Comparing two of the most popular security certifications
Introduction
Cyber Essentials (CE) is a UK Government scheme set up to reduce the impact of “routine” cyber attacks on small and medium-sized enterprises (SMEs). It is a set of basic cyber security controls that, if implemented effectively, will stop most everyday attacks on a company from succeeding. It has gained significant popularity because it is relatively easy to explain and undertake, fairly low cost in terms of the certification, and can be achieved within a few days online by most SMEs.
ISO/IEC 27001:2013 (ISO27001), by contrast, is an international standard developed over a number of years and based on a British standard from the 1990s (BS 7799). It is a comprehensive assessment of a whole organisation’s ability to look after information securely in all contexts. The very nature of an international standard is that it must address every circumstance in which it might be used. This makes it extensive and comprehensive, which in turn leads to complexity and expense. The organisations that choose to implement it are therefore likely to be, for example, large in business function or personnel, to hold major quantities of sensitive information they want to protect, and/or to need to prove to others that they are looking after other people’s information appropriately.
Purpose of Cyber Essentials
When the scheme was first launched in 2014 it was compared by some to the basic Ministry of Transport (MoT) test that all vehicles in the UK over three years old must pass each year. No one would suggest that the MoT tests every possible part of the vehicle, or that passing it means the vehicle is safe to use on the roads for the next twelve months. All it says is that on the day the vehicle was tested, the components that were checked met the required standard. The components checked are those deemed essential for the vehicle to be considered “road-worthy”: the parts most likely to cause the vehicle to fail in some serious or dangerous way in “normal use”, endangering the user, others, or both. They include items such as the driving controls, tyres, brakes, safety equipment, indicators and exhaust system. The test does not check the radio or other entertainment system, the satellite navigation system, the comfort of the seating or similar “luxury” components.
CE is very similar. No one has suggested that an organisation which gains CE certification will never suffer a cyber attack again. All that is claimed is that the five basic controls checked by the CE process (boundary firewalls, secure configuration, user access control, malware protection and patch management) will stop around 80% of common attacks from succeeding. As with a vehicle, the controls must be maintained and updated as necessary if the protection is to be sustained. If a vehicle that had just passed an MoT test was then used for a journey from the UK to China, it would be a foolish person who did not have a much more comprehensive check made, by a suitably qualified motor technician, to ensure the vehicle was in the best possible condition for the trip. Even then it would not be surprising for the vehicle to need repair during the lengthy, arduous journey, and there would certainly be further maintenance required along the way.
ISO27001
This is where ISO27001 comes in. Undertaking the significant amount of work required to determine where security controls should be in place, which controls to implement, and then regularly checking that they are all working effectively, is the equivalent of the more extensive vehicle servicing. This additional work provides assurance that the organisation is not only prepared to deal with the standard cyber attacks, but also has in place the mature controls needed to deal with most eventualities and to keep the business disruption caused by any attack to a minimum.
Effective cyber security is a journey rather than a destination. CE is the first step along a path that might well lead on to ISO27001 implementation, but could equally lead to other certifications or simply to implementing the CE basic controls even more effectively. An organisation considering ISO27001 should gain CE first: if it is not doing those basic controls properly, the money spent on the wider ISO27001 measures could well be misspent. The five CE controls are the very minimum that any organisation of any size or sector should be doing. Anything more complex, in terms of cyber security, is built on those fundamentals.
Timescales for implementation
The difference between the certifications is reflected in the time required to gain them. Achieving CE is likely to take no more than a few hours answering the questions the scheme sets out. This is followed by a short clarification and validation check by an assessor, usually by phone, and, assuming the assessor is satisfied, the certificate is awarded, at an overall cost of around £350. Clearly some time is required to implement, maintain and check the necessary controls properly, but this is probably being done by the IT staff anyway, perhaps without realising it. If the more expensive Cyber Essentials Plus certification is required, an independent technical assessment is carried out (including vulnerability scans of the organisation’s internet-facing systems and of a sample of internal devices) to check that the controls declared in the basic questionnaire are actually working effectively. The additional cost depends on the type, size and location of the organisation, since it usually involves a physical visit to the site(s) the organisation operates. Both of these assessments would normally be completed within about a month of application.
In contrast, implementing ISO27001 is likely to take several years and cost many thousands of pounds in effort, even for the smallest organisation. It is common for the initial documentation that forms the basis of the Information Security Management System (ISMS) to take several months to put together. Deciding on the boundaries of the implementation (the ISMS scope, with the controls that apply within it recorded in a document called the Statement of Applicability) can be a way of reducing the commitment and workload, but the scope must be justified and a certificate covering only a token part of the organisation’s main business activities will not satisfy a certification body. With all the necessary policies drafted and the technical controls then implemented and checked, it can take at least 12 months for an organisation of any significant size to have all the elements of a comprehensive ISMS in place, and it could take twice as long. Even then, that is only the beginning: for the system to work effectively the ISMS must be audited by both internal and external (independent) auditors, and the issues these teams find must be addressed before the final certification is achieved. After that, ongoing auditing and maintenance activities are required to retain the certification. Over a period of several years this should lead to a system operating at the highest level of maturity, where measurement data and feedback from all parts of the ISMS are routinely used to enhance and improve security overall.
Conclusions
Cyber Essentials is the very minimum that any organisation should be doing to protect itself from the standard cyber attacks launched every day from around the world. These measures are akin to locking all the doors and windows, closing the store cupboards, filing cabinets and safes, checking the locks, and setting the burglar alarm on the office buildings. If these fundamentals are not done regularly, then no amount of high-tech CCTV is going to stop the burglar from getting at the secret papers in the files.
Cyber criminals behave the same way: they will do the bare minimum needed to reach valuable information that they can use as leverage for extortion, sell for hard cash, or use to gain access to a client or other party with which the organisation has business links. If the fundamental controls of Cyber Essentials are in place and working effectively, this is a warning sign to the criminal that perhaps this is not such an easy and desirable target, and they may go elsewhere. It is the cyber equivalent of having a burglar alarm box on the wall outside: caution, this organisation has taken appropriate steps to protect itself from criminals.
ISO27001 is the equivalent of employing guards on the gates in the perimeter fence, having the technical resources in place for CCTV and its 24/7 monitoring, running active patrols around the premises, and perhaps even fitting floor and space sensors to trigger should someone manage to enter the building. If the information being protected is worthy of such extensive security, then the price must be paid.