The adoption of ISO 27001 has steadily risen since its launch in 2005, driven by it being mentioned in Pre-Qualification Questionnaires for contracts where exchange or management of data is part of the requirement.
Depending what controls and processes you already have in place as an organisation, ISO 27001 is comprehensive and, whilst straightforward, takes some planning to implement.
The standard also requires you to integrate information security into the company’s strategy and demonstrate involvement from top management, not just your IT guy. You do however have the choice of deciding what your ISO 27001 management covers, be it the whole organisation, or just a department or service.
On a practical level, ISO 27001 asks you to consider your risks and plan appropriately to mitigate them. These include:
- How you control security throughout your staff’s employment (e.g. who has access to what)
- Your physical security measures (e.g. a clear desk policy, or locks on doors)
- Your operational security measures (e.g. backing up data, or keeping software up-to-date)
- Security of communication (e.g. transfer of information, or network security).
- Managing of suppliers and what access they have
- How you will deal with any information security incidents
- Ensuring you meet relevant laws
Whilst not exhaustive, the above list demonstrates why ISO 27001 is not simply an ‘IT standard’. You may have fantastic anti-virus software, but if you undermine security by allowing anyone access to sensitive client data, you’re not a secure business.
However, government recognises that cyber security is becoming an increasingly big problem, and wants to improve accessibility for even the smallest of companies to demonstrate some kind of compliance.
Inspired by ISO 27001, Cyber Essentials can be viewed as an ‘entry level’ version. It covers:
- Boundary firewalls
- Secure configuration
- Access controls
- Malware protection
- Patch management
As a result, Cyber Essentials is not directly comparable because it is not as broad in scope as ISO 27001. It neither looks at information security as a whole, nor takes into account how you may recover from an information security incident.
Instead, Cyber Essentials was launched with the aim to focus singularly on achieving a step change in the adoption of cyber security. As a result, the basic version of the standard is self-certified. There is then a more thorough Plus version that involves an accredited body assessing you, in a similar process to that of achieving ISO 27001 certification.
Another key factor in the increase of ISO 27001’s popularity is the upcoming GDPR. This new regulation, which will replace the Data Protection Act, is all about keeping client’s information safe. ISO 27001 helps with just that.
Article: All you need to know about GDPR
Already have ISO 27001?
Then Cyber Essentials should be straight-forward to achieve, as similar policies are required by both standards. It is common for organisations to have both standards in place, as ISO 27001 covers all bases, whilst Cyber Essentials focuses on physical security to a greater degree. The Plus version will involve the likes of penetration testing; something you may have deemed necessary whilst assessing your risks with ISO 27001.
You may, of course, have no choice. With many people implementing both standards due to contract requirements, you may find one or both standards are necessary to qualify. If both are mentioned, it is first worth clarifying with the buyer if you definitely need to have both certifications, especially if you have ISO 27001 in place already.
Already have Cyber Essentials?
As Cyber Essentials is an entry-level standard, you will find that higher value (or higher ‘risk’) contracts will become more stringent, with ISO 27001 being more widely asked for. Given ISO 27001 has been around far longer, it is generally mentioned more often in tenders.
However, having Cyber Essentials in place gives you a head start over anyone starting from scratch. Given the standard is based on ISO 27001 to begin with, adopting its ‘big brother’ will be relatively straightforward.