Over recent months I’ve heard a lot of discussion about the relative merits of Cyber Essentials (and Cyber Essentials Plus) and ISO27001. I thought I’d write a post outlining those in a structured way so that it’s easier for people to make a choice between them.
Before we start, according to a recent Federation of Small Businesses (FSB) document, “Cyber Resilience: How to protect small firms in the digital economy”, only 2% of member organisations have either Cyber Essentials or ISO27001. That seems like a very low figure to me. In the same report, only 4% had a documented Incident plan, and less than a quarter (24%) had a password policy.
These figures suggest that more needs to be done by SMEs, but this is probably because they need more help, education and guidance that is pragmatic and cost-effective.
The road to Cyber Essentials is now over 5 years old, though the requirement for Cyber Essentials is a bit younger. Back in 2011, the UK Government launched a cyber strategy with the aim of “Making the UK a safe place to do business”.
As part of that cyber strategy, the Ten Steps to Cyber Security were launched by UK Government in 2012.
Cyber Essentials were developed as an extension of the Ten Steps, and you can find out more about them here.
Since October 2014, Cyber Essentials (CE) has been required as a minimum certification for any company wishing to contract directly with UK Government. If you read the documentation in the links provided above, you’ll see that ISO27001 can be accepted instead, but in practice this has been very difficult to get through: I’ve seen government departments require CE on top of ISO27001.
As a result of this push by UK government, CE is recognised as an industry standard baseline and demonstrates good security practice, particularly for smaller businesses. It helps protect your organisation against common cyber threats, and shows your customers you take security seriously. Having the CE “badge” on your website can be a selling point.
It’s important to note that before you start your application for CE, you need to be clear on the scope of systems which will be included in the assessment. A small business with a handful of devices, in one physical location, is likely to include the whole operation in the scope. Larger corporates with multiple sites and services may look to restrict the scope to a single network segment, service line or location: this will have to be done with the assessor.
Certification against Cyber Essentials is split into five key areas, which are described at a high level below.
- Boundary firewalls and internet gateways – This looks at rulesets and protocols, documented change control and password management, to protect against unauthorised access to and from your network.
- Secure configuration – This covers removal of unwanted software, appropriate password management, personal firewalls and user account management, to help ensure that endpoints are protected.
- Access control – This set of controls is all about making sure that only those who need access to a system are given access, that passwords are managed appropriately and that accounts are removed when no longer needed.
- Malware protection – These controls cover anti-virus software, updates to that software and regular scanning.
- Patch management – In some ways this is similar to malware protection, but covers updates to all software, the removal of unsupported software and appropriate licensing.
Across those 5 domains, there are 26 controls in total. These controls are what the assessment is carried out against.
In order to attain certification for CE, a self-service questionnaire is the most popular route. The business can complete this at their leisure and submit it to a Certification body, who will review the results and grant certification if appropriate. Typically, this will take 1 – 2 days.
Cyber Essentials Plus follows much the same route, though an external penetration test of the relevant internet connections / points of presence is required: this is the “Plus” bit. The penetration test is carried out to determine whether any critical or serious vulnerabilities exist in the systems which are accessed from the internet. This process will take around 3 – 5 days, depending on the complexity and results of your penetration test(s).
Note that it would be expected that any high risk vulnerabilities would be fixed (and another penetration test carried out to prove this) prior to certification being granted.
CE Plus therefore gives potential clients (and you as a business) a higher level of assurance, because an external Third Party is involved and your point(s) of connection to the internet have been tested.
CE and CE Plus need to be renewed on an annual basis, and that recertification has a cost, though that is likely to be less than the initial fee, assuming that the scope has not changed in any significant way.
This Standard is significantly older than Cyber Essentials, as you’d expect. It has its origins in the British Standard, BS7799, which was originally published in 1995 and revised in 1998. In 2000, it was adopted by the International Standards Organisation (ISO) as ISO/IEC 17799 “Information Technology - Code of practice for information security management”. That document was revised in June 2005 and finally adopted as ISO/IEC 27002 in July 2007 with a further revision in 2013. Its full title is Information Technology – Security Techniques – Code of Practice for Information Security Management.
Eagle-eyed readers may have spotted that the document was adopted as 27002 – yet we all talk about 27001. The reason for this is that ISO 27002 sets out the actual controls which must be met for the Standard. ISO 27001 is actually a specification for an Information Security Management System (ISMS), and is used as a shorthand description for all the ISO 270xx Standards, which are all related to Information Security.
