The choice between Cyber Essentials and ISO 27001: which side are you on?

02 Feb 2017


By Steve Mair – Senior Cyber Security Consultant at PGI

Over recent months I’ve heard a lot of discussion about the relative merits of Cyber Essentials (and Cyber Essentials Plus) and ISO27001. I thought I’d write a post setting those out in a structured way so that it’s easier for people to make a choice between them. This post supports a podcast on the same topic which was published on LinkedIn last week.

Before we start, according to a recent Federation of Small Businesses (FSB) document, “Cyber Resilience: How to protect small firms in the digital economy”, only 2% of member organisations have either Cyber Essentials or ISO27001. That seems like a very low figure to me. In the same report, only 4% had a documented incident plan, and less than a quarter (24%) had a password policy.

These figures would suggest that more needs to be done by SMEs, but this is probably because they need more help, education and guidance which is pragmatic and cost-effective in nature.

Cyber Essentials

The road to Cyber Essentials is now over 5 years old, though the requirement for Cyber Essentials is a bit younger. Back in 2011, the UK Government launched a cyber strategy with the aim of “Making the UK a safe place to do business”. 

As part of that cyber strategy, the Ten Steps to Cyber Security were launched by UK Government in 2012.

Cyber Essentials were developed as an extension of the Ten Steps, and you can find out more about them here.

Since October 2014, Cyber Essentials (CE) has been required as a minimum certification for any company wishing to contract directly with UK Government. If you read the documentation in the links provided above, you’ll see that ISO27001 can be accepted instead, but in practice this has been very difficult to get through: I’ve seen government departments require CE on top of ISO27001.

As a result of this push by UK government, CE is recognised as an industry-standard baseline and demonstrates good security practice, particularly for smaller businesses. It helps protect your organisation against common cyber threats, and shows your customers that you take security seriously. Having the CE “badge” on your website can be a selling point.

It’s important to note that before you start your application for CE, you need to be clear on the scope of systems which will be included in the assessment. A small business with a handful of devices, in one physical location, is likely to include the whole operation in the scope. Larger corporates with multiple sites and services may look to restrict the scope to a single network segment, service line or location: this will have to be agreed with the assessor.

Certification against Cyber Essentials is split into five key areas, which are described at a high level below.
