Understanding ISO 27001-2013 and Cyber Essentials Plus: A Comparative Study
Two cybersecurity standards often come to the forefront: ISO 27001-2013 and Cyber Essentials Plus. Both are designed to fortify an organisation's cybersecurity measures, but their focus and scope differ. This article aims to elucidate these differences, particularly in risk and rules.
Cyber Essentials Plus: The Rule-Based Approach
Cyber Essentials Plus is a UK Government-backed scheme managed by the National Cyber Security Centre (NCSC) in partnership with the Information Assurance for Small to Medium Enterprise (IASME) Consortium. It promotes a standard set of IT Security requirements designed to help minimise the likelihood and impact of commonly known cyber-attacks.
The scheme is centred on five technical controls for fundamental cybersecurity:
- Firewalls
- Secure Configuration
- User Access Control
- Malware Protection
- Security Update Management
These controls form the rules that organisations must follow to achieve certification. The scheme consists of two levels of certification: Cyber Essentials (self-assessment) and Cyber Essentials Plus. The latter involves physically testing the scope's devices, applications, and services. This level of certification affords a higher level of assurance that the correct controls are implemented and working as expected.
ISO 27001-2013: The Risk-Based Approach
ISO 27001-2013, on the other hand, is an international standard developed to handle information security. Unlike Cyber Essentials Plus, which is limited to IT, ISO 27001 offers a more comprehensive framework, covering all information, whether online or offline.
ISO 27001 is very pragmatic—it's easy to tailor to your requirements. It incorporates critical risk assessment and mitigation controls, allowing organisations to identify and address potential vulnerabilities based on their unique risk profiles. This risk-based approach provides flexibility, enabling organisations to implement controls most relevant to their operations.
Risk vs Rules: The Key Difference
The primary difference between Cyber Essentials Plus and ISO 27001-2013 lies in their approach to cybersecurity: one is rule-based, and the other is risk-based².
Cyber Essentials Plus provides a set of specific rules that organisations must follow to protect against common cyber threats. It's a more prescriptive approach with precise pass-or-fail criteria. This makes it a very accessible starting point for smaller and medium-sized organisations looking to establish a secure baseline for their current security controls.
ISO 27001-2013, in contrast, adopts a risk-based approach. It allows organisations to assess their specific risk environment and implement controls accordingly. This flexibility makes ISO 27001-2013 suitable for organisations of all sizes and types, providing a comprehensive framework for managing information security.
In conclusion:
Cyber Essentials Plus and ISO 27001-2013 are crucial in fortifying an organisation's cybersecurity measures. While Cyber Essentials Plus provides a rule-based framework for fundamental cybersecurity, ISO 27001-2013 offers a risk-based comprehensive information security management approach. The choice between the two will depend on an organisation's specific needs and objectives.
Additional Cyber Security Information/Stats:
Phishing is the most common breach or attack on a business, accounting for 84% for companies and 83% for charities. Another area of growth is the impersonation of a company, which now accounts for 35% (and 37% for charities).
Only 22% of businesses have a formal incident response plan (19% for charities).
Businesses with Cyber Essentials are 92% less likely to claim Cyber Insurance.
Source of information:
Gov UK: Cyber Security Breach Survey 2024 [read more]
National Cyber Security Centre: Cyber Essentials [read more]
Citation (QMS): ISO 27001 Certification Information Security Management [read more]
Certified Information Systems Security Professional – Chris Blunt [LinkedIn]
Leave a Comment