Cyber Essentials vs ISO 27001 – Which is the best for my organisation?
Whether you are completing an audit, responding to an RFI, or getting a quote for Cyber insurance, you will notice that everyone wants an answer to the same question – which security accreditations do you have?
The two most prominent IT Cyber Security Accreditations in the UK, and the two most commonly requested, are Cyber Essentials and ISO 27001. Both have financial and time commitments to them, and in a world where there is never enough time in the day, it is important to understand the difference, the benefits and the investment that is required to help you meet your Cyber and compliance goals.
This guide aims to demystify the differences between both Cyber Essentials and ISO 27001, give a balanced overview of why they are needed, what’s involved and where to start.
What are the benefits to your organisation for accreditation?
Many businesses see accreditation as unnecessary evil due to the cost and time commitments they require, so before you embark on your accreditation journey, it’s important to understand the benefits of being accredited to your organisation as this can help support your goals, timings and give you firm justification of the costs and time to your board.
Having either of these Cyber Security accreditations means that:
- Your data and cyber security position is strengthened
- Your credibility and reputation will be improved
- You can win more business when completing tenders and RFIs
- You can impress and reassure your existing clients
- Ensure your processes are continually improved and refined
- You will get cheaper Cyber insurance premiums
- They can help avoid fines and penalties by lowering your data loss risk
What are the core differences between Cyber Essentials / Cyber Essentials Plus and ISO 27001
Whilst both certification types aim to meet the same goal – to protect your data and security from common cyber threats - both Cyber Essentials / Cyber Essentials Plus and ISO 27001 have different ways of achieving these.
Cyber Essentials focuses on your technological measures and controls – that is what security processes you have put in place across your organisation to protect data. Their 5 core controls include; secure configuration, firewalls, user access controls, malware protection and patch management. You will be expected to meet these in a variety of ways, such as having MFA policies enabled, anti-virus monitoring or remote access control.
ISO 27001 focuses on your information security management system (ISMS), including which policies and procedures you have in place, security training, risk reviews, audits and much more. Completing ISO 27001 means that security becomes the core of your businesses operations and processes, and helps to integrate information security into the core culture of your business.
What will I need to complete Cyber Essentials or Cyber Essentials Plus?
Standard Cyber Essentials is managed by the IASME Consortium and involves completing a self-assessment report. Once you have paid for the certification, you will receive the report and have 6 months in which to complete it.
This could be completed by anyone in your organisation responsible for IT, such as your IT Director or Operations Manager. If your IT is outsourced, then you should be able to reach out to your provider for assistance in completing the certification.
Once you have completed the assessment, your report will be assessed on a pass/fail basis usually within 24 hours. If you have failed, you will have 48 hours to remediate your answers or evidence for resubmission. If you fail again, then you will have to repurchase the certification.
You can purchase Cyber Essentials Here: Cyber Essentials Verified Self-Assessment - Iasme
Cyber Essentials Plus involves completing the self-assessment spreadsheet, and then having this audited by a credited 3rd party assessor.
If you have completed your standard Cyber Essentials in the last 3 months then you will not need to do it again. Many organisations will wrap standard cyber essentials into their cyber essentials plus offering to complete everything at once.
To get Cyber Essentials Plus, you can find an assessor here Certification Bodies - Iasme
What will I need to complete ISO 27001?
As ISO 27001 is a larger system audit, you will need to assign a member of your organisation to help manage and steer the project. This will usually be the person in your organisation responsible for compliance or information security. ISO 27001 also has a large focus on management involvement, so it is key to ensure your management and leadership team is on board.
Once you have reached out to ISO 27001 assessors in your country, and decided upon a quote to proceed with, then they will usually recommend that you purchase a copy of the standard which your organisation will need to comply with to achieve your certification.
Usually, the assessors will do a 2 stage audit, with the 1st stage assessing where you currently are in relation to the standard and offering advice and recommendations to get there. The 2nd stage will be the full audit, normally completed a few months after the initial analysis.
Whilst you are completing ISO 27001, you will undoubtably be getting your policies and procedures in order, and updating your systems and processes to meet the standard, which will involve time from not only your information security officer, but also your HR, IT team, operational team and your upper management team.
Although the ISO 27001 certification lasts for 3 years, you will be reaudited on an annual basis to ensure you are still complying with your ISMS that was accredited. The assessor should give you pricing for this as part of your initial quote.
Your Accreditation Journey Starts Today!
We hope that this information has been useful to help you decide which path to take on your journey to accreditation, and the benefits and rewards that being accredited can bring. Completing these types of assessments don’t have to be a thorn in your growth and cyber plans. With clear goals, a clear path and a clear priority it means that you can make positive steps towards bringing Cyber security into the centre of your organisation and reap the rewards of being ahead of the curve.
If you would like any further help or advice, or just to run through your available options, contact us today for a free 30 minute cyber consultancy session.