In the UK there are two main cyber security certifications available for organisations – the ISO 27001 and Cyber Essentials. Both serve to indicate that the certificate holder is cyber secure to a certain level, which can yield business benefits. However, many professionals argue each represents different standards of cyber security.
Here, we’ll discuss the key similarities and differences between ISO 27001 and Cyber Essentials, along with their usefulness for businesses.
ISO 27001 Standards
The ISO 27001 is a document that sets out standards for information security management systems (ISMS). These are agreed by an international technical committee on information security, cyber security, and privacy protection. ISO 27001 regulations are focused on protecting the information held by a company in three ways – integrity, confidentiality, and availability.
For a business to achieve ISO 27001 compliance, it must provide evidence of its commitment to safe and secure information management. The ISO will examine the business’s ISMS to determine how it is managing security risks and how the business handles data. The aim of the ISO 27001 standards is to provide an incentive for businesses to:
- Be prepared for new cyber threats
- Improve cyber attack resilience
- Have measures in place for organisation-wide protection
- Increase defence efficiency
- Secure information in a variety of forms
The Cyber Essentials Scheme
Cyber Essentials is a government programme designed to ensure UK businesses possess base level cyber security defences. Compliance is achieved by answering a self-assessment questionnaire covering the following control areas:
- Access – user accounts should be secured against unauthorised access. It is advised that users are only given access to the areas of the business which are required to complete their duties.
- Malware protection – anti-malware software should be installed across all business devices to prevent network infection. Employees can be given training to help recognise malware phishing attacks.
- Firewalls – a firewall must be installed on devices used by members of a company to qualify for Cyber Essentials. This creates a layer of defence between external networks and the organisation’s systems.
- Secure configurations – it must be ensured that configuration settings on software, networks, and devices are not left on default. User accounts can also be configured to limit access to valuable business data.
- Update management – many updates are rolled out expressly to remove vulnerabilities. As such, devices and software should be kept up to date to ensure they are secure.
A qualified assessor from the IASME consortium will then determine if the business qualifies for the certification. The aim of the Cyber Essentials scheme is to ensure organisations are protected against a variety of common cyber security threats. This can be used to reassure consumers and partners that the organisation in question can protect user’s personal data.
Read our advice on how to get cyber essentials certification.
Cyber Essentials Plus
Where Cyber Essentials can provide a baseline cyber defence, Cyber Essentials Plus offers a higher level of certification. Here, security infrastructure is examined more thoroughly to determine its effectiveness at combating specific threats. Cyber Essentials Plus can be requirement for businesses to access certain types of government contracts.
Differences between ISO 27001 and Cyber Essentials
It is the case that both ISO 27001 and Cyber Essentials are designed to lead to an improvement in a business’s cyber security. Indeed, both certifications serve as proof of this. However, there are notable differences in how and to what extent compliance is achieved.
Where Cyber Essentials is focused on technical compliance, ISO 27001 standards are concerned with nullifying threats specific to ISMS. This means the controls implemented by Cyber Essentials are quite general, as the government wants to set clear goals for UK businesses. Instead, ISO 27001 standards are focused on the security policies and processes of a business, and how it relates to their activities.
Both standards outline certain areas of concern. Cyber Essentials is relatively broad, seeking to ensure protection against a wide range of common security threats online. On the other hand, the ISO 27001 considers the specific risks faced by an organisation and how they can be managed effectively.
This concerns how compliance is achieved for ISO 27001 and Cyber Essentials respectively. For the latter, there are the five controls detailed earlier. However, ISO 27001 standards consist of twice as many clauses, and over 100 generic security controls.
Cyber Essentials’ compliance measures apply solely to services and assets connected to the internet. Whereas ISO 27001 recommendations can be applied to both digital and physical assets, so long as they are responsible for information processing, gathering, or storage. Also, it should be made clear that the ISO 27001 certification is internationally recognised, where Cyber Essentials is a UK-only scheme.
Although ISO 27001 and Cyber Essentials have many differences, there are also significant areas of overlap. As a result, it is often a more efficient use of resources for organisations to pursue both certifications at the same time.
Cyber security consultancy services
If you don’t know which certification is best for your business, a member of the CyberWhite team will be happy to provide professional advice. Additionally, if you want to acquire Cyber Essentials and ISO 27001 certification simultaneously, we can help with that process too. We believe cyber security standards for businesses are a vital tool in helping the world become a safer place for everyone online. Contact us today.