Cyber Essentials is a UK Government-backed scheme managed and maintained by the National Cyber Security Centre (NCSC) in partnership with the Information Assurance for the Small to Medium Enterprise (IASME) Consortium.
The scheme has been developed to promote a standard set of IT Security requirements designed to help minimise the likelihood and impact of commonly known cyber-attacks regardless of the organisation’s size. It covers devices, applications and services within the scope that hold or process business data.
The requirements are grouped into the 5 themes shown below:
- Firewalls
- Secure Configuration
- User Access Control
- Malware Protection
- Security Update Management
The scheme consists of two levels of certification:
Cyber Essentials
This basic level (self-assessment) certification covers the full set of controls required to achieve certification and demonstrate compliance with the foundational level of cyber hygiene as set out within the Cyber Essentials Standard. Applicants complete and submit an online questionnaire which is marked by a certified Cyber Essentials assessor.
Cyber Essentials Plus
This enhanced level of certification covers the same set of controls required by the Cyber Essentials standard; however, a certified Cyber Essentials Plus assessor also performs a physical test on the devices, applications, and services within scope. This level of certification affords a higher level of assurance, for both the company and its clients, that the correct controls are implemented and working as expected. Applicants must first attain Cyber Essentials certification, and must attempt Cyber Essentials Plus within 3 months of doing so.
Which level do I need?
The level required will depend on what your organisation is trying to achieve:
- MOD/UK Government contracts
  - Organisations looking to win MOD/Government contracts will require certification, because of the importance of protecting the personal information of UK citizens and UK government employees.
- Supply chain
  - It is important for companies to demonstrate that they comply with data protection laws when handling the personal data and sensitive personal data of customers and employees. Complying with Cyber Essentials and Cyber Essentials Plus is a good way to show that your company takes data protection seriously and follows basic cyber security practices.
- Compliance
  - Cyber Essentials and Cyber Essentials Plus are a good way of demonstrating to senior executives or board members that your organisation has the basic protections in place. Cyber Essentials Plus provides an added level of assurance because the testing is carried out by specialist third-party companies.
What is ISO 27001?
ISO 27001 is part of a set of standards developed to handle information security: the ISO/IEC 27000 series. Its full name is “ISO/IEC 27001 – Information Security, cybersecurity and privacy protection — Information Security Management Systems — Requirements.”
It is an information security standard created by the International Organization for Standardization (ISO). It provides a framework and guidelines for establishing, implementing and managing an Information Security Management System (ISMS).
It was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”
ISO 27001 adopts a risk-based approach and is specifically designed to be technology-neutral. The standard references a set of 93 safeguards/controls organised into 4 domains/sections: Organisational, People, Physical, and Technical. The topics covered include:
- Information Security Policy
- Organisation of Information Security
- Risk Assessment and Treatment
- Asset Management
- Access Control
- Cryptography
- Physical Security
- Operations Security
- Communications Security
- System Acquisition, Development and Maintenance
- Supplier Relationships
- Compliance with Legal Requirements and Industry Standards
- Information Quality Management
- Risk Monitoring and Review
Why would I need ISO 27001?
ISO 27001 is the most widely adopted information security standard in the world. The standard aims to protect all information assets, not just digital ones (for example, paper records and microfiche).
Achieving ISO 27001 is also an ideal way for an organisation to demonstrate an advantage over competitors, as organisations place ever more emphasis on supply chain management.
What are the differences between ISO 27001 and Cyber Essentials/Plus?
Whilst Cyber Essentials and ISO 27001 are both technical standards aimed at organisations wishing to demonstrate compliance, the two standards have some fundamental differences.
- Cyber Essentials is a technical compliance-based standard recognised within the UK.
  - Compliance-based refers to the actions an organisation must take to conform to the standard, not necessarily to the organisation's own rules and regulations.
  - Scope is limited to digital information assets only.
  - Applies to assets and services that are connected to the Internet.
  - Aimed at protecting against the most common types of cyber attack.
- ISO 27001 is a risk-based standard and is widely recognised throughout the world.
  - Risk-based refers to understanding what risks exist within an organisation and how best to implement policy, procedures, processes, and technical controls to manage those risks to an acceptable level.
  - Largely focused on policy and process.
  - Applicable to all forms of information assets (physical and digital).
Cyber Essentials is not an Information Security Management System (ISMS). It is therefore a less rigorous standard to implement than ISO 27001.
ISO 27001, on the other hand, can be tailored to meet the needs of organisations from small businesses up to enterprise level.
Whilst the above statements are true, all the controls required for Cyber Essentials are covered within ISO 27001.
Key takeaways
Each standard has its own purpose and scope.
Organisations wishing to tender for MOD or Government contracts will require Cyber Essentials at a minimum.
Organisations wishing to demonstrate a high level of assurance for cyber security should seek to gain certification to ISO 27001 and Cyber Essentials Plus.
Key information
| Key facts | Cyber Essentials / Cyber Essentials Plus | ISO 27001 |
|---|---|---|
| Region | UK only | International standard |
| Type of standard | Technical compliance-based standard | Risk-based standard |
| Definition | Based on a set of 5 control themes covering the most common Internet-originated attacks against an organisation's IT systems and services: Firewalls; Secure Configuration; User Access Control; Malware Protection; Security Update Management. Controls are a subset of those defined in ISO 27002. | Defines requirements for the establishment, implementation, maintenance, and continual improvement of an Information Security Management System (ISMS). ISO 27002 provides guidance on the implementation of 93 best-practice safeguards organised into 4 domains: Organisational; People; Physical; Technical. |
| Business size | Organisations of any size | Organisations of any size |
| Applicability | Scope limited to digital assets | Scope encompasses physical and digital assets |
| Scope | All controls required for certification | Safeguards are applied based on the type of business activities undertaken |
| Contractual | Mandatory for UK Government and MOD contracts | Implementation and certification are optional |
| Frequency | Annual renewal | Typically 3 years, with annual audits |
| Current version | Evandine | ISO/IEC 27001:2022 and ISO/IEC 27002:2022 |
| Recommendations | Organisations should consider certifying to Cyber Essentials first to ensure the basics are covered. | |