Cyber Essentials vs ISO 27001 Information Security

10 Oct, 2023

Understand the differences between these two well-known certifications: Cyber Essentials and ISO 27001 Information Security.

What is Cyber Essentials? 

Cyber Essentials is a UK government-backed scheme that protects organisations from common online threats. Its primary goal is to establish a foundation of basic cybersecurity measures. The framework focuses on five key areas:

1. Firewalls: protecting your internet connection from unauthorised access.    
2. User Access Control: limiting access and permissions to reduce the risk of unauthorised access. 
3. Malware Protection: implementing measures against malware including viruses, ransomware, and other malicious software.  
4. Updating Software and Devices: keeping software and devices up to date with the latest security updates to address known vulnerabilities.  
5. Secure Configuration: ensuring the most secure settings for your devices and software.    

There are two levels of certifications:

1. Cyber Essentials: This is the basic level of certification and involves you completing a self-assessment questionnaire that demonstrates you have effective cyber security measures in place. This is then reviewed by a certified Cyber Essentials assessor.  

2. Cyber Essentials Plus: This is the enhanced level which encompasses the same set of controls as the basic level. However, a certified Cyber Essentials assessor will conduct an audit to prove your cyber controls are implemented and functioning as expected. This provides additional assurance to both you and your stakeholders.  

Cyber Essentials Plus must be achieved within three months of your self-assessment for Cyber Essentials.  

What is ISO 27001 Information Security? 

ISO 27001 is the internationally recognised standard for information security and considers a broad range of security – not just cyber-related ones. The Standard is developed by the International Organization for Standardization (ISO) and outlines the requirements for establishing, implementing, maintaining, and continually improving your information security management system (ISMS). The Standard has also recently been updated to enhance its relevance in today’s digital landscape.  

The Standard encompasses 93 controls organised into four control groups:

1. Organizational Controls
2. People Controls
3. Physical Controls
4. Technological Controls 

What are the key differences?

Why Implement Both Cyber Essentials and ISO 27001? 

Here are three ways organisations can benefit by implementing both Cyber Essentials and ISO 27001:

1. Comprehensive Coverage: implementing both certificates ensures complete coverage of security measures, from fundamental controls with Cyber Essentials to advanced risk management strategies with ISO 27001.
2. Compliance and Credibility: combining both certificates will enhance your reputation and demonstrate a strong commitment to cybersecurity.  
3. Effective Risk Management: integrating the two certificates can help you manage risks at various levels, further reducing potential vulnerabilities and threats.  

Next Steps…

Implementing Cyber Essentials: Whilst we can’t support you with the implementation of Cyber Essentials, we work closely with both Assure Technical and IASME. Contact the team today on 0330 058 5551 to find out more.  

Implementing ISO 27001: ISO QSL can help you achieve ISO 27001 certification in as little as 6-8 weeks. We will also provide ongoing support with twice-yearly visits to help you maintain compliance. To get a free no-obligation quote, contact our friendly trusted advisors on 0330 058 5551.