For a UK company looking to become more secure (or to show that it is), there are two obvious choices of certification scheme, namely the ISO27001 standard and Cyber Essentials. But what is the difference between the two schemes, and which one should you tackle first?
This blog article by CertiKit’s CEO Ken Holmes will give you an idea of what each of them is and how they compare, to help you make the best choice.
The Cyber Essentials scheme is a UK government initiative managed by the National Cyber Security Centre (NCSC) through its delivery partner IASME. It consists of a set of five technical controls which an organisation must implement, after which it completes a self-assessment questionnaire (reviewed by the certification body) in order to become certified. The five controls cover firewalls, secure configuration, security update management (patching), user access control and malware protection.
These are the five areas the NCSC believes are the highest priority and from which an organisation will get the most benefit. This is based on an understanding of the most common threats, such as commodity attacks and phishing by criminal gangs.
On the IASME website there is a free downloadable question set which lists the questions you will need to answer positively in order to meet the criteria for certification. Where your current working practices don’t meet a requirement, you will need to change them before you can give a positive answer, so some work may be involved.
The way that certification operates for Cyber Essentials is that you pay your fee (£300 to £500 plus VAT depending on your number of employees), answer the questions via a portal, respond to any issues the assessor raises, and then you get the badge to show that you’re certified.
If you want to go further there is the Plus version of Cyber Essentials. This adds an independent technical assessment by an assessor, including vulnerability scans of your systems, to verify that the controls are actually in place and set up correctly; it comes at an additional cost.
ISO27001 is an international standard for an information security management system (ISMS). It is a document published by the ISO which defines the requirements for putting an ISMS in place. In essence, ISO27001 is in two parts. The first is the management system itself, which includes items such as objectives, risk assessments, management reviews and internal audits. The second is the list of reference controls (Annex A), which cover most areas of information security fairly comprehensively. The idea of the ISO27001 standard is that you assess your own risks and then apply appropriate controls to reduce your exposure to an acceptable level.
Certification to the ISO27001 standard is offered by a wide range of certification bodies, such as BSI, and is a two-stage process. Stage one is an initial readiness review of your documentation and stage two is the certification audit itself, which examines in more detail whether the ISMS is operating as described. If the auditor judges your ISMS to meet the requirements then you become certified and can advertise that fact.
There are a number of ways in which Cyber Essentials and ISO27001 are similar.
There are key differences between the two standards, including:
If you’re trying to decide which standard to go for first, there are a number of factors to consider. Go for Cyber Essentials initially if:
But ISO27001 may be your best bet if:
It’s worth emphasising that this is not an “either-or” situation. Many organisations (including CertiKit ourselves) are certified to both Cyber Essentials and ISO27001. It’s really a decision about whether you want to start small with Cyber Essentials and then grow towards ISO27001, or whether you’re ready to go straight for the main event.
Either way, you’ll be improving your cyber security and that’s got to be a Good Thing.
Whether you’ve decided to opt for ISO27001 or Cyber Essentials, we can help.
For Cyber Essentials and Cyber Essentials Plus certification, our Cyber Essentials Toolkit includes all the guidance, policies, plans, forms and other documentation you need to put in place the five controls, and has recently been updated for the 2022 requirements.
If ISO27001 certification is the right choice, we have a number of ways we can assist. From our award-winning toolkit to consultancy and internal auditing services, whatever level of assistance you need we can help.
And of course, if you’re still undecided we can help there too: contact us today.