Last updated: 05.10.17

ISO 27001 and the Cyber Essentials Scheme

With cyber crime now an everyday part of both personal and business life, individuals and corporations alike are looking for ways to guard themselves against it. From the theft of sensitive details to damage to computer systems, cyber crime can cause harm in a great many ways, and a number of initiatives are now in place to help businesses get their cyber security right. In this article, we’re going to look at both ISO 27001 certification, a standard that could benefit a great many businesses, and the Cyber Essentials Scheme, a UK government initiative. Both are designed to help businesses meet a minimum standard of cyber security. Read on to find out more.

If you’re looking for a broad introduction to cyber security and the steps you can take to keep your business safe in the digital world, then you may find the Virtual College course on the subject useful.

What is ISO 27001?

In short, ISO 27001 is an international standard that sets out what a business should be doing with regard to its ISMS. This stands for Information Security Management System, and refers to all of the policies, processes and controls a business has in place to look after its data. If you meet the criteria of ISO 27001, your business will meet a good standard of information security. There are a considerable number of requirements to meet in order to comply with ISO 27001, and businesses often choose to use external help to get set up in accordance with the standard.

What is the Cyber Essentials Scheme?

The Cyber Essentials Scheme is the UK government’s framework of criteria that sets out a basic but sound standard of information security. The scheme is intended to be usable by just about any business in any industry, and indeed, any business that intends to hold a government contract must meet the Cyber Essentials requirements. Documentation on the scheme is readily available, and the government has approved a number of accreditation bodies to award your business the badge.

What Are the Benefits of Implementing these Standards and Schemes?

Becoming ISO 27001 accredited, or receiving the Cyber Essentials badge, is not just about meeting a set of basic requirements to satisfy certain obligations. These accreditations carry significant benefits for your business too. Let’s cover some of the biggest benefits here:

  • Accreditations can often help you win bigger and better contracts, as larger organisations often mandate some kind of accreditation for the companies they work with
  • In some cases, proper information security policies are a legal requirement, and ensuring that you meet a certain standard can help you avoid penalties and fines
  • The very fact that you are meeting the criteria set out in schemes such as Cyber Essentials or ISO 27001 means that you are going to be far better protected against data breaches and other forms of cyber crime, which can save you very large sums of money
  • Being accredited is a good way of showing your customers that you are serious about information security, and can help strengthen those relationships
  • Having an external verifier come into your business and award you accreditation can be extremely reassuring, as you can be confident that you, your employees, your policies and your software and hardware are working as they should be

How These Accreditations Can be Achieved

There are two steps to achieving any kind of cyber security accreditation: firstly, you need to ensure you do everything required to meet the criteria, and secondly, you need the accreditation body to come in and assess your business.

The requirements for ISO 27001 are more complex, but the main points of the Cyber Essentials Scheme are handily condensed into five areas.

The five areas of competence include the following:

  • Secure Configuration - which includes the correct set-up of web servers
  • Firewalls and Gateways - which means ensuring that there is a layer of protection between users and the internet
  • Access Controls - which means ensuring only the right people have access to the right areas of the network
  • Patch Management - which means keeping on top of updates to ensure that everything is up to date and guarded against known exploits
  • Malware Protection - which means taking steps to guard against viruses, trojans and other malicious software

Once you have met the criteria set out, whether on your own or with the help of a consultant, you should contact the governing body of your chosen accreditation to complete the process.
