What is Cyber Essentials and how does it compare to ISO 27001?

Cyber Essentials is supported by the UK Government and managed by the National Cyber Security Centre (NCSC), in partnership with the Information Assurance for the Small to Medium Enterprise (IASME) Consortium.

The Cyber Essentials scheme establishes a standard set of IT security requirements to minimise the likelihood and impact of common cyber-attacks, regardless of the size of an organisation.

It covers devices, applications, and services that hold or process business data. As listed below, the requirements are grouped into five themes:

  • Firewalls

  • Secure configuration

  • User access control

  • Malware protection

  • Security update management

The scheme has two levels of certification: Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials

This entry-level certification is based on self-assessment. It covers all the controls required by the scheme and demonstrates adherence to Cyber Essentials' foundational level of cyber hygiene. A certified Cyber Essentials assessor evaluates the applicant's online questionnaire.

Cyber Essentials Plus

This higher level of certification mandates the same controls as Cyber Essentials. A certified Cyber Essentials Plus assessor, however, conducts a physical test of the devices, applications, and services included in the scope. With this certification level, companies and their clients can be confident that appropriate controls are in place and functioning properly. Candidates for Cyber Essentials Plus must achieve Cyber Essentials certification within three months of enrolling.

Do I need a certain level of certification?

Depending on your organisation's objectives, you will need a different level of certification. Below are a few examples:

  • MOD/UK Government Contracts:
    To be eligible for MOD/Government contracts, organisations must be certified. The requirement stems from the importance of protecting the personal information of UK citizens and government employees.

  • Supply Chain:
    In the supply chain, it is essential that companies demonstrate compliance with data protection laws, especially when handling sensitive and personal information. Your company's Cyber Essentials and Cyber Essentials Plus certifications indicate a strong commitment to data protection and cyber security.

  • Compliance:
    With Cyber Essentials and Cyber Essentials Plus, your organisation can demonstrate to senior executives or board members that it has implemented essential safeguards. Specialised third-party companies provide an additional layer of assurance through the Cyber Essentials Plus certification.

ISO 27001: What is it?

ISO 27001 is part of the ISO/IEC 27000 series, a suite of standards designed to address information security. The standard, published by the International Organization for Standardization (ISO), provides guidance and a framework for establishing, implementing, and managing an Information Security Management System (ISMS).

Its complete designation is “ISO/IEC 27001 — Information Security, Cyber Security and Privacy Protection — Information Security Management Systems — Requirements.”

Its main purpose is to establish, implement, operate, monitor, review, maintain and improve an information security management system. It takes a risk-based approach and is intentionally technology-neutral. It consists of 93 safeguards, or controls, divided into four categories: organisational, people, physical, and technical.

Some of the topics covered by these domains are:

  • Information security policy

  • Organisation of information security

  • Risk assessment and treatment

  • Asset management

  • Access control

  • Cryptography

  • Physical security

  • Operations security

  • Communications security

  • System acquisition, development, and maintenance

  • Supplier relationships

  • Compliance with legal requirements and industry standards

  • Information quality management

  • Risk monitoring and review

What is ISO 27001 and why do I need it?

ISO 27001 is the global standard governing information security. As the name implies, it is concerned with safeguarding all information assets, in both digital and physical formats, such as paper and microfiche.

ISO 27001 certification allows organisations to demonstrate an advantage over competitors. It is also becoming more important in supply chains, as organisations place a higher priority on supply chain assurance.

Is ISO 27001 the same as Cyber Essentials/Cyber Essentials Plus?

There are certain fundamental differences between Cyber Essentials and ISO 27001, although both standards are designed to help organisations demonstrate compliance.

  • Cyber Essentials:
    In the UK, it is recognised as a technical compliance standard.

    • Organisations are assessed against the scheme's fixed requirements, not necessarily against their own internal rules and policies.

    • Digital information assets are the only assets covered.

    • Its scope covers assets and services that are connected to the internet.

    • It protects against the most common cyber-attacks.

  • ISO 27001:
    This is a risk-based standard that is widely accepted worldwide. To manage risks to an acceptable level, organisations must understand the risks within their organisation and implement policies, procedures, processes, and technical controls.

    • Process and policy are the primary focus.

    • It covers information assets of all types (physical and digital).

Unlike ISO 27001, Cyber Essentials is not an Information Security Management System (ISMS). ISO 27001, on the other hand, can be tailored to meet the needs of any organisation, no matter how large or small.

The ISO 27001 standard does, however, cover all the controls needed for Cyber Essentials.

What you need to know

The two standards serve distinct purposes and have different scopes. Cyber Essentials must be met by organisations seeking government or MOD contracts.

Cyber Essentials Plus certification is recommended for organisations seeking to demonstrate a high level of assurance in cyber security.

View how Temple QMS can support you with ISO 27001 training and consultancy.
