By Steve Mair – Senior Cyber Security Consultant at PGI
Over recent months I’ve heard a lot of discussion about the relative merits of Cyber Essentials (and Cyber Essentials Plus) and ISO27001. I thought I’d write a post outlining those in a structured way so that it’s easier for people to make a choice between them. This post supports a podcast on the same topic which was published on LinkedIn last week.
Before we start, according to a recent Federation of Small Businesses (FSB) document, “Cyber Resilience: How to protect small firms in the digital economy”, only 2% of member organisations hold either Cyber Essentials or ISO27001. That seems like a very low figure to me. In the same report, only 4% had a documented incident response plan, and less than a quarter (24%) had a password policy.
These figures suggest that more needs to be done by SMEs, but this is probably because they need more help, education and guidance that is pragmatic and cost-effective in nature.
The road to Cyber Essentials is now over 5 years old, though the requirement to hold Cyber Essentials is a bit younger. Back in 2011, the UK Government launched a cyber security strategy with the aim of “Making the UK a safe place to do business”.
As part of that cyber strategy, the Ten Steps to Cyber Security were launched by UK Government in 2012.
Cyber Essentials was developed as an extension of the Ten Steps, and you can find out more about it here.
Since October 2014, Cyber Essentials (CE) has been required as a minimum certification for suppliers bidding for certain UK Government contracts, specifically those involving the handling of sensitive or personal information or the provision of certain ICT products and services. If you read the documentation in the links provided above, you’ll see that ISO27001 can be accepted instead, but in practice this exemption has been very difficult to obtain: I’ve seen government departments require CE on top of ISO27001.
As a result of this push by UK Government, CE is recognised as an industry-standard baseline and demonstrates good security practice, particularly for smaller businesses. It helps protect your organisation against the most common, commodity cyber threats, and shows your customers that you take security seriously. Having the CE “badge” on your website can be a selling point, though it is worth remembering that it evidences a baseline set of technical controls rather than a full information security management system.
It’s important to note that before you start your application for CE, you need to be clear on the scope of systems which will be included in the assessment. A small business with a handful of devices in one physical location is likely to include the whole operation in the scope. Larger corporates with multiple sites and services may look to restrict the scope to a single network segment, service line or location: a restricted scope must have a clearly defined boundary, and it will have to be agreed with the assessor before the assessment begins.
Certification against Cyber Essentials is assessed across five key control areas, which are described at a high level below.