Achieving certification to a recognised and accredited standard is a credible way for organisations to give their customers, partners and prospective clients a level of assurance about their information security posture. Such standards can also help organisations reduce the likelihood and impact of information security incidents.
There is a wide selection of British and international standards organisations can certify to, each with their own requirements. Two of the most well-known standards are ISO 27001 (a global standard) and Cyber Essentials (a UK standard). In the US, it is quite common for organisations to demonstrate security assurance by being audited against SOC 2, a standard for controls at a service organisation relevant to security, availability, processing integrity, confidentiality and privacy.
There are also other security standards that you cannot independently certify against but can use to benchmark your security posture or use as part of a security improvement plan. Examples include the NCSC’s 10 Steps guidance and the NIST Cyber Security Framework (“NIST CSF”).
The right approach depends on your goals, and the various standards can be used together (as there is considerable overlap between them). If you are in the UK and want to demonstrate independent assurance to customers and third parties, then Cyber Essentials and ISO 27001 will likely be on your agenda. It can be challenging to decide which standard to certify against, and some organisations (like ourselves) do choose both.
This is because ISO 27001 and Cyber Essentials have their own merits and serve different needs. It is not necessarily a case of choosing to certify in one standard or another. Rather than viewing the standards as competing, we advise looking at them as complementary.
How do Cyber Essentials and ISO 27001 differ?
Cyber Essentials concerns itself with improving data and IT infrastructure protection from internet-borne attacks. By contrast, ISO 27001 counsels a risk-led and holistic approach: it considers information security risks across the organisation, including risks outside the traditional remit of IT, such as those relating to physical security, HR and third-party suppliers.
Achieving ISO 27001 carries a high cost and is often done for business generation reasons. For example, a customer may require your organisation to attain ISO 27001 to become or remain a supplier. The standard is frequently mandated in highly regulated sectors like finance and telecoms.
Both ISO 27001 and Cyber Essentials Plus require an independent audit carried out by a suitably accredited certification body. However, it’s important to note that neither ISO 27001 nor Cyber Essentials Plus will 100% guarantee the security of your information.
To ensure you are following security best practices, you should combine industry standards with efforts to foster a positive security culture in your organisation. We advise engaging a suitably qualified and experienced information security practitioner. For organisations that cannot afford a permanent employee, Evalian offers a security management service.
In choosing between ISO 27001 or Cyber Essentials, you should consider contextual factors like your company’s size, location, supplier relationships and level of cyber security maturity. Before we analyse these in more detail, we will first give an overview of each standard.
What is Cyber Essentials?
Cyber Essentials (“CE”) is a United Kingdom (“UK”) government information assurance scheme. It sets out five technical control themes organisations can implement to improve their protection against the most common information security threats, while also demonstrating a certain level of commitment to cyber security to suppliers and customers. The standard is well-regarded in the United Kingdom but does not currently have international recognition.
The five technical control themes are:
- Use a firewall to secure your Internet connection
- Choose the most secure settings for your devices and software
- Control who has access to your data and services
- Protect yourself from viruses and other malware
- Keep your devices and software up-to-date
For a more detailed overview, read our guide to Cyber Essentials.
What does Cyber Essentials certification involve?
Organisations may apply directly for Cyber Essentials, although most use a Certification Body to support their application. This is an organisation (like Evalian) trained and licensed to certify to Cyber Essentials. There are two levels of certification: Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials: Certification begins with a self-assessment form, featuring questions about your security policies, details about how often you update your systems, and the general security posture of your organisation. Once the form has been completed, you share it with your Certification Body, who will review your answers and provide guidance on whether you have passed or failed the Cyber Essentials certification.
Cyber Essentials Plus: To achieve Cyber Essentials Plus, an organisation must meet the Cyber Essentials standard and, in addition, must undergo a vulnerability scan and other technical assessments by their Certification Body.
Threat actors do not always succeed through sophistication when it comes to information security incidents. Sometimes, it’s as simple as a malicious email attachment getting past spam filters, leading to a ransomware attack or data breach. CE Plus is designed to test these common attack vectors in a controlled manner to ensure enterprise security controls, practices and processes meet a basic level of security.
