Is it possible for an alternative cybersecurity standard to produce comparable results to the NCSC's Cyber Essentials scheme?
As Certifying Bodies, we often hear, "I already adhere to ISO 27001 certification; do I still require Cyber Essentials?"
In the realm of cybersecurity, the answer often varies depending on the circumstances.
To revisit the topic, Cyber Essentials was introduced in 2014 to address prevalent cyber threats. It focuses on five controls deemed highly effective in thwarting common cyber attacks, and these controls are relatively straightforward to assess. Cyber Essentials is tailored to a specific risk scenario where attackers utilise readily available tools and techniques.
The controls are outlined in a requirements document, which serves as the basis for an independent assessment process. This assessment comes in two tiers: Cyber Essentials, which is a verified self-assessment, and Cyber Essentials Plus, which adds independent technical testing of the controls.
It's worth noting that assessments must be conducted by recognised Certification Bodies approved by IASME, the NCSC's delivery partner for the scheme.
Comparative Analysis with Alternative Standards
When discussing equivalence, several questions must be considered.
It is not as simple as saying that ISO 27001 is a like-for-like equivalent. If you are seeking an equivalent to a Cyber Essentials Plus certificate, you would also need to request proof of physical testing conducted against the controls or outcomes, together with proof of accreditation; for ISO 27001, for example, that accreditation would come from UKAS.
ISO/IEC 27001 and Cyber Essentials are both pivotal cybersecurity frameworks, but it is essential to recognise that they differ in scope and approach.
ISO/IEC 27001 is an internationally recognised standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It provides a comprehensive framework for managing and protecting sensitive information, encompassing a wide range of organisational processes and controls.
On the other hand, Cyber Essentials is a UK government-backed scheme designed to help organisations protect against common cyber threats. It concentrates on implementing five fundamental controls to safeguard against prevalent cyber attacks, emphasising simplicity and practicality.
While ISO/IEC 27001 offers a broader, more customisable approach suitable for organisations of all sizes and sectors, Cyber Essentials offers a more targeted, entry-level solution primarily aimed at small to medium-sized enterprises (SMEs) or those new to cybersecurity compliance.
It is, therefore, vital that organisations leverage both frameworks: ISO/IEC 27001 provides a robust foundation for information security management, while Cyber Essentials offers a specific set of controls that address common cyber threats effectively.