentials?

The Cyber Essentials Scheme came into effect on 1st October 2014. Its objective was to make the UK a safer place to conduct business online. Suppliers bidding for government contracts which involve the handling of sensitive and personal information, and the provision of certain technical products and services, will need to show conformance with this scheme.

Cyber Essentials provides organisations with basic, but essential, protection from Internet-borne threats. It covers five main areas of vulnerability:

  1. Boundary Firewalls and Internet Gateways
  2. Secure Configuration
  3. Access Control
  4. Malware Protection
  5. Patch Management

These controls have been identified as those that, if they had been in place, would have stopped the majority of successful cyber-attacks in the last five years.

There are two levels of badges in Cyber Essentials – Cyber Essentials (a self-assessment questionnaire, to which the responses are independently reviewed by a certifying body) and Cyber Essentials Plus (which additionally includes system tests carried out by an external certifying body).


What is ISO 27001 in comparison?

While it is great that a business would be certified to Cyber Essentials, it is important to note that ISO 27001 offers the same basic protection, but it also looks at information security as a whole.

ISO 27001 encompasses people, processes and technology. By achieving ISO 27001 you will also be able to:

  • Examine and control policies and procedures in order to minimise risks and threats before they happen.
  • Manage the after-effects of a data threat.
  • Ensure staff are educated on risks as well as accidental and malicious data leaks.
  • Manage how data is accessed.
  • Demonstrate that you meet international standards of information security best-practice.


ISO 27001 will continue to be the most robust, recognised and accepted Information Security Standard worldwide. But if your organisation plans to enter the Government or Public Sector arena, we would advise that you achieve both systems at the same time. Compliance with ISO 27001 will almost certainly mean that you are compliant with the requirements of Cyber Essentials. You will also be compliant with most of the requirements of Cyber Essentials Plus, but that scheme involves an element of technical testing which is not included in ISO 27001.


How do I become certified?

The ISO 27001 certification process can take as little as 45 days to complete, consisting of a gap analysis, production of a documented management system, and certification. The contents of the management system implemented through ISO 27001 will also help you to quickly satisfy the requirements of the Cyber Essentials Scheme.

Having both initiatives in place will help you to demonstrate to customers and interested parties that you take information security seriously and you have a strong sense of responsibility to them. Together, they will help you to minimise threats, improve governance and enhance your security practices.

So if you are interested in becoming ISO 27001 certified, please speak with one of our experienced information security specialists today by calling 0333 344 3646 or by emailing [email protected]. For more information regarding how to obtain Cyber Essentials protection, please visit the Cyber Essentials website.