Given that ISO27001 has such a long pedigree, and has been refined through use over the years, it is recognised globally as industry best practice. It demonstrates a strong commitment to Information Security, and provides reassurance to potential clients, both domestically and abroad, that data is likely to be well protected. For multinational businesses, it’s pretty much expected that in order to operate in multiple jurisdictions an international standard is adopted. ISO is one, but there are others e.g. the NIST framework.
As with CE, before setting out on the path to certification, it is important to clearly define the scope of operation and systems to be certified. (As an aside, when dealing with a business that says they have ISO27001, ask to see their statement of applicability, or SOA. I have seen cases where this only applied to their HR system, or a data centre, but not the service I was using.)
ISO 27001 is measured against 14 domains, which are described briefly below:
- Information Security Policies – Covers the existence of policies, and confirms they are available for review
- Organisation of information security – Includes roles and responsibilities, segregation of duties, inclusion in project management, mobile devices and remote working
- Human resources security – Covers the joiners, movers and leavers processes
- Asset management – This section covers asset ownership and inventory, classification and handling, transfer and disposal, including removable media
- Access control – This looks at the access control policy from a business perspective, user provisioning and deprovisioning, restrictions on access and user responsibilities
- Cryptography – Covers encryption key management and control
- Physical and environmental security – This section looks at secure areas, protection of equipment and cabling, maintenance and removal, security off-premise, secure disposal and reuse, clear desk policy etc.
- Operations security – Includes operational procedures and responsibilities, protection from malware, backups, logging and monitoring, installation of software, patch management and audit controls
- Communications security – Covers network controls and segregation, information transfer and confidentiality
- System acquisition, development and maintenance – Looks at security requirements of information systems including services on public networks, protecting transactions, including security in development and support processes, and protecting test data
- Supplier relationships – Ensures that information security considerations are met when setting out Third Party relationships and service delivery management
- Information security incident management – Covers the management of information security incidents and lessons learned / improvements
- Information security aspects of business continuity management – Looks at continuity and availability of information security related services and controls
- Compliance – This covers compliance with legal and contractual requirements and regulations, and information security reviews
It has 114 controls in total, though these are not spread evenly across those 14 domains.
ISO27001 is, by its nature, much more complex than CE and certification therefore takes a lot longer. Typically, it’ll take between 6 and 9 months, but that will depend on resource availability, skills, knowledge, experience and perhaps bringing in a Third Party to help.
Once certified, there will be maintenance visits every 12-18 months by the assessor, just to ensure that processes are still in place and that the business is progressing. The maintenance visit is not a full audit: that is done during recertification, which is every 3 years. If your scope changes in the meantime, you will need to recertify against that new scope.
Due to the time taken, the relative complexity of certification and the effort required to maintain it, it’s likely that smaller businesses will not pursue certification unless they have a client which specifically requires it.
Making a Choice
This all seems like a lot of information to take in, but it’s reasonably straightforward. In terms of deciding whether you should pursue CE, CE Plus or ISO 27001, there are a number of factors to consider. Some of these factors are described below.
Legal, contractual or regulatory obligations may force you to have one or the other. Suppliers into UK Government have to have CE at least, and as the focus moves down the supply chain, this could affect businesses which are sub- sub- sub-contractors to main providers.
Your business may store lots of personal data e.g. financial records, health records etc., and you may find that insurers look favourably on those with certification: potential clients might do the same.
If you carry out business in several countries, with different laws etc., having an internationally recognised and accepted standard may set you apart from your opposition: does the cost of implementing it stack up against the cost of trying to do something locally each time, or of not doing anything?
Carry out a cost-benefit analysis to see whether the rewards outweigh the costs. Consider the risks to your business if you don’t have even the basics in place. Can you afford to be one of the 66% of FSB members that were subject to an attack last year? Given that only 2% of FSB members had either certification, statistically two thirds of them would have been attacked, but in reality they are more likely to have been in the third that were not.
Perhaps most compelling, and not mentioned so far, is the effect that GDPR will have. With a maximum penalty of 4% of global turnover in the event of a breach, this is a significant piece of legislation. If your business demonstrates that it complies with one or more standards through certification, it reduces the risk of a maximum fine being applied. It becomes a compelling financial argument for the adoption of one of the above standards, rather than a reason to do nothing.
PGI believes that cyber security doesn’t need to be overly complicated, incomprehensible or vastly expensive. We specialise in delivering cyber security services and protection, and offer a range of training courses to upskill your staff to tackle cyber threats in-house.