Cyber Essentials vs ISO 27001 – key differences and benefits

Practising good cyber hygiene is essential for SMEs. To reduce risk, the UK government has developed guidelines on how to defend against threats.  

But it’s not always easy to know which standard is best for your business. Which should you get and why? To help you decide, let’s look at Cyber Essentials vs ISO 27001.

What is Cyber Essentials?

Cyber Essentials (CE) is a government-backed scheme proven to protect against common cyberattacks. It’s the minimum certification required for any government supplier responsible for handling personal information in the UK.

For SMEs, a CE certification demonstrates you’re serious about security – both to customers and regulators.
Your security is evaluated across five categories. You must:

1. Configure and deploy a firewall

Your firewall needs to protect all devices – especially those connected to a public or untrustworthy network.

2. Use secure configurations for devices and software

Most devices and software ship with default settings aimed at making the device as open and available as possible. These can leave you open to attack.

CE requires you to reconfigure your settings to maximise security. This includes using strong (not default) passwords and introducing extra layers of security such as two-factor authentication.

3. Make use of access control to prevent unauthorised access to data and services

Your employees should have the minimum access needed to perform their role. You’ll need to set up and define access levels for standard and administrative accounts to minimise risk. 

4. Protect yourself against malware such as viruses

Malware, short for malicious software, is any computer program that causes harm to a device or its user. 

You must implement one of the following to meet these requirements:

  • Anti-malware solutions such as Windows Defender or macOS XProtect
  • A sandbox environment with restricted access to the rest of your files and network
  • A software whitelist to prevent users from running anything potentially harmful

5. Keep devices and software updated

Device manufacturers and software developers release updates (also known as patches). These are key to fixing known vulnerabilities in the software and must be installed when they become available.


What is ISO 27001?

ISO 27001 is an international standard for information security. It defines what’s required for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It’s much more comprehensive than Cyber Essentials.

Rather than giving you specific guidelines to follow, ISO 27001 defines 14 control domains that support compliance.

1. Develop an information security policy

This provides direction to support your people. It should clearly lay out how to manage information in accordance with laws and business requirements. You should regularly review it to check it’s effective.

2. Implement and manage information security within your organisation

You need to provide a mechanism for managing information security, including coordinating responsibilities with employees and maintaining contact with authorities, third parties, and security providers.

ISO 27001 provides a framework for managing information security across different aspects of your organisation, for example teleworking or project management.

3. Provide training and awareness to HR

Ensure employees are aware of their responsibilities and are given suitable training to fulfil them. You also need to make sure any changes in employment conditions don’t affect security standards.

4. Ensure organisational assets are secure

You should be able to identify and classify information security assets based on the sensitivity of the information they handle. You’ll also need to assign staff responsibilities for keeping devices secure. 

5. Make use of access control to protect information

Employees and third parties should have restricted access to your information. You’ll need formal processes to grant and revoke user rights. 

6. Protect the confidentiality and integrity of information 

Use encryption to protect the confidentiality and integrity of your data. This can help keep you safe by making the data unusable for hackers – even if they do manage to access your network.

7. Prevent unauthorised physical access to your workplace

Protect physical assets from unauthorised access and natural disasters. If these areas are breached, for example by forced entry or extreme weather, it could cause operational issues and expose sensitive data. 

8. Deploy secure configurations for operational infrastructure

You must securely configure devices, software, and operating systems. This might include:

  • Using antivirus software
  • Changing default settings to security-first ones
  • Gathering and recording evidence of security vulnerabilities 

9. Secure configurations for network infrastructure

All routers, switches, services, and software that make up your network must be configured to standards you set in a network services agreement. The agreement should identify security features and management requirements for the network, including: 

  • How to monitor and control network traffic
  • How to securely use applications and systems, e.g. by using a firewall
10. Prioritise security when acquiring, developing, and maintaining information systems

Consider security at every level of your information system. From the moment you set up a new system, you must have security controls to prevent the loss or misuse of information.

11. Ensure information security for activities by suppliers

Monitor all outsourced activities to confirm that your suppliers comply with the same security requirements you’ve laid out for your own organisation. 

12. Develop an effective approach for managing information security incidents

If an incident occurs or your systems are breached, you need to:

  • Communicate the details of the security incident and event quickly
  • Gather and preserve evidence for further analysis
  • Develop your information security process to prevent a repeat incident

13. Prevent information security failures from interrupting business continuity 

ISO 27001 provides a step-by-step process to continue operations after a breach. A key aspect of this is making sure staff can access information systems. 

14. Ensure compliance with information security policies and standards

Get guidance on how to adhere to standards and abide by the law so you stay compliant.

Cyber Essentials vs ISO 27001 – what are the main differences?

There are five basic differences when comparing the two security standards. 

  1. Flexibility – Cyber Essentials is prescriptive. You’ll get detailed guidance on what to do and how to do it. ISO 27001 requirements, on the other hand, are broader and leave more to your discretion
  2. Time – It can take as little as a day to get CE accredited, whereas ISO 27001 takes 6-9 months
  3. Audits – There’s no audit in the Cyber Essentials assessment, but for ISO 27001 you’ll have yearly maintenance audits and a recertification audit every 3 years
  4. Location – Cyber Essentials is only recognised in the UK, whereas ISO 27001 is international
  5. Level of difficulty – Cyber Essentials is very much an entry-level qualification that gives you a good foundation of knowledge. ISO 27001 is advanced in subject matter and assessment criteria

Cyber Essentials vs ISO 27001 – the benefits

Cyber Essentials is a great entry-level qualification with simple instructions and a fast certification process. It’s perfect for businesses that want to show a commitment to cyber hygiene and bid for government contracts.

ISO 27001 is an internationally recognised accreditation that showcases robust security practices – which may give you a competitive edge.

Choosing your accreditation

The best certification for your business depends on your requirements, size, and infrastructure. Now that you know the key talking points in the Cyber Essentials vs ISO 27001 debate, hopefully you’ll be able to make a more informed decision.

Cyber Essentials is an essential first step UK companies should take in their cyber improvement journeys. Once CE has been achieved, raise the ISO accreditation with the board to get a feel for the appetite for, and advantages of, this international standard; some companies and industries may need it more than others.
