Cyber Essentials or ISO27001? Or both?
Welcome to our first Blog! We are regularly asked by our Clients – should I implement ISO27001, Cyber Essentials, or both? The answer depends on the Organisation, its Business goals, compliance requirements, resources and, of course, budget!
So let’s recap – what is Cyber Essentials? Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber-attacks. Cyber Essentials helps Organisations of all shapes and sizes to guard against the most common cyber threats and demonstrates their commitment to cyber security – to customers, partners, suppliers and regulators. It’s not new: it has been around since June 2014, and since October 2014 the UK government has required all suppliers bidding for certain contracts that involve handling sensitive and personal information to be certified against the Cyber Essentials scheme.
So what’s covered? The Cyber Essentials certification covers the following 5 areas:
- Network Security
- Secure Device Configuration
- User Access Control
- Malware Protection
- Patch Management
What is ISO27001? ISO 27001 is the international standard that describes best practice for implementing an information security management system (ISMS). An ISO27001 ISMS is a system of processes, documents, technology and people that helps to manage, monitor, audit and improve your organisation’s information security. It helps you manage all your security practices in one place, consistently and cost-effectively. Cyber Essentials, by contrast, focuses solely on the technical controls and approaches that an Organisation should adopt to improve its Cyber defences. They complement each other perfectly.
Cyber Essentials certification is achieved by performing a Gap Analysis of your Company’s Cyber Security posture against the Cyber Essentials Audit questionnaire. Where gaps are identified, action must be taken to make the required changes to comply with the Audit controls. Once completed, the questionnaire is submitted to a Certification Body and reviewed. Many of our customers are terrified of Cyber Essentials, but with a little hand-holding and guidance they can become certified in a relatively short period of time. Cyber Essentials Plus provides a higher level of assurance: an independent assessor examines the same five controls, testing that they work in practice by simulating real-world hacking attacks.
Cyber Essentials and Cyber Essentials Plus are a worthwhile investment for Organisations of all shapes and sizes, and in some cases it is only when schemes like these are embraced and implemented that Organisations actually realise how weak their Cyber Security defences are – whether this be default administrator passwords on internet-facing gateways or a number of File and Application Servers that haven’t been patched for over 12 months!
Another question we often get is, isn’t Cyber Essentials just for small Organisations? The answer is No! Cyber Essentials/Cyber Essentials Plus has been designed for any size of Organisation – even the largest Banks, such as Barclays, are Cyber Essentials and Cyber Essentials Plus certified!
If you would like to hear more on how Cyber Security Specialists can help your Organisation achieve Cyber Essentials, Cyber Essentials Plus or ISO27001 – please email firstname.lastname@example.org or call 0161 706 0244 to speak to a member of the team.