Cyber Essentials and ISO 27001 – where should organisations be looking?

14 Sep, 2016

The National Cyber Skills Centre and ISO Quality Services Limited are collaborating on a 12 week series of articles, made available free on their respective websites, to raise awareness among SMEs of how adopting and adhering to a recognised industry or international standard provides the levels of information security and governance expected in today’s business world.


With the risk of data loss becoming more and more apparent to organisations of all shapes and sizes, many questions are being raised about what counts as adequate protective layers of policies and processes. What should organisations have in place to protect their staff and customer data and their overall reputation – and is there a minimum security level small businesses should adhere to?

With the number of high profile attacks increasing, the security of data is becoming a priority for business leaders and governments alike. There was a 35% increase in the number of attacks from 2014 to 2015 (PWC) in the UK and according to a report by the UK government, 90% of large businesses were affected by a data breach in the last year.

It is still a common misconception that hacks and data breaches only happen to larger businesses, but alarmingly 74% of small businesses in the UK suffered a data breach in the last year. These breaches can cost organisations anywhere between £75,000 and £311,000 to repair, and can also be accompanied by heavy fines. Organisations, large and small, are collecting, storing and harnessing more information than ever before, and all businesses store potentially sensitive data, whether about customers, staff or suppliers. This data is under threat by various different means, but what are the ramifications should it be accessed?

What sort of measures should you have in place to minimise the risk? What is out there to help?

The Cyber Essentials Scheme is a Government backed initiative tasked with providing guidance for businesses of all sizes in various sectors, with two tiers of assessment. The scheme helps put companies in a position to protect themselves against basic cyber-attacks through a set of security controls within their IT systems, which include: Boundary Firewalls and Internet Gateways, Secure Configuration, Access Control, Malware Protection and Patch Management. The initiative provides “basic but essential” protections that any business should have in place to minimise threats, and against which the business is assessed and certified. This level of protection allows a business to demonstrate to customers that cyber threats are understood and measures are in place to protect their information.

But threats to security aren’t just cyber – what do you do if a data breach is physical, not digital? This is where the ISO 27001 Information Security Standard comes in. But what is it and how can it help?

While it is great that a business would be certified to Cyber Essentials, what about the bigger security picture? You could be protecting the business from cyber-attacks, but are you leaving the front door open to other threats? And are you missing ones that could be right under your nose? It’s a bit like the scene in the first Mission Impossible movie, where Tom Cruise lowers himself into the room to access the computer – we’re not saying everyone would go to these extremes, but the idea is there!

The ISO 27001 Information Security Management Standard is an internationally recognised standard that companies worldwide are certified to. ISO, the International Organisation for Standardisation, creates standardised business practices that help organisations demonstrate their commitment to their customers.

ISO 27001 incorporates all the requirements of the Cyber Essentials Scheme and much, much more. The standard looks at information security as a whole, encompassing people, processes and technologies, and forming a complete outlook on securing your confidential information. Ultimately, ISO 27001 is considered a much more comprehensive and all-inclusive standard, which also monitors the risk levels and the after effects of a security threat. Examining and controlling your policies and procedures helps eliminate the problem at the source, before the threat can escalate.

ISO 27001 also helps you control another potentially volatile variable – your staff. Often overlooked, your staff are one of the biggest risks to the information you hold. Employees should understand the risks and be educated against accidental leaks as well as malicious ones. Email policies, human resource security, key fobs, transferring data and working from home are all factors that also need to be considered as part of a comprehensive approach. Information is not just data, and attacks are not just cyber!

Best practice advice stipulates that Cyber Essentials should be adopted in addition to, not as an alternative to, the ISO 27001 Standard. Having both initiatives in place communicates a strong sense of responsibility to customers, and both help to improve governance and enhance your security practices. You can’t eliminate the threats, but both will help you to categorise and minimise them.

The information you collect needs to be safeguarded and secure. For more information regarding Cyber Essentials protection please speak to the team at the National Cyber Skills Centre or learn more at the Department for Business, Innovation and Skills. If you would like to learn more about becoming certified to the all-encompassing ISO 27001 Information Security Management System, we can help!

Worcester-based ISO Quality Services Ltd is proud to specialise in the implementation and certification of the internationally recognised ISO and BS EN Management Standards.

Do you want to protect the data within your business? Are you seeking training to understand the ISO 27001 further? Contact ISO Quality Services Ltd today on 01905 670303 or email

