ISO 27001 and the Cyber Essentials scheme
Do organizations have to certify to Cyber Essentials if they have already achieved an ISO 27001 certification?
Yes. Although ISO 27001 is considered a much more comprehensive and rigorous standard, organizations wishing to obtain the Cyber Essentials or Cyber Essentials Plus badge still need to apply for certification.
Several major ISO 27001-certified companies, including Barclays and Vodafone, have also sought certification to Cyber Essentials.
According to its certification body, Barclays found the process of achieving Cyber Essentials certification straightforward because of the security processes it already had in place, along with its ISO 27001 certification.
Can Cyber Essentials replace ISO 27001?
No. Cyber Essentials should be adopted as well as – not instead of – ISO 27001. The ISO 27001 standard offers various additional benefits, such as its international recognition, comprehensive approach and position at the core of cyber resilience.
Because ISO 27001 includes controls focusing on information security continuity, it provides an excellent foundation for a more comprehensive cyber resilience posture.
“You can use Cyber Essentials to try to stop low-level attacks from succeeding, but, realistically, some will get through your defenses. How you recover from an attack falls entirely outside the scope of Cyber Essentials, so additional measures are essential.” – Alan Calder, Founder and Executive Chairman, IT Governance.
According to Steve Watkins, UKAS advisor for ISO 27001:2013, the requirement to account for “interested parties” in ISO/IEC 27001:2013 implies that client, employee and community needs must be considered when implementing and maintaining the ISMS (information security management system).
It is reasonable to assume that at least one of these parties will require the organization to protect itself against low-level cyber attacks. The Cyber Essentials control profile is designed specifically with such attacks in mind, so it is reasonable to conclude that an ISO 27001-compliant ISMS will deliver the controls in Cyber Essentials, or equivalent ones that provide the same degree of assurance against the associated risks.
Embarking on certification to ISO 27001 and Cyber Essentials
If you are new to ISO 27001, it will be more resource- and time-effective to initiate certification to both standards at the same time. IT Governance can help you achieve this with an integrated approach. Depending on your current resources, time commitment and budget, you may wish to start the process with certification to Cyber Essentials. This will give you an introduction to the world of certification and information security.
When you are ready to take the next step of implementing a robust ISMS, you will be well positioned to continue on to ISO 27001.
According to cyberessentials.org, Cyber Essentials aims to entrench cybersecurity into an organization’s approach to information risk management. Cyber Essentials is also aimed at helping smaller businesses to uncover risks that they may not otherwise be aware of.
“Cyber Essentials is complementary to the good work and value across several existing standards and frameworks. The Scheme gives testable guidance on five areas of basic technical controls. When implemented, it will help organizations protect themselves from online cyber threats. Its principles apply to organizations of all sizes, from micro enterprises to large corporates. Our main aim is adoption—we want to see Cyber Essentials adopted as far and wide as possible. We want to see a step change in organizational cybersecurity behaviours.” —Richard Bach, Assistant Director, Cyber Security, Department for Business, Innovation and Skills.
IT Governance offers three distinct certification solutions that will enable you to achieve Cyber Essentials or Cyber Essentials Plus certification cost-effectively and easily.
The Cyber Essentials certification process includes a self-assessment questionnaire (SAQ) and an external vulnerability scan.
Cyber Essentials Plus
Cyber Essentials Plus certification includes all of the assessments for Cyber Essentials certification, as well as an internal scan and an on-site assessment.
Our ISO 27001 Packaged Solutions provide everything you need to implement ISO 27001 without any of the usual associated complexities and costs.