If you’re working with sensitive data, it’s important you show you’re adequately handling it. That’s why many governments require companies to have some kind of certification about how they handle data. In this article, I’ll focus on two of these certificates: ISO 27001 and Cyber Essentials.
The International Organization for Standardization developed ISO 27001 to protect information assets and keep them secure. ISO 27001 covers information regardless of its storage medium. Cyber Essentials, by contrast, is newer than ISO 27001. It also focuses on information, but only on the information held within computers and IT networks.
How do you know which one you’ll need for your company? In this article, I’ll compare the two certifications and note their differences. I’ll also show you how to get certified and tell you if you can use ISO and Cyber Essentials together. Firstly, let’s explore ISO 27001 in more detail.
All You Need to Know about ISO 27001
In 1995, the Department of Trade and Industry in the UK Government created ISO 27001. Over time, though, it adapted the benchmark to the changing data security environment. This certificate shows that your business has a strong attitude towards security.
Since this is an international standard, your certification is valid worldwide, and companies in other countries will recognize it. The ISO 27001 certificate has 114 controls in 14 groups and 35 control categories. You’ll also notice that the group names aren’t IT-specific; rather, they’re general. Take a look at the 14 groups, and you’ll see what I mean.
14 Control Groups
ISO will hold your company accountable according to these 14 groups and their sub-categories. Your company must satisfy all 14 groups to receive the certification.
- A.5: Information security policies
- A.6: Organization of information security
- A.7: Human resource security
- A.8: Asset management
- A.9: Access control
- A.10: Cryptography
- A.11: Physical and environmental security
- A.12: Operations security
- A.13: Communications security
- A.14: System acquisition, development, and maintenance
- A.15: Supplier relationships
- A.16: Information security incident management
- A.17: Information security aspects of business continuity management
- A.18: Compliance, with internal and external requirements such as laws
Seeing the 14 groups, you may think it takes ages to complete. Does that hold true, though?
ISO 27001 Certification Process and Timeline
The certification process will take a small to mid-level company about 6-12 months in total. During this time, your company will also have to go through several stages, which I’ve compiled in the following table.

| Stage | Duration | What happens |
|---|---|---|
| Company readiness | 6-10 months | Hardest stage. Your organization needs to get ready and start following the controls. |
| Audit 1: Documentation | 1 day | Auditors examine documentation. |
| Audit 2: Certification | 6-10 days | Auditors are on site. They observe and meet with your team to determine whether they’re following the controls. |
| Remediation | 1 day to 6 months | Auditors ask for changes. Implementation can take as little as a few days to several months, depending on the issues. |
The certification is only valid for 3 years, so you want to make sure you renew it by then.
Certification Costs for ISO 27001
The cost of becoming certified depends on the number of days the auditor spends at your company conducting the audit. While daily rates vary from auditor to auditor, we can ballpark the fees at between $800 and $1600 per day, or an average of around $1200.
The number of employees in your organization also directly correlates with the number of days the auditors need to spend on site. Basically, if the number of days is higher, the costs are also higher.
A small company with a handful of employees might pay around $5000 to get the certification. Conversely, a large company with more than 1,000 employees might need to pay at least $25,000 to get certified. That’s also natural because the auditors are going to be onsite for more time.
By now, you’re familiar with the ISO 27001 standard. In the following section, I’ll go over Cyber Essentials and what it entails. I’ll also show you what to do to get it.
Cyber Essentials: What It Is and Why It’s Important
Cyber Essentials is a certification scheme created in the UK that is built around 5 technical controls. This certification only focuses on those 5 items. It also doesn’t go as in-depth as ISO 27001, which has broader coverage of things such as finance, risk, and governance.
Cyber Essentials focuses on IT-related control groups. These groups are also cybersecurity best practices and relate to ISO 27001. You could also think of the Cyber Essentials as a mini ISO 27001 certification.
Cyber Essentials covers the cyber-related criteria. Similar to ISO, your company will also have to adhere to these 5 guidelines to receive the Cyber Essentials certificate.
1. Configure and deploy a firewall. These firewalls prevent unauthorized access between networks. This control is also similar to the ISO 27001 Annex A control section A.13.1 (Network security management).
2. Use secure configurations for devices and software. This involves practices to ensure system configurations are as secure as can be. The comparable ISO 27001 criterion is Annex A control section A.12.1 (Operational procedures and responsibilities).
3. Employ access control and prevent unauthorized access. This ensures that only those who should have access to systems do. This control is also similar to ISO 27001 Annex A control section A.9.2 (User access management).
4. Protect yourself against malware such as viruses. This ensures that you’ve installed protection against viruses and malware and keep it up to date. It also means employees are receiving proper training not to spread malware. The comparable ISO 27001 item is Annex A control section A.12.2 (Protection from malware).
5. Keep devices and software updated. This means you’re using the latest software versions and have applied all vendor patches. This also matches ISO 27001’s Annex A control section A.12.6 (Technical vulnerability management).
