Embarking on certification to Cyber Essentials and ISO 27001
Cyber Essentials is a UK government assurance scheme that sets out five technical cyber security controls that all organisations can implement to achieve a baseline of cyber security.
ISO/IEC 27001:2013 (ISO 27001) is the international standard that provides the specification for an ISMS (information security management system) – a systematic approach to managing information security risk.
ISO 27001 goes considerably further than Cyber Essentials, providing 114 security controls that encompass people, processes and technology.
Although Cyber Essentials and ISO 27001 serve different needs, the two should be seen as complementary rather than competing.
Organisations that have put the Cyber Essentials scheme’s five controls in place should look to ISO 27001 to improve the maturity of their security practices and to extend their coverage to information in all formats, across a wider scope.
Optimal approach to implementation
If you are new to the world of ISO 27001, certifying to both the Standard and Cyber Essentials at the same time makes more efficient use of your time and resources.
IT Governance can help you achieve this with an integrated approach. However, depending on your current resources, time commitment and budget, you may wish to start with certification to Cyber Essentials. This will give you an introduction to the world of certification and information security.
When you are ready to take the next step of implementing a robust ISMS, you will be well positioned to continue to ISO 27001 certification.