ISO 27001 and the Cyber Essentials scheme
Do organisations have to certify to Cyber Essentials if they have already achieved an ISO 27001 certification?
Yes. Although ISO 27001 is considered a much more comprehensive and rigorous standard, organisations wishing to obtain the Cyber Essentials badge will still need to apply for certification to either Cyber Essentials or Cyber Essentials Plus.
Several major companies that are ISO 27001 certified have also sought certification to Cyber Essentials, including Barclays and Vodafone.
According to their certification body, Barclays found the process of achieving certification to Cyber Essentials straightforward because of the existing security processes it already had in place, including its ISO 27001 certification.
Can Cyber Essentials replace ISO 27001?
No. IT Governance’s advice is that Cyber Essentials should be adopted in addition to – rather than instead of – ISO 27001. The ISO 27001 standard offers various additional benefits, such as its international recognition, comprehensive approach and position at the core of cyber resilience.
Because ISO 27001 includes controls focusing on information security continuity, it provides an excellent foundation for a more comprehensive cyber resilience posture. “You can use Cyber Essentials to try to stop low level attacks from succeeding, but, realistically, some will get through your defences. How you recover from an attack falls entirely outside the scope of Cyber Essentials, so additional measures are essential.” – Alan Calder, Founder and Executive Chairman, IT Governance.
According to Steve Watkins, UKAS advisor for ISO 27001:2013, the requirement to account for ‘interested parties’ in ISO/IEC 27001:2013 implies that client, employee and community needs must be considered when implementing and maintaining the ISMS (information security management system).
It is reasonable to assume that at least one of these parties will require the organisation to protect itself against low-level cyber attacks. The Cyber Essentials control profile is designed specifically with these in mind, so it is reasonable to conclude that all ISO 27001-compliant ISMSs will deliver the controls in Cyber Essentials, or equivalent ones that provide the same degree of assurance with regard to the associated risks.
Embarking on certification to ISO 27001 and Cyber Essentials
If you are new to the world of ISO 27001, it will be more resource- and time-effective to initiate certification to both standards at the same time. IT Governance can help you achieve this with an integrated approach. Depending on your current resources, time commitment and budget, however, you may wish to start the process with certification to Cyber Essentials. This will give you an introduction to the world of certification and information security.
When you are ready to take the next step of implementing a robust ISMS, you will be well positioned to continue on to ISO 27001.
According to cyberessentials.org, Cyber Essentials aims to entrench cyber security into an organisation’s approach to information risk management. Cyber Essentials is also aimed at helping smaller businesses to uncover risks that they may not otherwise be aware of.
“Cyber Essentials is complementary to the good work and value across several existing standards and frameworks. The Scheme gives testable guidance on five areas of basic technical controls. When implemented, it will help organisations protect themselves from online cyber threats. Its principles apply to organisations of all sizes, from micro enterprises to large corporates. Our main aim is adoption – we want to see Cyber Essentials adopted as far and wide as possible. We want to see a step change in organisational cyber security behaviours.” – Richard Bach, Assistant Director – Cyber Security, Department for Business, Innovation and Skills.
IT Governance offers three distinct certification solutions that will enable you to achieve certification to Cyber Essentials or Cyber Essentials Plus cost-effectively and easily.
The Cyber Essentials certification process includes a self-assessment questionnaire (SAQ) and an external vulnerability scan.
Cyber Essentials Plus
Cyber Essentials Plus certification includes all of the assessments for Cyber Essentials certification, as well as an internal scan and an on-site assessment.
Our ISO 27001 Packaged Solutions provide everything you need to implement ISO 27001 without any of the usual associated complexities and costs.