Cyber Essentials Certification Process and Timeline
The process to receive the Cyber Essentials certification is pretty straightforward. It only consists of a 2-hour questionnaire. Still, the pre-work might take a small company around 2 weeks to implement.
You need to complete this pre-work before submitting the questionnaire. Then, it takes about 3 days for the certification board to give its response. The certificate is valid for 12 months, and after that, you’ll have to renew it.
Certification Costs for Cyber Essentials
The cost to get the certification is £300 + VAT. This certification isn’t verified, though. That means no auditor ensures your company is actually following the guidelines. To get verification (an audit), you need to opt for Cyber Essentials Plus. The time and cost of that audit depend on your organization’s size, and the auditor sets the auditing fee.
Now that you’ve had a detailed view of both certificates, let’s also see them side by side for a clearer comparison.
ISO 27001 vs. Cyber Essentials: Key Differences
The following table will help you visualize the differences between the two certifications.
| | ISO 27001 | Cyber Essentials |
|---|---|---|
| What is it? | A set of international standards to keep information assets secure | A certification with 5 technical controls to protect from threats |
| What does it cover? | Information, regardless of medium | Data, software, and programs on networks, servers, and computers. IT focus. |
| Who does it help? | Organizations in any industry that need to keep data assets protected | Organizations that want to have basic cyber security measures |
| Structure | 10 clauses and 114 generic security controls grouped into 14 sections | 5 controls that pertain to IT infrastructure |
| Implementation and certification | Not required, but recommended | Required for all companies bidding for contracts with the UK government |
Using the ISO 27001 and Cyber Essentials Together
You can actually use these two certificates together! It depends on your clients. It also has to do with how sensitive your information is.
According to the UK Government website, Cyber Essentials is generally enough to show you’re well-protected from internet-related issues. Keep in mind that Cyber Essentials is also very affordable, while the ISO 27001 is more expensive. If your company also plans on working directly with the UK Government, you must have the Cyber Essentials certification, even if you already have ISO 27001.
- Consider getting ISO 27001 if you’re a large international company with particularly sensitive data
- Pursue the Cyber Essentials certificate if you’re a company of any size planning to do business with the UK Government (this is a must)
- Get the Cyber Essentials certificate if you’re a company in the UK, since it’s at a lower cost than ISO 27001
The Bottom Line
In conclusion, your company can certainly benefit from both certificates, depending on your information assets and clients. Above all, these certificates also promote peace of mind for you and your clients alike. Consider your company’s location and clients. You should also remember the costs of each certificate. As a result, you’ll make the best decision regarding which certificate your firm should pursue.
Have more questions about certifications? Check out the FAQ and Resources below!
What is the International Organization of Standardization?
The International Organization for Standardization is a non-governmental organization founded in 1947. It promotes international standardization across all industries and works in 167 countries. The ISO has also been helpful in setting international standards. Additionally, it has made it much easier for companies to produce products for worldwide use.
Does Cyber Essentials have an international standard?
While the certificate is valid in the UK, it isn’t a fully recognized international certificate. You can, however, map all 5 of its controls back to ISO 27001. The Information Assurance for Small and Medium Enterprises Consortium (IASME) has also incorporated Cyber Essentials into its wider set of certifications. In summary, you’ll certainly see value from a Cyber Essentials certificate, and you must have it if you want to work with the UK government.
How long does it take to recertify for the Cyber Essentials?
The Cyber Essentials certificate is valid for 12 months and requires recertification. It also takes the same amount of time every time, around 2 weeks of prep time and a few hours of filling in the questionnaire. Finally, it takes about 3 days of waiting to get a result. The costs are £300 + VAT. In addition, if you want to get the “plus” certification, you’ll need to speak to an auditor. This auditor will then set a charge based on the size of your organization and the complexities associated with testing it.
How long is ISO 27001 valid?
ISO 27001 is valid for 3 years, but companies must also maintain the standards set forth. Auditors will also come back and conduct audits each year during the certificate’s validity period. In short, failure to uphold the standard may result in it being revoked.
What is Cyber Essentials Plus?
Cyber Essentials Plus is a verified Cyber Essentials certificate. An auditor comes to your organization and confirms that you’re upholding the certificate’s standards. The regular Cyber Essentials isn’t verified; it’s only questionnaire-based. You have 90 days from getting the certificate to get it verified.
TechGenix: Guide on ISO 27001 Certification
Learn the step-by-step approach to getting your company’s ISO 27001 certification.
TechGenix: Article on the Journey to ISO 27001 (Part 1)
Learn how to get started on your path towards certification.
TechGenix: Article on What is ISO 27001 and Certification
Learn about the ISO and how to get a certification.
TechGenix: White Paper on 13 Effective Controls for ISO 27001
Find out what the 13 controls are for ISO 27001.
TechGenix: Article on ISO Standards Worth Noting
Learn which standards might be important to you in your career.