Many organisations will have heard of both ISO 27001 and Cyber Essentials but are unsure as to which information security standard they should apply to their organisation. Many organisations are now being challenged on the level of assurance they can give their customers on Information Security, particularly as services extend into online service portals that retain customer information.
Gaining certification to a recognised and accredited Standard has long been accepted as a credible means of assurance, but the choice is open as to which Standard an organisation should achieve. The UK’s own National Cyber Security Centre has developed a simple standard that focuses on 5 key control points that any system should maintain. These five controls are:
|Firewalls||Ensure that only safe and necessary network services can be accessed from the Internet|
|Secure configuration||Ensure that computers and network devices are properly configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role|
|User access control||Ensure user accounts are assigned to authorised individuals only, and provide access to only those applications, computers and networks actually required for the user to perform their role|
|Malware protection||Restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data|
|Patch management||Ensure that devices and software are not vulnerable to known security issues for which fixes are available|
To that end, Cyber Essentials covers the basics of administrative controls required for Information Security. To obtain certification, an organisation needs to supply evidence to a government recognised Certification Body who will review the information and ensure that it is in place. Cyber Essentials can be seen as a useful stepping stone for organisations that need to provide assurance, but potentially long-term will need to provide more assurance as they grow, or risks increase.
ISO 27001 sets out a more comprehensive management system approach, (see 14 controls required for ISO 27001) covering 14 control points with a detailed list of nearly 150 sub-controls that will be investigated and require justification if they are not included. The ISO 27001 management system incorporates the Plan-Do-Check-Act cycle that if used properly, will lead to continual improvement. The audit routines on the ISO 27001 are probably more thorough than for Cyber Essentials, much of which can be done through desktop review. ISO 27001 auditors will visit all sites applicable to the Information Security of the organisation and ensure that the controls are being enacted.
In terms of financial cost, Cyber Essentials will be cheaper to gain certification but recognition may be limited to the UK market. Whilst ISO 27001 will be more expensive as it involves a heavier audit regime, it may provide further benefits contractually for customers and also cost reductions for insurance.
Related Articles14 controls points required for ISO 27001
If you have any further questions or want to learn more about what we can do for your business, please contact us using the link or details below:CONTACT US
Tel: 01908 255 525