We are often asked, “does a business still need Cyber Essentials certification if it already has ISO 27001?”. Businesses sometimes presume that, having undergone ISO 27001 certification, they will not need the seemingly less complex Cyber Essentials controls.
The reality is that Cyber Essentials can still be very beneficial for companies that hold ISO 27001.
At its heart, ISO 27001 is a risk management certification. This means that an organisation decides, after examining its information security risks, which security controls it is going to implement. The organisation may choose to put in place a different set of controls from those in Cyber Essentials, and may decide to accept the risk of not implementing certain Cyber Essentials controls.
This becomes particularly important when looking at risk management within a supply chain. Cyber Essentials is a prescriptive standard, so it gives the person responsible for procurement more confidence that a business has actually implemented the five specific controls that make up the standard.
If a business only has ISO 27001, it may have made a risk-based decision on whether to implement the controls, and could have taken a management decision to accept a high technical risk without full knowledge of the security consequences. We have seen companies, for example, decide not to patch their systems within 14 days because of a decision made by management.
In the real world we see lots of companies with ISO 27001 trying to achieve Cyber Essentials, and they often struggle to achieve it.
This is why Cyber Essentials certification is often mandated throughout a supply chain, regardless of ISO 27001 certification.
For more information or a chat with John, please contact us at B2E.
B2E Consulting is different…
- Our B2E community consists of over 20,000 independent, expert consultants who provide depth of capability – most have trained at big consultancies or blue-chip companies
- Our flexible model ensures the expertise at the right price
- Our team has the insight and experience to bring these elements together
We always welcome the opportunity to discuss your consulting project requirements and our service offerings with you further.