What is Cyber Essentials and how does it compare to ISO 27001?
Cyber Essentials is a scheme supported by the UK Government and managed by the National Cyber Security Centre (NCSC), in partnership with the Information Assurance for the Small to Medium Enterprise (IASME) Consortium.
The objective of the Cyber Essentials scheme is to establish a standard set of IT security requirements designed to minimise the likelihood and impact of commonly known cyber-attacks, regardless of the size of the organisation. It covers devices, applications, and services within its scope that hold or process business data. The requirements are grouped into 5 themes, as stated below:
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Security update management
There are two levels of certification for the scheme: Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials
This entry-level (self-assessment) certification encompasses the entire set of controls necessary for attaining certification and showcasing adherence to the foundational level of cyber hygiene, as outlined in the Cyber Essentials standard. Applicants fill out and submit an online questionnaire, which is evaluated by a certified Cyber Essentials assessor.
Cyber Essentials Plus
This elevated level of certification encompasses the identical set of controls mandated by the Cyber Essentials standard. However, in this case, a certified assessor for Cyber Essentials Plus conducts a physical test on the devices, applications, and services falling within the defined scope. This certification level provides an increased level of confidence that the appropriate controls are in place and functioning as anticipated, benefiting both companies and clients. Applicants are required to achieve Cyber Essentials certification within three months before undertaking Cyber Essentials Plus, to ensure the information remains up to date.
What level of certification do I need?
The required certification level will vary based on the objectives set by your organisation. We have suggested some examples below:
- MOD/UK Government Contracts: Organisations aiming to secure MOD/Government contracts will need certification. This requirement stems from the critical need to safeguard the personal information of UK citizens and government employees.
- Supply Chain: For companies involved in the supply chain, demonstrating compliance with data protection laws, especially when handling personal and sensitive data of customers and employees, is crucial. Obtaining Cyber Essentials and Cyber Essentials Plus certifications strongly indicates that your company prioritises data protection and adheres to fundamental cyber security practices.
- Compliance: Cyber Essentials and Cyber Essentials Plus are effective tools for showcasing to senior executives or board members that your organisation has implemented essential safeguards. The Cyber Essentials Plus certification, in particular, provides an additional layer of assurance through the involvement of specialist third-party companies.
What is ISO 27001?
ISO 27001 is a component of a suite of standards devised to address information security, known as the ISO/IEC 27000 series. Its complete designation is “ISO/IEC 27001 – Information Security, Cyber Security and Privacy Protection – Information Security Management Systems – Requirements.” This standard, formulated by the International Organization for Standardization (ISO), furnishes a framework and guidance for establishing, implementing, and managing an Information Security Management System (ISMS).
The primary purpose of ISO 27001 is to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system. Employing a risk-based approach, it is deliberately crafted to be technology-neutral. The standard refers to a set of 93 safeguards or controls, categorised into four domains or sections: organisational, people, physical, and technical.
These domains cover various topics, including:
- Information security policy
- Organisation of information security
- Risk assessment and treatment
- Asset management
- Access control
- Physical security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Compliance with legal requirements and industry standards
- Information quality management
- Risk monitoring and review
Why would I need ISO 27001?
ISO 27001 stands as the globally embraced information security standard. Its primary objective is to safeguard all information assets, encompassing not only digital entities but also physical formats such as paper and microfiche.
Organisations that have attained ISO 27001 certification are well placed to demonstrate an advantage over competitors. This is particularly relevant as organisations increasingly prioritise supply chain management.
What are the differences between ISO 27001 and Cyber Essentials/Cyber Essentials Plus?
While Cyber Essentials and ISO 27001 are both technical standards designed for organisations seeking to demonstrate compliance, each standard exhibits some fundamental distinctions.
- Cyber Essentials: Recognised as a technical compliance-based standard within the UK.
  - Compliance involves the actions necessary for organisations to adhere to the standard, not necessarily to the organisation’s internal rules and regulations.
  - Scope is limited to digital information assets only.
  - Applies to assets and services connected to the internet.
  - Aimed at protecting against the most common types of cyber attacks.
- ISO 27001: A risk-based standard widely acknowledged globally. The risk-based approach involves understanding the risks within an organisation and implementing policies, procedures, processes, and technical controls to manage those risks to an acceptable level.
  - Largely focused on policy and process.
  - Applicable to all forms of information assets (physical and digital).
It’s important to note that Cyber Essentials is not an Information Security Management System (ISMS), making it a less rigorous standard to implement compared to ISO 27001. ISO 27001, on the other hand, can be tailored to meet the needs of organisations ranging from small to enterprise-level.
However, it’s worth mentioning that all the controls required for Cyber Essentials are covered within ISO 27001.
Each standard serves a distinct purpose with its specific scope. Organisations aspiring to bid for MOD or Government contracts will need to meet the minimum Cyber Essentials requirement.
For organisations aiming to exhibit a high level of assurance in cyber security, the recommendation is to attain certification for both ISO 27001 and Cyber Essentials Plus.
Cyber Essentials / Cyber Essentials Plus compared with ISO 27001
Type of standard:
- Cyber Essentials / Cyber Essentials Plus: Technical compliance-based standard. Based on a set of 5 control themes covering the most common web-based attacks against an organisation’s IT systems and services. Controls are a subset of those defined in ISO 27002.
- ISO 27001: Defines requirements for the establishment, implementation, maintenance, and continual improvement of an Information Security Management System (ISMS).
Who it applies to:
- Cyber Essentials / Cyber Essentials Plus: Organisations of any size.
- ISO 27001: Organisations of any size.
Scope:
- Cyber Essentials / Cyber Essentials Plus: The scope is limited to digital assets.
- ISO 27001: The scope encompasses physical and digital assets.
Controls:
- Cyber Essentials / Cyber Essentials Plus: All controls are required for certification.
- ISO 27001: Safeguards are applied based on the type of business activities undertaken.
Mandate:
- Cyber Essentials / Cyber Essentials Plus: Mandatory for UK Government and MOD contracts.
- ISO 27001: Implementation and certification are optional.
Certification cycle:
- ISO 27001: Typically 3 years, with annual audits.
Standard referenced:
- ISO 27001: ISO/IEC 27001:2022 and
Organisations should consider becoming certified to Cyber Essentials first to ensure the basics are covered.