ISO 27001 vs Cyber Essentials: Which One Is Right for Your Organization?

Before everything, get certified!

If you’re working with sensitive data, it’s important to show that you’re handling it adequately. That’s why many governments require companies to hold some kind of certification covering how they handle data. In this article, I’ll focus on two of these certificates: ISO 27001 and Cyber Essentials.

The International Organization for Standardization developed ISO 27001 to protect information assets and keep them secure. ISO 27001 focuses on the information itself, regardless of its storage medium. Cyber Essentials, by contrast, is newer than ISO 27001. It also focuses on information, but only on information held within computers and IT networks.

How do you know which one you’ll need for your company? In this article, I’ll compare the two certifications and note their differences. I’ll also show you how to get certified and tell you if you can use ISO and Cyber Essentials together. Firstly, let’s explore ISO 27001 in more detail. 

All You Need to Know about ISO 27001 

In 1995, the Department of Trade and Industry in the UK Government created ISO 27001. Over time, it adapted the benchmark to the changing data security environment. This certificate shows that your business takes security seriously.

Since this is an international standard, your certification is valid worldwide, and other international companies will fully acknowledge it. The ISO 27001 certificate has 114 controls in 14 groups and 35 control categories. You’ll notice that the group names aren’t IT-specific; rather, they’re general. Take a look at the 14 groups, and you’ll see what I mean.

14 Control Groups

ISO will hold your company accountable against these 14 groups and their sub-categories. Your company must meet all 14 to receive the certification.

  1. A.5: Information security policies 
  2. A.6: Organization of information security 
  3. A.7: Human resource security 
  4. A.8: Asset management 
  5. A.9: Access control 
  6. A.10: Cryptography 
  7. A.11: Physical and environmental security 
  8. A.12: Operations security 
  9. A.13: Communications security 
  10. A.14: System acquisition, development, and maintenance 
  11. A.15: Supplier relationships 
  12. A.16: Information security incident management
  13. A.17: Information security aspects of business continuity management 
  14. A.18: Compliance with internal and external requirements, such as laws

Seeing the 14 groups, you may think certification takes ages to complete. Does that hold true, though?

ISO 27001 Certification Process and Timeline

The certification process takes a small to mid-sized company about 6-12 months in total. During this time, your company will go through several stages, which I’ve compiled in the following table.

Stage | Timeframe | Details
Company readiness | 6-10 months | Hardest stage. Your organization needs to get ready and start following the controls.
Audit 1: Documentation | 1 day | Auditors examine documentation.
Audit 2: Certification | 6-10 days | Auditors are on site. They observe and meet with your team to determine whether it is following the controls.
Remediation | 1 day to 6 months | Auditors ask for changes. Implementation can take from a few days to several months, depending on the issues.
An overall simple process!

The certification is only valid for 3 years, so make sure you renew it before it expires.

Certification Costs for ISO 27001

The cost of becoming certified depends on the number of days the auditor spends at your company conducting the audit. While auditors’ daily rates vary, we can ballpark the fees at between $800 and $1600 per day, an average of around $1200.

The number of employees in your organization directly correlates with the number of days the auditors need to spend on site. Put simply, more days means higher costs.

A small company with a handful of employees might pay around $5000 to get certified. Conversely, a large company with more than 1,000 employees might need to pay at least $25,000, simply because the auditors will be on site for longer.

By now, you’re familiar with the ISO 27001 standard. In the following section, I’ll go over Cyber Essentials and what it entails. I’ll also show you what to do to get it.

Cyber Essentials: What It Is and Why It’s Important

Cyber Essentials is a certification scheme created in the UK that requires organizations to implement 5 technical controls. This certification focuses on those 5 items only. It doesn’t go as in-depth as ISO 27001, which has broader coverage of areas such as finance, risk, and governance.

Technical Controls

Cyber Essentials focuses on IT-related control groups. These groups are cybersecurity best practices, and each maps to a control in ISO 27001. You could think of Cyber Essentials as a mini ISO 27001 certification.

Cyber Essentials covers the cyber-related criteria. As with ISO 27001, your company must adhere to these 5 guidelines to receive the Cyber Essentials certificate.

1. Configure and deploy a firewall. Firewalls prevent unauthorized access between networks. This control is similar to ISO 27001 Annex A control section A.13.1 (Network security management).

2. Use secure configurations for devices and software. This involves practices that ensure system configurations are as secure as they can be. The comparable ISO 27001 criterion is Annex A control section A.12.1 (Operational procedures and responsibilities).

3. Employ access control and prevent unauthorized access. This ensures that only those who should have access to systems do. This control is similar to ISO 27001 Annex A control section A.9.2 (User access management).

4. Protect yourself against malware such as viruses. This ensures that you’ve installed protection against viruses and malware and keep it up to date. It also means employees receive proper training so they don’t spread malware. The comparable ISO 27001 item is Annex A control section A.12.2 (Protection from malware).

