Do I need Cyber Essentials if I have ISO 27001?
When it comes to certifying your business to cyber security frameworks it is often difficult to understand which certification is right for you. In many conversations we have, we often hear that a client has ISO 27001, which covers "everything they need, so why do we need a baseline certification?"
Before we answer that question let’s explore what both certifications are:
What is ISO 27001?
ISO 27001 is an international standard covering the governance aspects of securing data; policies and processes to establish, implement, maintain, and continually improve an information security management system (ISMS).
It asks an organisation to systematically examine their information security risks, and guides the design and implementation of a comprehensive suite of information security controls and other forms of risk prevention. A management process is put in place to ensure that the controls continue to meet the organisation’s information security needs on an ongoing basis.
Gaining ISO 27001 can be a significant undertaking for most organisations, taking several months to complete with a considerable use of internal/external resources. Small to medium-sized organisations should expect certification to cost upward of £10,000.
What is Cyber Essentials?
Cyber Essentials is a UK scheme covering the technical aspects of securing data. It is designed to prevent the most prevalent form of data breach/loss in the UK: automated attacks via the internet.
The Cyber Essentials program offers two levels of certification. The first, called simply Cyber Essentials, is a verified self-certification, where organisations complete an online assessment of around 80 questions, with feedback provided by a Cyber Essentials Assessor.
The second level, Cyber Essentials Plus, validates the responses given at Cyber Essentials level by carrying out tests on an organisation’s laptops and other devices, including vulnerability scans and checks that anti-malware measures are effective.
The scheme focuses on five areas:
- Firewalls (either on laptops or hardware, such as routers)
- Secure configuration of devices, e.g., strong passwords, not using admin accounts
- Access control, limiting each user’s access to only the data they need
- Malware protection
- Application and operating system updates
Cyber Essentials and Cyber Essentials Plus were designed to be achievable and affordable cyber security certifications. Gaining both costs from around £2,500. As with any cyber security check you should review and renew annually to ensure protection against developing threats.
Comparing ISO 27001 and Cyber Essentials
ISO 27001 and Cyber Essentials are both integral to maintaining a robust information security posture, but they differ in scope and focus. ISO 27001 provides a comprehensive framework covering all aspects of an organisation’s information security management system. It is a risk-based approach that requires management to identify and treat information security risks systematically. On the other hand, Cyber Essentials is more focused on specific technical controls to protect against internet-based threats.
In summary, ISO 27001 and Cyber Essentials complement each other. ISO 27001 addresses the broad information security needs of an organisation, while Cyber Essentials provides a more targeted defence against cyber threats.
Having ISO 27001 does not eliminate the need for Cyber Essentials, as the latter provides an additional layer of security that addresses specific technical vulnerabilities.
What does Cyber Essentials provide over ISO 27001?
Even if your organisation is ISO 27001 certified, obtaining Cyber Essentials certification still provides significant value. Here are several reasons why:
Cyber Essentials focuses on a specific set of technical controls designed to protect against the most common internet-based threats. This focused approach ensures your organisation is protected against the vast majority of common cyber threats.
Recognition and winning tenders
Having a Cyber Essentials certification is essential for any organisation wishing to bid for UK government/NHS/MoD contracts.
Achieving Cyber Essentials certification is a cost-effective way of implementing essential cyber security controls. It demonstrates to your stakeholders, including customers, investors, and insurers, that you have taken steps to secure your organisation against the majority of cyber threats. Businesses often assume they need to purchase expensive security technology to reduce risk, missing the more cost-effective step of implementing frameworks and best practices first.
Compliance with Changing Business Practices
Certifying each year means you continue to assess your security posture. Cyber Essentials is continually adapted to the changing business environment. For example, in 2022, the Cyber Essentials certification began bringing all cloud services into scope, reflecting the growing reliance on cloud computing in modern businesses. Such updates ensure that Cyber Essentials stays relevant and effective as technology and business practices evolve.
Choosing who to certify with
So we have now established that ISO 27001 is an important standard for information security management, but it is not a substitute for the specific, technical-focused controls that Cyber Essentials provides. By achieving Cyber Essentials certification with ISO 27001, you can confidently show your stakeholders that you are committed to protecting your organisation from cyber threats, while also opening up opportunities for government contracts and potential insurance benefits.
There are many companies who can help you achieve ISO 27001 and Cyber Essentials certifications. Our advice would be to understand the level of support each company provides and what its process is before deciding who to work with.
Forensic Control provide unlimited support to help organisations achieve Cyber Essentials, to ensure the process is simple, straightforward and stress free!
Contact us today if you require Cyber Essentials and ask us about our ISO 27001 partners.