Show me desktop version
CALL US +1 (646) 759 9933

The ISO 27001 & ISO 22301 Blog

ISO 27001 vs. Cyber Essentials: Similarities and differences

In the Internet environment, big, medium, and small businesses all face similar risks, and many regulatory demands enforce information protection, but differences in resources and knowledge often result in data breaches because of the failure to implement basic security measures. To help handle such situations, the government in the United Kingdom came up with the Cyber Essentials program.

This article presents an overview of the relationship between ISO 27001, an ISO standard focused on information security management, and Cyber Essentials, a British government program that protects information from common Internet-based threats, considering information protection, and how they can be used together to increase the benefits to an organization’s business.

General facts

Here is some information you may find useful for an initial understanding of ISO 27001 and Cyber Essentials:

ISO 27001Cyber Essentials
International standardGovernment program in the U.K.
Defines requirements for the establishment, implementation, maintenance, and continual improvement of an Information Security Management System (ISMS)Defines a set of controls that cover the basics of cyber security related to common Internet-originated attacks against an organization’s IT systems, and a mechanism to demonstrate that these precautions have been taken
Applicable to any type and size of organizationApplicable to any type and size of organization
Implementation and certification are optional.Implementation and certification are mandatory for UK government suppliers contracted for handling sensitive and personal information. For other purposes, they are optional.
Current version: ISO 27001:2013Current version: Cyber Essentials 2015

As you can see, both ISO 27001 and Cyber Essentials aim for information protection, but while ISO 27001 considers information regardless of where it is found (e.g., paper, information systems, digital media, etc.), Cyber Essentials focuses on protection of data and programs on networks, computers, servers, and other elements of an IT infrastructure.

ISO 27001 structure

blogpost-banner-22301-en

ISO 27001 consists of 10 clauses and 114 generic security controls grouped into 14 sections (called “Annex A”). For more information, see: A first look at the new ISO 27001 and An overview of ISO 27001:2013 Annex A.

One of the limitations of ISO 27001 is that it does not provide detail on what to do to fulfill requirements or implement controls; it only tells you what you need to achieve. For implementation details, you can use ISO 27002 as guidance. For more information, see: ISO 27001 vs. ISO 27002.

Cyber Essentials structure, and similarities and differences with ISO 27001

On the other hand, the Cyber Essentials program consists of only five controls:

Boundary firewalls and Internet gateways: These are devices with the function to prevent unauthorized access between networks. This control can be related to ISO 27001 Annex A control section A.13.1 (Network security management). For more information, see How to use firewalls in ISO 27001 and ISO 27002 implementation.

Secure configuration: This involves practices to ensure that systems are configured in the most secure way considering the organization’s requirements. This control can be covered by ISO 27001 Annex A control section A.12.1 (Operational procedures and responsibilities).

Access control: This is a method of ensuring that only those who should have access to systems, actually do have access, and at the appropriate levels. This control can be related to ISO 27001 Annex A control section A.9.2 (User access management). For more information, see How to handle access control according to ISO 27001.

Malware protection: This ensures that protection against viruses and malware is installed and up to date. This control can be related to ISO 27001 Annex A control section A.12.2 (Protection from malware).

Patch management: This involves ensuring that the latest supported versions of applications are used, and that all the necessary patches supplied by the vendor have been applied. This control can be related to ISO 27001 Annex A control section A.12.6 (Technical vulnerability management). For more information, see How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1.

These controls are subject to two certification levels:

Cyber Essentials: a certification awarded based on a self-assessment questionnaire regarding compliance with the Cyber Essentials control themes, approved by a senior executive (e.g., CEO), which is verified by an independent certification body. This option offers a basic level of assurance and can be achieved at a low cost.

Cyber Essentials Plus: a certification awarded based on external testing of the organization’s cyber security approach, performed by an independent certification body. This option costs more than the Cyber Essentials certification, but offers a higher level of assurance.

In terms of a PDCA cycle, ISO 27001 and Cyber Essentials can be compared as follows:

PDCA CycleISO 27001:2013 clausesCyber Essentials
PlanClause 4 – Context of the organization
Clause 5 – Leadership
Clause 6 – Planning
Clause 7 – Support
Cyber Essentials Requirements for basic technical protection from cyber attacks
DoClause 8 – OperationCyber Essentials Requirements for basic technical protection from cyber attacks
CheckClause 9 – Performance evaluationCyber Essentials Assurance Framework
ActClause 10 – Continual improvement

So, in short, while ISO 27001 lacks the “how to” details on how the controls should be implemented, Cyber Essentials provides more detailed information. You can think of Cyber Essentials as a specific set of ISO 27002 controls, which also provides details regarding how to implement the controls mentioned at the beginning of this section.

How can we use Cyber Essentials and ISO 27001 together?

There is no exact answer for this question, because it depends on the organization and its requirements. One approach is to start the ISO 27001 implementation first, because it covers general information security management (of which cyber security is only a part), and then covering Cyber Essentials’ controls in the organization’s cyber environment, but this will be a longer and more expensive path.

Another alternative is to consider Cyber Essentials first and, after that, to make arrangements to include the program in the ISO 27001 implementation project. This way, you will ensure that the ISMS’s continual improvement activities will also cover the Cyber Essentials requirements according to the organization’s security needs.

For more information about ISO 27001 implementation, see: Diagram of ISO 27001:2013 Implementation.

The important thing here is that you see both ISO 27001 and Cyber Essentials as complementary materials that can help an organization to provide customer services with proper security.

To learn more about how to implement ISO 27001, see this free ISO 27001 Foundations Online Course.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 27001/ISO 22301 standards.

100% privacy respected. Unsubscribe at any time with a single click.

FREE ISO 27001/22301 CONSULTATION
Dejan Kosutic
Lead ISO 27001/22301 Expert, Advisera

GET FREE ADVICE

ISO 27001 & ISO 22301
Free Downloads

 

Upcoming free webinar
ISO 27001 implementation: How to make it easier using ISO 9001
Wednesday - October 25, 2017

OUR CLIENTS

OUR PARTNERS

  • Exemplar Global (formerly RABQSA) is leading international authority in certification of training providers.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.
Request callback
Request callback

Or call us directly

International calls
+1 (646) 759 9933