“Does a business still need Cyber Essentials certification if they have ISO 27001?” is a question that’s often asked, and businesses sometimes presume that if they have undergone ISO 27001 certification they will not need the seemingly less complex Cyber Essentials controls.
The reality is, Cyber Essentials can still be very beneficial for companies who hold ISO 27001.
At its heart, ISO 27001 is a risk management certification. This means that an organisation decides, after examining its information security risks, which security controls they are going to implement. The organisation may choose to put in place a different set of controls to those in Cyber Essentials and may decide to accept the risk of not implementing certain Cyber Essentials controls.
This becomes particularly important when looking at risk management within a supply chain. Cyber Essentials is a prescriptive standard, and so it gives more confidence to the person responsible for procurement that a business has implemented the five specific controls that are part of the standard.
If a business only has ISO 27001 they may have made a risk-based decision on whether to implement the controls and could have taken a management decision to accept a high technical risk without full knowledge of the security consequences. We have seen companies, for example, decide not to patch their systems within 14 days because of a decision made by management.
In the real world we see lots of companies with ISO27001 trying to achieve Cyber Essentials and they often struggle to achieve it.
This is why Cyber Essentials certification is often mandated throughout a supply chain regardless of ISO 27001 certification.
Why should you certify to (or renew) Cyber Essentials?
Cyber Essentials is a Government backed certification introduced following their concern that organisations were not putting the basic technical controls in place to protect themselves against the most common internet-based attacks.
The Cyber Essentials scheme was developed to show organisations howNational Cyber Security Strategy 2016-2021
to protect themselves against low-level “commodity threat”. It lists five technical controls (access control; boundary firewalls and Internet gateways; malware protection; patch management and secure configuration) that organisations should have in place. The vast majority of cyber attacks use relatively simple methods which exploit basic vulnerabilities in software and computer systems. There are tools and techniques openly available on the Internet which enable even low-skill actors to exploit these vulnerabilities. Properly implementing the Cyber Essentials scheme will protect against the vast majority of common internet threats.
Cyber Essentials is a simple yet effective scheme that will help protect an organisation against some of the most common cyber threats, such as:
- Phishing attacks
- Password guessing
- Network attacks
A flexible certification that is applicable to organisations of all sizes and all sectors
Cyber Essentials certification reassures your current and potential clients that you take cyber security seriously. It is also becoming mandated, or actively encouraged, across an increasing number of government and private sector contracts. For example, for MoD contracts, it is required throughout the supply chain. And regulators such as the Financial Conduct Authority, say ‘Gaining (a certification), such as Cyber Essentials, could improve the security of your firm.’ The Information Commissioner’s Office also recognises the Cyber Essentials scheme and its ability to provide certain security assurances and help protect personal data in an organisation’s IT system. ‘Get in line with Cyber Essentials’ is a section in the ICO’s ‘A practical guide to IT security’ publication.
On top of all that, Cyber Liability insurance is included for organisations under £20m, achieving verified self-assessed certification covering the whole of their organisation.
So why re-certify?
- Once you have certified once, it should be much easier to re-certify unless you have had major infrastructure changes or your software has gone out of support.
- An up-to-date certificate reassures your current and potential clients that you take cyber security seriously.
- You will only be listed as Cyber Essentials certified on the government website for one year from the date of your certification unless you renew.
- A requirement in the majority of government tenders and an increasing number of non-government tenders. These tenders often specify that the certificate must have been awarded within the last year.
- Having a Cyber Essentials certificate issued within the last year will be taken into account by the ICO in the case of a data breach
- The Cyber Insurance which is awarded to all UK SMEs when they achieve Cyber Essentials only lasts for a year and cannot be renewed unless the organisation re-certifies to Cyber Essentials.
So if you need to get certified or re-certified, see our page on Cyber Essentials and get in touch with us today.