5. Keep devices and software updated. This means you’re using the latest software versions and have applied all vendor patches. This matches ISO 27001 Annex A control section A.12.6 (Technical vulnerability management).

Cyber Essentials Certification Process and Timeline 

The process to receive the Cyber Essentials certification is pretty straightforward. It consists only of a 2-hour questionnaire. Still, the pre-work might take a small company around 2 weeks to implement.

You need to complete this pre-work before taking the exam. Then, it takes about 3 days for the certification board to give its response. The certificate is valid for 12 months, after which you’ll have to renew it.

Certification Costs for Cyber Essentials

The cost to get the certification is £300 + VAT. This certification isn’t verified, though: no auditor checks that your company is actually following the guidelines. To get that verification, in the form of an audit, you need to opt for Cyber Essentials Plus. The time and cost of the audit depend on your organization’s size, and the auditor sets the auditing fee.

Now that you’ve had a detailed view of both certificates, let’s see them side by side for a clearer comparison.

ISO 27001 vs Cyber Essentials: Key Differences

The following table will help you visualize the differences between the two certifications.

 | ISO 27001 | Cyber Essentials
What is it? | A set of international standards to keep information assets secure | A certification with 5 technical controls to protect from threats
What does it cover? | Information, regardless of medium | Data, software, and programs on networks, servers, and computers. IT focus.
Who does it help? | Organizations in any industry that need to keep data assets protected | Organizations that want to have basic cyber security measures
Structure | 10 clauses and 114 generic security controls grouped into 14 sections | 5 controls that pertain to IT infrastructure
Implementation and certification | No requirement, but recommended | Required for all companies bidding for contracts with the UK government
These certifications are significantly different!
Hard work will certainly pay off when you’re certified!

Using the ISO 27001 and Cyber Essentials Together

You can actually use these two certificates together! Whether you should depends on your clients and on how sensitive your information is.

According to the UK Government website, Cyber Essentials is generally enough to show that you’re well protected from internet-related threats. Keep in mind that Cyber Essentials is also very affordable, while ISO 27001 is more expensive. If your company plans on working directly with the UK Government, you must have the Cyber Essentials certification, even if you already hold ISO 27001.

Pro Tips

  • Consider getting ISO 27001 if you’re a large international company with particularly sensitive data.
  • Pursue the Cyber Essentials certificate if you’re a company of any size planning to do business with the UK Government (this is a must).
  • Get the Cyber Essentials certificate if you’re a company in the UK, since it costs less than ISO 27001.

The Bottom Line 

In conclusion, your company can benefit from both certificates, depending on your information assets and clients. Above all, these certificates promote peace of mind for you and your clients alike. Consider your company’s location and clients, and remember the cost of each certificate. With those in mind, you’ll make the best decision about which certificate your firm should pursue.

Have more questions about certifications? Check out the FAQ and Resources below!

FAQ

What is the International Organization for Standardization?

The International Organization for Standardization is a non-governmental organization founded in 1947. It promotes international standardization across all industries and works in 167 countries. The ISO has been instrumental in setting international standards, which has made it much easier for companies to produce products for worldwide use.

Does Cyber Essentials have an international standard?

While the certificate is valid in the UK, it isn’t a fully recognized international certificate. You can, however, map all 5 of its controls back to ISO 27001. The Information Assurance for Small and Medium Enterprises Consortium (IASME) has also incorporated Cyber Essentials into its wider set of certifications. In summary, you’ll certainly see value from a Cyber Essentials certificate, and you must have it if you want to work with the UK government.

How long does it take to recertify for the Cyber Essentials?

The Cyber Essentials certificate is valid for 12 months and then requires recertification. Recertification takes the same amount of time every time: around 2 weeks of prep time and a few hours filling in the questionnaire, followed by about 3 days of waiting for a result. The cost is £300 + VAT. If you want the “Plus” certification, you’ll need to speak to an auditor, who will set a charge based on the size of your organization and the complexity of testing it.

How long is ISO 27001 valid?

ISO 27001 is valid for 3 years, but companies must maintain the standards set forth throughout that period. Auditors return to conduct audits each year during the certificate’s validity period, and failure to uphold the standard may result in the certificate being revoked.

What is Cyber Essentials Plus?

Cyber Essentials Plus is a verified Cyber Essentials certificate. An auditor comes to your organization and confirms that you’re upholding the certificate’s standards. The regular Cyber Essentials isn’t verified; it’s only questionnaire-based. You have 90 days from getting the certificate to get it verified.

Resources 

TechGenix: Guide on ISO 27001 Certification 

Learn the step-by-step approach to getting your company’s ISO 27001 certification.

TechGenix: Article on the Journey to ISO 27001 (Part 1)

Learn how to get started on your path towards certification.

TechGenix: Article on What is ISO 27001 and Certification

Learn about the ISO and how to get a certification.

TechGenix: White Paper on 13 Effective Controls for ISO 27001

Find out what the 13 controls are for ISO 27001.

TechGenix: Article on ISO Standards Worth Noting

Learn which standards might be important to you in your career.
