By Steve Mair – Senior Cyber Security Consultant at PGI
Over recent months I’ve heard a lot of discussion about the relative merits of Cyber Essentials (and Cyber Essentials Plus) and ISO27001. I thought I’d write a post outlining those in a structured way so that it’s easier for people to make a choice between them. This post supports a podcast on the same topic which was published on LinkedIn last week.
Before we start, according to a recent Federation of Small Businesses (FSB) document, “Cyber Resilience: How to protect small firms in the digital economy”, only 2% of member organisations have either Cyber Essentials or ISO27001. That seems like a very low figure to me. In the same report, only 4% had a documented incident plan, and less than a quarter (24%) had a password policy.
These figures suggest that more needs to be done by SMEs, but this is probably because they need more help, education and guidance which is pragmatic and cost effective in nature.
The road to Cyber Essentials is now over 5 years old, though the requirement for Cyber Essentials is a bit younger. Back in 2011, the UK Government launched a cyber strategy with the aim of “Making the UK a safe place to do business”.
As part of that cyber strategy, the Ten Steps to Cyber Security were launched by UK Government in 2012.
Cyber Essentials were developed as an extension of the Ten Steps, and you can find out more about them here.
Since October 2014, Cyber Essentials (CE) has been required as a minimum certification for any company wishing to contract directly with UK Government. If you read the documentation in the links provided above, you’ll see that ISO27001 can be accepted instead, but in practice this has been very difficult to get through: I’ve seen government departments require CE on top of ISO27001.
As a result of this push by UK Government, CE is recognised as an industry standard baseline and demonstrates good security practice, particularly for smaller businesses. It helps protect your organisation against common cyber threats, and shows your customers you take security seriously. Having the CE “badge” on your website can be a selling point.
It’s important to note that before you start your application for CE, you need to be clear on the scope of systems which will be included in the assessment. A small business with a handful of devices, in one physical location, is likely to include the whole operation in the scope. Larger corporates with multiple sites and services may look to restrict the scope to a single network segment, service line or location: this scoping will have to be agreed with the assessor.
Certification against Cyber Essentials is split into five key areas, which are described at a high level below.