Expert insights into the benefits of each, misconceptions, timelines, and more
Ashley ‘Ash’ Brett is an experienced cyber security advisor, who has carried out hundreds of Cyber Essentials Plus assessments.
He also providesCyber Essentialsconsultancy, helping customers become compliant.
On top of that, Ash is a product evangelist for IT Governance, creating and sharing interesting content related to Cyber Essentials on social media.
Previously, Ash talked about some high-level differences between Cyber Essentials and ISO 27001. Today, we’re delving deeper.
In this interview
- Cyber Essentials misconceptions
- Benefits of Cyber Essentials and ISO 27001
- The differences between Cyber Essentials and ISO 27001
- Which framework/standard is better for smaller organisations
- How to prepare for Cyber Essentials and ISO 27001 implementation
Someone recently asked me whether Cyber Essentials can be anything other than high level. What’s your response?
They were presumably referring to the basic nature of the Cyber Essentials controls. That much is true – the scheme concentrates on simple, high ROI [return on investment] controls.
However, the technical requirements for each control are very specific.
This is what I was saying last time, about how Cyber Essentials is very black and white. You either pass or fail the tests, with little ‘grey’ area.
This is totally different to ISO 27001, which offers a lot of flexibility due to its risk-based approach. ISO 27001 is very pragmatic in that way – it’s easy to tailor to your specific requirements, although its control set [in Annex A] is far larger than the one in Cyber Essentials.
So, yes, Cyber Essentials takes a basic, cost-effective approach to security. But it’s not at all ‘high level’ in terms of implementation, because you have to meet very specific requirements.
Are there any more common misconceptions to Cyber Essentials you’d like to debunk?
A big one is that because the testing for Cyber Essentials isn’t as rigorous as a penetration test, it isn’t worth pursuing.
However, the scheme’s simplicity makes it a very accessible starting point for smaller and medium-sized organisations looking to establish a secure baseline for their current security controls. Not just because of its technical requirements, but also through the basic Cyber Essentials certification process: completing the SAQ [self-assessment questionnaire] can help you identify gaps in your security.
Plus, keep in mind that the most common threats tend to exploit basic security weaknesses – not rely on sophisticated techniques. For example, criminal hackers often target unpatched software –one of the tests in Cyber Essentials Plus accounts for this. Specifically, we [assessors] carry out a vulnerability scan to identify unpatched software.
Something as simple as applying the latest software patches eliminates the risk of these types of attacks.
What are the benefits of Cyber Essentials and Cyber Essentials Plus?
Achieving certification, whether to just Cyber Essentials basic or to both tiers, has five main benefits:
1. Quite simply, you improve your cyber security posture.
Again, Cyber Essentials provides good baseline security – a basic framework you can build on. One that’s maintained well too, as your certification will be reassessed annually.
2. The Cyber Essentials controls protect you against common cyber attacks.
I already gave one example: exploiting known vulnerabilities in unpatched software. Then you get malware infections, phishing attacks, and unauthorised access via password-based attacks – brute forcing, for example, or data scraping.
These are basic, but extremely common, and can cause a lot of damage if successful, so implementing a cost-effective framework like Cyber Essentials offers a good ROI.
3. More confidence from customers, partners and other stakeholders.
Achieving Cyber Essentials certification demonstrates to other parties that you’re taking security seriously, because you’ve implemented the necessary measures to protect sensitive data.
4. Winning new business.
UK government contracts usually require Cyber Essentials, and MoD [Ministry of Defence] contracts require Cyber Essentials Plus. Certification is also becoming a more common prerequisite for other lucrative contracts from large UK businesses.
5. Cyber Essentials is a great stepping stone for achieving other security standards.
ISO 27001 is a good example. While the Standard is more expensive to achieve certification against, it’s still cost-effective.
Speaking of which, what are the benefits of ISO 27001?
Compared to Cyber Essentials, a major benefit of ISO 27001 is that it’s a universally recognised standard. [Cyber Essentials is mostly recognised within the UK only.]
But ISO 27001 has all sorts of other benefits too. For instance, it covers a much wider range of security controls than Cyber Essentials. Most notably, ISO 27001 doesn’t limit itself to technical controls – it also requires various policies and other documentation, as well as other organisational measures.
ISO 27001 also places a strong emphasis on risk management, particularly in comparison to Cyber Essentials, which, as we already established, is more black and white. ISO 27001 is very flexible in what controls to implement, so long as they reduce relevant risks to an acceptable level.
The Standard also requires regular internal audits to take place, to make sure you’re operating and maintaining your ISMS [information security management system] effectively. Cyber Essentials doesn’t require those, as certification is a ‘snapshot’ assessment.
Then again, you have to renew Cyber Essentials certification annually, whereas ISO 27001 certificates normally remain valid for three years. So, it’s natural for ISO 27001 to be stricter about maintaining compliance.
Finally, like Cyber Essentials, ISO 27001 certification demonstrates a strong commitment to information security. That enhances your organisation’s reputation and credibility. ISO 27001 is also an increasingly common prerequisite for winning new business.
