Written by Maritz Cloete, Director, CS Risk Management & Compliance
Cyber Essentials and ISO 27001 are two of the most talked about schemes and standards in cyber security.
Both have the same ultimate aim, protecting an organisation against common cyber security threats, but they differ in their approach. This guide is a handy comparison tool to help you understand the certification process, costs, benefits and use cases of each, and to select the right certification for your organisation.
Cyber Essentials is a government-backed (NCSC) certification scheme designed to protect organisations against around 80% of common cyber-attacks and to raise the baseline of cyber security within organisations. The certification covers five technical controls (firewalls, secure configuration, security update management, user access control and malware protection) designed to protect an organisation's devices, internet connection, data and services.
ISO 27001 (ISO/IEC 27001:2013) is the international standard that specifies the requirements for an ISMS (information security management system). It is designed to help organisations of all sizes manage their information security processes and protect their data and assets.
| | Cyber Essentials | ISO 27001 |
|---|---|---|
| What is it? | A government-backed scheme made up of five technical controls (firewalls, secure configuration, security update management, user access control and malware protection) designed to protect an organisation's devices, internet connection, data and services from common cyber-attacks. There are two levels of certification: Cyber Essentials (self-assessed) and Cyber Essentials Plus (independently tested). | An internationally recognised information security standard that specifies the requirements for an ISMS. Annex A of the 2013 edition lists 114 reference controls; each is selected or excluded on the basis of a risk assessment, and the decision is justified. The ISMS must be operated, measured and internally audited on an ongoing basis, and certification is granted by an external certification body after audit. |
| Who is it applicable for? | Organisations of any size and any industry. It raises the overall level of technical cyber security within an organisation. | Any organisation in any industry. However, it is typically better suited to organisations with five or more employees, because the ISMS has to be owned, maintained and internally audited by several stakeholders. |
| What are the benefits? | Protection against around 80% of common cyber-attacks; increased credibility and reputation with clients; eligibility to bid for UK government contracts that require it, and for new business opportunities; eligibility for free cyber insurance cover (subject to the scheme's eligibility conditions); a competitive edge in demonstrating that you can prevent common cyber-attacks. | Keeps confidential data secure; reduces the risk of fines and penalties associated with the mishandling of customer/client data; improves the company's security culture; increases customer and client confidence that you are committed to information security; a competitive edge in demonstrating to clients and customers that you take information security seriously. |
| Implementation and certification process | There are two levels. For basic Cyber Essentials, all five controls must be in place and the self-assessment questionnaire must be passed; a consultant can work with you during this process to provide any additional expertise needed. Cyber Essentials Plus builds on a current basic certificate and adds an independent technical assessment, including external vulnerability scanning and hands-on testing of in-scope devices, which gives stronger assurance that the controls are actually working and is seen as more credible. Certification has to be renewed every year to remain valid. | Implement an ISMS, a management system for protecting the confidentiality, integrity and availability of information. Define the scope, conduct a risk assessment, then select the Annex A controls (from the 114) that treat the risks identified, recording the decision for every control, including exclusions and their justification, in a Statement of Applicability (SoA). The ISMS then has to be maintained through regular internal audits and management reviews, with an external certification body carrying out the certification audit and subsequent surveillance audits to confirm continued conformance. |
| What's the cost? | A Cyber Essentials online self-assessment is £310.00, and a Cyber Essentials Plus certification is £1,895.00 (prices as quoted at the time of writing). | The cost of ISO 27001 varies with the organisation, its size and the scope of the project. It is best to get in touch with one of our consultants for a quote. |
| Can I certify to both? | Yes. The two have different requirements, so holding one does not conflict with the other. | Yes. The five Cyber Essentials controls map onto a subset of the technical controls in ISO 27001 Annex A, so evidence gathered for Cyber Essentials can be reused within the ISMS. |
The key difference between Cyber Essentials certification and ISO 27001 is that each has its own requirements and controls which must be implemented to achieve certification. They share the same goal: protecting your organisation's assets from common cyber threats. Cyber Essentials is limited to five technical controls applied to in-scope devices, such as user access control and keeping software patched and up to date. The scheme is designed to help organisations of any size protect themselves from common cyber threats at an affordable cost. A Cyber Essentials certification can also give you a competitive edge when bidding for new business tenders, as it demonstrates a commitment to cyber security.
ISO 27001 is centred on information security management as a whole, through the development of an ISMS (information security management system). It therefore improves an organisation's overall information security posture, covering people and processes as well as technology, whereas Cyber Essentials is focused on a fixed set of technical controls. ISO 27001 also has far more controls (114 in Annex A of the 2013 edition), which are selected according to risk and justified in the Statement of Applicability, whereas the five Cyber Essentials controls are all mandatory. An ISO 27001 ISMS supports several GDPR obligations, in particular the duty to apply appropriate technical and organisational security measures, and ISO 27701 extends it with privacy information management (PIMS) requirements for handling personal data. Neither standard certifies GDPR compliance on its own, but a well-run ISMS provides the evidence that customer and client data is being handled properly and so helps your organisation reduce the risk of fines and penalties.
Both certifications strengthen an organisation's cyber security, but which one applies best depends on the organisation. It is important to define your organisation's security needs and to consider the requirements of your business, the size of your organisation and your budget.
Not sure which certification to implement? Get in touch!