The choice between Cyber Essentials and ISO 27001: which side are you on?


02 Feb 2017

By Steve Mair – Senior Cyber Security Consultant at PGI

Over recent months I’ve heard a lot of discussion about the relative merits of Cyber Essentials (and Cyber Essentials Plus) and ISO27001. I thought I’d write a post outlining those in a structured way so that it’s easier for people to make a choice between them. This post supports a podcast on the same topic which was published on LinkedIn last week.

Before we start, according to a recent Federation of Small Businesses (FSB) document, “Cyber Resilience: How to protect small firms in the digital economy”, only 2% of member organisations have either Cyber Essentials or ISO27001. That seems like a very low figure to me. In the same report, only 4% had a documented incident plan, and less than a quarter (24%) had a password policy.

These figures would suggest that more needs to be done by SMEs, but this is probably because they need more help, education and guidance which is pragmatic and cost effective in nature.

Cyber Essentials

The road to Cyber Essentials is now over 5 years old, though the requirement for Cyber Essentials is a bit younger. Back in 2011, the UK Government launched a cyber strategy with the aim of “Making the UK a safe place to do business”. 

As part of that cyber strategy, the Ten Steps to Cyber Security were launched by UK Government in 2012.

Cyber Essentials was developed as an extension of the Ten Steps, and you can find out more about it here.

Since October 2014, Cyber Essentials (CE) has been required as a minimum certification for any company wishing to contract directly with UK Government. If you read the documentation in the links provided above, you’ll see that ISO27001 can be accepted instead, but in practice this has been very difficult to get through: I’ve seen government departments require CE on top of ISO27001.

As a result of this push by UK Government, CE is recognised as an industry standard baseline and demonstrates good security practice, particularly for smaller businesses. It helps protect your organisation against common cyber threats, and shows your customers you take security seriously. Having the CE “badge” on your website can be a selling point.

It’s important to note that before you start your application for CE, you need to be clear on the scope of systems which will be included in the assessment. A small business with a handful of devices, in one physical location, is likely to include the whole operation in the scope. Larger corporates with multiple sites and services may look to restrict the scope to a single network segment, service line or location: this will have to be done with the assessor. 

Certification against Cyber Essentials is split into five key areas, which are described at a high level below.
