Data breaches and cyber attacks haunt everyone running a business or IT department.
This can be particularly true if you are a smaller business, as not only are you often more vulnerable to attack, but you are less likely to recover in the aftermath. It’s been reported that 60% of small companies go out of business after a breach.
With this in mind, cyber security is obviously hugely important. Not only does a robust security standard protect your business and the personal information in your care, but it can give others the confidence to invest in you.
Meeting an official security certification encourages your business to meet a high standard of security, and allows you to display your achievement on your website for potential clients and associates.
If you’ve been looking around for which certification would best benefit your business, it’s likely you’ve found yourself wondering which is better: Cyber Essentials or ISO 27001? These are both popular and well recognised standards, but their requirements and the benefits they bring are very different.
What is Cyber Essentials?
Cyber Essentials certification covers a basic level of IT security, which is estimated to reduce the risk of most cyber attacks by 80%. The scheme was introduced by The National Cyber Security Centre in 2014.
Your business is required to have Cyber Essentials if it’s working with the government, handling personal data, or providing certain technical services. It’s also increasingly becoming expected when becoming involved with other supply chains and organisations.
The scheme is set around 5 technical controls which need to meet a certain standard to pass. These include: Malware Protection, Boundary Firewalls and Internet Gateways, Patch Management, and Access Control.
There are two levels of certification. Cyber Essentials Basic is based on a self-assessment questionnaire, which is then reviewed by IASME (The Information Assurance for Small and Medium Enterprises Consortium). With Cyber Essentials Plus, on the other hand, your systems are scanned and audited by a third party to assess whether they comply with the standard.
Businesses should renew their Cyber Essentials certification every year to ensure they still meet the standard.
What is ISO 27001?
ISO 27001 is an alternative set of standards for handling IT security. Its full name is “ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements”, but we’ll be sticking with ISO 27001.
Two international organisations developed the standard: the International Organization for Standardization and the International Electrotechnical Commission. The standard aims to protect the “confidentiality, integrity, and availability” of the information held by companies by helping them to adopt an Information Security Management System (ISMS). The first version was released in 2005, and the standard is reviewed every few years.
The main document for ISO 27001 is split into two parts. The first part is centred around 11 clauses, 6 of which lay out the requirements for the standard. These cover:
- The Context of the Organisation
- The Leaders of the Organisation
- Planning (Particularly risk assessments and security objectives)
- The Support in Place for the ISMS
- Operation and Processes
- Performance Monitoring and Evaluation
The second, “Appendix A”, is a list of control objectives and controls which might be helpful to refer to.
ISO 27001 also has its own list of controls, 114 to be exact. These don’t just cover technical controls, but also controls relating to areas of the business such as Human Resources and Legal Compliance.
Organisations can get certified by having at least the minimum set of documents laying out the appropriate policies, records, and procedures. These are then audited by an accredited certification body. Recertification audits are required every 3 years.
Individuals can gain an ISO 27001 certification by taking a course and passing an exam.
What’s the difference?
While Cyber Essentials is a UK Government program, ISO 27001 is an international standard. There are British industries and organisations, particularly related to the government, which require the partners and agents they work with to be CE compliant. Internationally, some countries have chosen to make ISO 27001 a legal necessity in some industries.
ISO 27001 is more comprehensive, covering more areas of a business which may leave companies vulnerable. It covers all information security and accessibility, instead of specifically having an IT focus. This means it takes significantly more time to build towards than Cyber Essentials.
Even when no changes are requested by the auditor, it takes an average of a year for most companies to gain ISO compliance. However, the scheme also comes with some flexibility as it doesn’t have specific control requirements for compliance.
Cyber Essentials certification is comparatively much quicker to achieve and laser-focused on cyber security specifically. Most businesses can receive their certificate within a month of starting pre-work for compliance. There’s also a fast-track option which can help things to move even more quickly. Within the UK, some industries prefer it over ISO 27001, and customers choosing where to take their business may be more familiar with it.
The certification process is also different. You can qualify for basic Cyber Essentials compliance through a self-assessment. For the advanced version, your systems will also be scanned and assessed by a secure third party.
In contrast, to qualify for an ISO 27001 certificate, your company will need to undergo an in-depth audit of your documents and procedures. This can cost upwards of thousands of euros, depending on your business size.
There is a perception that Cyber Essentials is more directed at small and medium businesses. You can gain certification for as little as £300 per year (depending on the size of your company) and the standards are achievable for businesses of this size while also giving them significant protection from cyber attacks.
In short, Cyber Essentials covers what you need to create a solid foundation of cyber security practices in UK businesses. ISO 27001 is bigger in scale and scope, but also in price and the amount of time investment needed.
Which do I need?
If you’re primarily dealing with other businesses in the UK and your company isn’t centred on storing sensitive information, Cyber Essentials should cover you in most cases. It’s a quick, relatively low-cost process which will give you a baseline of protection from cyber crime that you can build on yourself over time. It will also clearly show your customers and associates that you prioritise the protection of information.
If you’re dealing with mostly international clients or associates, or if you are a larger business with security concerns you want to dig into, ISO 27001 is generally a good choice. If you routinely store sensitive information as a part of your business model, it can also give prospects confidence that you are going above and beyond to take its security seriously.
Why can’t we have both?
It’s a good question and, other than it being a larger investment, there’s no real reason why you shouldn’t.
Many companies treat Cyber Essentials as a short-term goal while they’re establishing themselves. It’s quick and easy to do, and can serve as a great introduction to cyber security for the uninitiated. Depending on your industry, it might also open up opportunities for government contracts.
Once they have the resources to dedicate to it, some businesses choose to pursue ISO 27001 accreditation. This may come at a time when they’re hoping to expand to an international market.
Completing the Cyber Essentials scheme first can mean there’s less pre-work to do when it comes to the IT element of the standards. Leaving ISO until later can also mean the company is more likely to have already built up a bank of the processes and records which are needed for compliance, although they may still need a few tweaks.
If you’re looking to get support with Cyber Essentials or Cyber Essentials Plus, we’d be excited to help.
SpiderGroup are a Bristol-based company with a range of options for helping businesses get their certificate, from a portal-only service, to our consulting package, to arranging your Plus assessment for you. Find out more here about how we can make the whole process as stress-free as possible.