The cost of a Cyber Essentials verified self-assessment is typically £300 plus VAT. The price of a Cyber Essentials Plus assessment will vary, depending on the size and complexity of the company’s network. Once certified, all certifications have a 12-month expiry date, meaning organisations will need to be reassessed annually. From here on, we will refer to the two standards using the umbrella term ‘Cyber Essentials’.
What is ISO 27001?
ISO 27001 is the international standard for an information security management system (“ISMS”). It is internationally recognised as industry best practice. Achieving ISO 27001 provides assurance to clients both domestically and across the globe that your organisation prioritises information security.
ISO 27001 aims to protect the confidentiality, integrity and availability of information in an organisation. This is achieved by identifying potential risks to data (i.e., by completing a risk assessment) and then deciding how to stop those risks from materialising (i.e., by implementing mitigating controls or otherwise treating the risk appropriately). The approach follows the Deming Cycle’s phases of ‘Plan-Do-Check-Act’ to achieve continuous improvement in security management.
The standard is divided into two segments; the first features 11 clauses (0 to 10). Clauses 0 to 3 (Introduction, Scope, Normative References, Terms and definitions) give an overview of the standard, while clauses 4 to 10 detail the standard’s mandatory requirements. The second part is Annex A, featuring 114 control objectives and controls.
The standard lets organisations determine their own risk acceptance criteria and their approach to managing risks, subject to considering the needs and expectations of interested parties (such as clients, employees and regulators). Whereas one business might consider a risk unacceptable unless treated and reduced using controls, another company may consider the same risk acceptable.
What does ISO 27001 certification involve?
ISO 27001 sets out a number of policies, procedures, plans, records, and further documents that must be completed before certification. Following this, an organisation can liaise with an independent certification body to assess whether it meets the standard’s requirements. This process occurs in two stages and is conducted by a qualified auditor.
The auditing process of ISO 27001 is more intensive than Cyber Essentials and Cyber Essentials Plus. This is because ISO 27001 is inherently more complex and thorough than Cyber Essentials as a Standard. Typically, it can take organisations anywhere from six months to a year or more to complete ISO 27001 certification.
Once certified, certification lasts for three years but is subject to maintenance audits during this period to ensure the ISMS is being maintained and the organisation is progressing. Maintenance audits are not as in-depth as certification audits – although, should the organisation’s scope change during the period, it will need to recertify.
The cost of ISO 27001 certification will vary depending on factors such as your organisation’s geographical expanse, number of employees and the sector you operate in.
Should I certify in ISO 27001 or Cyber Essentials?
Organisations can choose to certify to both ISO 27001 and Cyber Essentials as the standards complement each other. However, from a financial perspective, we appreciate it can be difficult for SMEs to invest in both standards simultaneously.
At the start of their journey to information security maturity, we often encourage organisations to begin with the basics, as set out in Cyber Essentials Plus. This standard gives organisations a manageable first step into standards and compliance. We then accompany them and support them in achieving ISO 27001 when it makes business sense.
While Cyber Essentials is less expensive to implement, its recognition as a means of assurance is currently limited to the UK market. However, Cyber Essentials is undoubtedly a good starting step towards achieving a security-minded culture for small and medium-sized enterprises. Moreover, suppliers to the UK Government are mandated to achieve CE as part of their contractual obligations.
Cyber Essentials requirements concerning patching may make it harder for larger organisations to achieve. Cyber Essentials Plus is a binary standard – if you don’t have the mandated control in place, you fail. ISO 27001 can provide more flexibility. The risk associated with not having a specific control in place might be below your risk acceptance threshold because you have other controls in place to mitigate the risks as part of a ‘defence in depth’ approach.
Ultimately, the standard you choose will depend on your organisation’s size and the amount of investment you have to spend on information security. While both standards take time and effort, they are a great way to improve your security posture and boost assurance in supplier relationships.
If you’re thinking of gaining Cyber Essentials or ISO 27001 accreditation, we’re here to help wherever you are on your decision path.
If you’d like to understand more about our services, we’d be delighted to hear from you. You can learn more about our ISO 27001 services and Cyber Essentials services here.