For smaller organisations, which framework would you recommend?
Cyber Essentials is much more suitable for smaller organisations, as it covers far fewer areas than ISO 27001.
It can be difficult for smaller companies to demonstrate their compliance with ISO 27001, as implementing an ISMS can involve a lot of complexity. Any management system requires many different policies and procedures.
ISO 27001 is no exception: it’s very policy [and other documentation] driven, as these function as evidence in audits. That said, the Standard offers a lot of flexibility in how to meet its requirements – even if you’re, say, a fully remote, micro organisation.
However, it would be a much easier path for this type of company to achieve Cyber Essentials certification, as it focuses on essential security controls alone. This government scheme is just far less overwhelming if you’re a smaller business.
How can organisations prepare for Cyber Essentials implementation?
Before seeking Cyber Essentials certification, ensure you have the five main controls in place:
- Firewalls
- User access control
- Patch management
- Malware protection
- Secure configuration
Many SAQ questions are about these five controls. So, I’d thoroughly go through the technical requirements – they detail how to implement these controls so you can pass Cyber Essentials.
Assuming you completed your SAQ truthfully, this will also put you in a good position to schedule your Cyber Essentials Plus assessment, if you want to achieve certification to both tiers.
What about ISO 27001 implementation?
ISO 27001 covers a wider range of controls, categorised into four themes:
- People
- Physical
- Technological
- Organisational
In total, the Standard contains 93 controls [in Annex A], on top of its main ISMS requirements [in Clauses 4–10].
I’d conduct a gap analysis to determine which requirements you’re already meeting, and where you have to take action.
The same goes for the controls: establish which you’ve already implemented. Where you’re falling short, determine whether you need those controls, or whether you can justify not implementing them.
For example, if your organisation is fully remote, you can probably exclude all physical controls. Just make sure you justify the exclusions in your SoA [Statement of Applicability].
If an organisation is planning to implement both, should they start with Cyber Essentials, then move on to ISO 27001?
Yes, organisations typically start with Cyber Essentials, then move on to bigger standards such as ISO 27001.
By implementing Cyber Essentials first, you get a head start on meeting certain requirements in ISO 27001. Cyber Essentials establishes a solid foundation for your information security practices – it works as a good first step in the journey towards ISO 27001 certification.
How long does it take to implement Cyber Essentials? And what’s the ideal interval between Cyber Essentials and Cyber Essentials Plus assessments?
IT Governance offers leading turnaround times for both Cyber Essentials and Cyber Essentials Plus. We can:
- Complete Cyber Essentials assessments on the day of purchase; and
- Schedule Cyber Essentials Plus assessments as quickly as a week after purchase.
On the interval between implementing Cyber Essentials and Cyber Essentials Plus, that depends on your state of readiness and your experience with the assessment process.
That said, even if you’ve never undertaken the assessments, you can be ready for Cyber Essentials Plus within a few weeks of your Cyber Essentials assessment. It comes back to the SAQ again: if you answered the questions truthfully, nothing should catch you out in the Cyber Essentials Plus audit.
Typically, customers have a pre-engagement call one week before the assessment date. That call goes through the assessment process to help you prepare. With that in mind, in most cases, I recommend organising the ‘Plus’ assessment two weeks after the Cyber Essentials assessment. That should give enough time between the pre-engagement call and the ‘Plus’ assessment.
And how long does it take to implement ISO 27001?
With ISO 27001, it can take at least 3–6 months to implement an ISMS due to the wide range of different controls covered. Particularly if you’re new to ISO 27001 certification, it’ll take a lot of time and effort to determine how you’re going to meet the Standard’s requirements.
Again, start with a gap analysis to assess your current state of readiness and identify any gaps. Once your ISMS is up and running, you’ll be carrying out regular internal audits [an ISO 27001 requirement], which will also prepare you for external audits.
Do you have any final words of advice?
Whichever option you pursue, ensure you have carried out the necessary preparation.
My smoothest Cyber Essentials Plus tests [as an assessor] are with customers that regularly engage with me via email. All IT Governance assessors are more than happy to answer any questions or address any concerns before the assessment day!
So, before the pre-engagement call, I encourage preparing a list of questions for your assessor.
The same goes for ISO 27001. I’ve previously helped prepare for external audits by ensuring all policies are easy to search for, and even created a spreadsheet that hyperlinked out to different policies.
Good internal communication is also key. Making sure the correct people are available on the day to demonstrate certain controls is very important. There’s nothing worse than finding out the person who needs to show how access control has been implemented is on holiday that day!
Want to learn more about our Cyber Essentials solutions?
We have a range of cost-effective packages, for both Cyber Essentials and Cyber Essentials Plus, offering one-to-one support with assessors such as Ash.
Find out more
We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert with GRC International Group.
In the meantime, why not check out our previous interview with Ash on our Cyber Essentials solutions?
Alternatively, explore our full index of interviews here.
