ISO 27001 vs UK Government’s Basic Cyber Hygiene Implementation Profile

My colleague, Michael Shuff, published a comprehensive article earlier this week on the UK Government’s proposed Basic Cyber Hygiene Implementation Profile. His blog post, titled Raising UK Cyber Security Standards, sheds further light on the timescales for releasing the new profile and on the implications for UK businesses.

Whilst the Government’s initiative to strengthen the UK’s cyber security posture is commendable, it is likely to cause some confusion in the industry. Internationally accepted information security frameworks such as ISO 27001 already exist, and hundreds of organisations in the UK already operate an ISO 27001-compliant information security management system (ISMS) or are in the process of implementing one.

I have seen evidence this week of people raising questions on the specialist forum www.iso270012013.info. One subscriber has asked whether the new profile will replace the ISO 27001 standard for UK organisations.

The answer provided by the experts is simple: the UK Government’s Cyber Hygiene Profile will not replace ISO 27001. ISO 27001 is an internationally recognised standard, and ISO 27001 certification gives a company global recognition. More details are available in the ISO 27001 forum discussion.

It also seems logical that ISO 27001 would become a prerequisite for demonstrating compliance with the new profile. Yet it seems we all need to wait until the end of March to find out…