In today’s digital world, businesses face growing risks from cyber attacks, making information security more important than ever. Cyber Essentials, backed by the UK Government, offers a foundation to help protect against common threats.
For more robust security, ISO 27001, an internationally recognised management system standard, provides a set of detailed requirements for establishing and maintaining an effective Information Security Management System (ISMS). This article explores their differences to help you choose the right security and compliance pathway for your business.
Cyber Essentials
Cyber Essentials is a UK Government-backed scheme managed and maintained by the National Cyber Security Centre (NCSC) in partnership with the Information Assurance for Small to Medium Enterprise (IASME) Consortium.
The scheme has been developed to promote a standard set of IT Security requirements designed to help minimise the likelihood and impact of commonly known cyber-attacks regardless of the organisation’s size. It covers devices, applications and services within the scope that hold or process business data.
The requirements are grouped into 5 themes shown below.
- Firewall
- Secure Configuration
- User Access Control
- Malware Protection
- Security Update Management
The scheme consists of two levels of certification:
Cyber Essentials
The basic level (self-assessment) certification covers the full set of controls required to achieve certification and demonstrate compliance with the foundational level of cyber hygiene as set out within the Cyber Essentials scheme. Applicants complete and submit an online questionnaire, which is marked by a certified Cyber Essentials assessor.
Cyber Essentials Plus
This enhanced level of certification covers the same set of controls required by the Cyber Essentials scheme; however, this time, a certified Cyber Essentials Plus assessor will perform a physical test on the devices, applications, and services within scope. This level of certification affords a higher level of assurance that the correct controls are implemented and working as expected for both companies and clients alike. Applicants must first attain Cyber Essentials certification within 3 months prior to attempting Cyber Essentials Plus.
Which Level Do I Need?
The level required will depend on what your organisation is trying to achieve:
| Objective | Cyber Essentials | Cyber Essentials Plus | Why |
|---|---|---|---|
| MOD/UK Government Contracts | Required | Recommended | Certification is required due to the importance of protecting the personal information of UK citizens and government employees. Cyber Essentials Plus offers higher assurance. |
| Supply Chain Compliance | Recommended | Strongly Recommended | It is important for companies to demonstrate that they comply with data protection laws when handling personal data and sensitive personal data of customers and employees. Complying with Cyber Essentials or Cyber Essentials Plus is a good way to show that your company takes data protection seriously and is compliant with basic cyber security practices. |
| General Compliance | Recommended | Strongly Recommended | Cyber Essentials and Cyber Essentials Plus are a good way of demonstrating to senior executives or board members that your organisation has the basic protections in place. Cyber Essentials Plus provides an added level of assurance through testing by specialist third-party companies. |
ISO 27001
ISO 27001 is part of a set of management system standards developed to handle information security: the ISO/IEC 27000 series. Its full name is “ISO/IEC 27001 – Information Security, cybersecurity and privacy protection — Information Security Management Systems — Requirements.”
It is an information security management system standard created by the International Organization for Standardization (ISO). It provides a set of requirements for establishing, implementing and managing an Information Security Management System (ISMS).
ISO 27001 adopts a risk-based approach and is specifically designed to be technology-neutral. The standard references a set of 93 safeguards/controls organised into 4 categories: Organisational, People, Physical, and Technical, with a number of topics covered, listed below:
- Information security policy and governance
- Risk assessment and treatment
- Asset management
- Access control and identity management
- Cryptography
- Physical and environmental security
- Operations and network security
- Secure system acquisition and development
- Supplier relationship management
- Incident management and compliance with legal and regulatory requirements
Why would I need ISO 27001?
ISO 27001 is the most widely adopted information security standard in the world. The standard aims to protect all information assets, not just digital ones. Businesses that have achieved ISO 27001 can demonstrate an advantage over competitors as organisations place more emphasis on supply chain management.
What Are the Differences Between ISO 27001 and Cyber Essentials/Plus?
Whilst both Cyber Essentials and ISO 27001 support organisations in improving their information security posture, they differ significantly in scope and structure. Cyber Essentials is a UK Government-backed certification scheme focused on key technical controls, while ISO 27001 is an internationally recognised management system standard that defines requirements for implementing and maintaining an Information Security Management System.
| Aspect | Cyber Essentials | Cyber Essentials Plus | ISO 27001 |
|---|---|---|---|
| Region | UK only | UK only | International standard |
| Type | Government-backed certification scheme | Government-backed certification scheme | Risk-based management system standard |
| Definition | Based on 5 control themes: Firewall, Secure Configuration, User Access Control, Malware Protection, Security Update Management | Same as Cyber Essentials, with higher assurance through testing | Information Security Management System (ISMS) framework with 93 safeguards in 4 categories: Organisational, People, Physical, Technical |
| Scope | Limited to digital information assets only | Limited to digital information assets only | Applicable to all forms of information assets (physical and digital) |
| Focus | Aimed at protecting against the most common types of cyber attack | Aimed at protecting against common cyber attacks, with higher assurance | Largely focused on policy and process for comprehensive risk management |
| ISMS requirement | Not required | Not required | Requires a detailed ISMS |
| Implementation rigour | Cyber Essentials is not an Information Security Management System (ISMS), so it is less rigorous to implement than ISO 27001 | More rigorous than Cyber Essentials, with independent verification | Formal audit and certification process involving a detailed ISMS |
| Recognition | Recognised within the UK | Recognised within the UK | Widely recognised worldwide |
| Certification requirement | Self-assessment. Compliance refers to the actions that organisations must take to conform to the requirements, not necessarily to their own rules and regulations. | Requires prior Cyber Essentials certification | Requires a formal audit and certification process |
| Organisational size | Suitable for organisations of any size | Suitable for organisations of any size | Can be tailored to meet the needs of any business, from small organisations to large enterprises |
| Inclusion of Cyber Essentials controls | All controls required for Cyber Essentials are covered within ISO 27001 | All controls required for Cyber Essentials are covered within ISO 27001 | Covers all controls required for Cyber Essentials |
| Rationale for use | Basic level of cyber hygiene | Higher level of assurance for both companies and clients | Comprehensive framework for managing information security risks |
| Requirements and recommendations | Required for MOD/UK Government contracts | Recommended for supply chain and general compliance | Recommended for organisations seeking a competitive edge through comprehensive information security management |
| Frequency | Annual renewal | Annual renewal | Typically 3 years, with annual audits |
| Current version | Willow question set | Willow question set | ISO/IEC 27001:2022 and ISO/IEC 27002:2022 |
Key Takeaways
- Each standard has its own purpose and scope.
- Some organisations wishing to tender for Ministry of Defence or Government contracts will require Cyber Essentials Certification.
- ISO 27001 is a global standard suitable for organisations seeking comprehensive risk management.
- Both standards complement each other, with ISO 27001 encompassing all Cyber Essentials controls.
- Organisations wishing to demonstrate a high level of assurance for cyber and information security should seek to gain ISO 27001 Certification and Cyber Essentials Plus.
Achieve Cyber Security Certifications For Your Business
Get started on your journey to ISO 27001, Cyber Essentials and Cyber Essentials Plus certifications for your business with British Assessment Bureau.
Request a quote today or contact our team to discuss your needs.
