Browse our certifications
Find training
Open page navigation
Cyber Security

Comparing two of the most popular security certifications

Introduction

Cyber Essentials (CE) is a UK Government scheme set up to try and reduce the impact of “routine” cyber attacks on small and medium sized enterprises (SMEs).  It is a set of basic cyber security controls that, if implemented effectively, will prevent most everyday attacks on a company from being successful.  It has gained significant popularity because it is relatively easy to explain and undertake, fairly low cost in terms of the certification and can be achieved within a few days online by most SMEs.

ISO/IEC:27001:2013 (ISO27001) by contrast is an international standard developed over a number of years and based on a British standard from the 1990s.  It is a comprehensive assessment of a whole organisation’s ability to look after information securely in all contexts. The very nature of any international standard is that it must be able to address all circumstances in which the standard might be used.  This means it has to be very extensive and comprehensive, and this in turn leads to complexity and expense.  It is therefore likely that the type of organisation that would choose to implement the standard would be, for example, large in business function or personnel, and/or would have major quantities of sensitive information they want to protect, and/or need to prove they are looking after other people’s information appropriately.

Purpose of Cyber Essentials

When the scheme was first launched in 2014 it was linked by some to the basic Ministry of Transport (MoT) test that all vehicles in the UK over three years old must pass.  No one would suggest that the MoT tests every possible part of the vehicle or that it means that vehicle is safe to use on the roads for the next twelve months.  All it says is that on the day the vehicle was tested, those components that were checked met the required standard.  The components checked are those that are deemed essential for the vehicle to be considered “road-worthy”, those parts most likely to cause the vehicle to fail in some serious/dangerous way whilst in “normal use” thereby endangering the user or others or both.  They would include items such as the driving controls, tyres, brakes, safety equipment, indicators and exhaust system.  The test would not check the radio or other entertainment system, the satellite navigation system, the comfort of the seating and other similar “luxury” components.

CE is very similar.  No one has suggested that if an organisation gets the CE certification that they will never suffer a cyber attack again.  All that is stated is that the five basic controls, checked by the CE process, will reduce the risk of 80% of common attacks being successful.  Like a vehicle though, the controls must be maintained and updated as necessary if the protection is to be sustained. If a vehicle having passed an MoT test was then used for a journey from the UK to China, then it would be a foolish person who did not have a much more comprehensive check made, by a suitably qualified motor technician, to ensure the vehicle was in the best possible condition for the trip.  Even then it would not be surprising for the vehicle to need repair during the lengthy, arduous journey and there would certainly be further maintenance required throughout the journey.

ISO27001

This is where ISO27001 comes in. Undertaking the significant amount of work that is required to determine the areas where security should be in place, the type of controls to implement and then to regularly check it is all working effectively, is the equivalent of the more extensive vehicle serving. This additional work should then provide assurances that, not only is the organisation well prepared to deal with the standard cyber-attacks, but that they have in place the mature controls required to deal with most eventualities and to ensure that business disruption caused by any attack is kept to a minimum. 

Effective cyber security is a journey rather than a destination. CE is the first step along a path that might well lead on to ISO27001 implementation but could equally lead on to other certifications or simply the implementation of the CE basic controls even more effectively. If an organisation is considering implementing ISO27001 then they should gain CE first because if they aren’t doing those basic controls appropriately, the money spent on the wider ISO27001 measures could well be misspent. The five CE controls are the very minimum any organisation of any size or sector should be doing. Anything more complex, in terms of cyber security, is built on those fundamental beginnings.

Timescales for implementation

The difference in the certifications is reflected in the time required to gain them.  To achieve CE is likely to take no more than a few hours answering the questions the scheme sets out.  This will be followed by a short clarification and validation check by an assessor usually by phone and, assuming the assessor is satisfied, the certificate will be awarded with an overall cost of around £350.  Clearly there is some time required to implement, maintain and check the necessary controls appropriately, but this is probably being done by the IT staff anyway, perhaps without realising it.  If the slightly more expensive Cyber Essentials Plus certification is required, then an independent audit (called a vulnerability scan) would be carried out to check that the controls covered in the basic check are actually working effectively.  The additional cost for this would be related to the type, size and location of the organisation since it would usually involve a physical visit to the site(s) operated by the organisation.  Both of these assessments would normally be achieved within about a month of application.

In contrast, the implementation of ISO27001 is likely to take several years and cost many thousands of pounds in effort for even the smallest organisation.  It is common for the initial administrative information, which forms the basis of the Information Security Management System (ISMS), to take several months to put together.  Deciding on the boundaries of the implementation (undertaken in a document called the Statement of Applicability) can be a way of reducing the commitment and workload, but the standard requires that the main business activities of the organisation are the bare minimum that can be certified. With all the necessary polices being drafted and then the actual technical controls being implemented and checked, it can take at least 12 months for any significant size of organisation to have all the elements in place for a comprehensive ISMS, and it could take twice as long.  Even then, that is only the beginning because in order for the system to work effectively the ISMS must be audited by both internal and external (independent) auditors and the issues found by these teams must be addressed before the final certification is achieved.  After that, to retain the certification, ongoing auditing and maintenance activities are required.  This should, over a period of several years, lead to a system operating at the highest level of maturity where measurement data and feedback from all the parts of the ISMS are routinely used to enhance and improve the security overall.

Conclusions

Cyber Essentials is the very minimum that any organisation should be doing to protect itself from the standard cyber-attacks being launched every day from around the world.  These measures are akin to locking all the doors and windows, closing the store cupboards, filing cabinets and safes and checking the locks, and setting the burglar alarm on the office buildings.  If these fundamentals are not done regularly, then no amount of high-tech CCTV is going to prevent the burglar from gaining access to the secret papers in the files. 

Similarly with cyber criminals, they will do the bare minimum to access the valuable information they can use as collateral for blackmail, to sell for hard cash, or to use to gain access to a client or other parties with which the organisation might have business links.  If the fundamental controls of Cyber Essentials are in place and working effectively, this is a warning sign to the criminal that perhaps this is not such an easy and desirable target and they might go elsewhere.  It is the cyber equivalent of having a burglar alarm on the wall outside – caution this organisation has taken appropriate steps to protect itself from criminals.

ISO27001 is the equivalent of employing guards on the gates in the perimeter fence, having the technical resources in place for CCTV and its 24/7 monitoring, active patrols around the premises and perhaps even floor sensors and space sensors to trigger should someone be able to enter the building.  If the information being protected is worthy of such extensive security, then the price must be paid.

Get Certified

 

RELATED PRODUCTS

Leopard

CDCAT® - Cyber Defence Capability Assessment Tool

Unrivalled in the NIST Cybersecurity Framework maturity, cyber risk quantification and much more

View more
Hot air balloons ascending into the clouds

Cloud Computing

Smooth ascension into the cloud

View more
Large pile of timber logs perfectly stacked

ISO/IEC 27001

Demonstrate exemplary management of information security

View more
Close

Certifications & Solutions

Accredited Training Organizations

Leadership

Accredited training providers

Certifications & Solutions

Select any filter and click on Apply to see results