It is a question we are often asked, “does a business still need Cyber Essentials certification if they have ISO 27001?”. Businesses sometimes presume that if they have undergone ISO 27001 certification they will not need the seemingly less complex Cyber Essentials controls. The reality is, Cyber Essentials can still be very beneficial for companies who hold ISO 27001.
At its heart, ISO 27001 is a risk management certification. This means that an organisation decides, after examining its information security risks, which security controls it is going to implement. The organisation may choose to put in place a different set of controls to those in Cyber Essentials and may decide to accept the risk of not implementing certain Cyber Essentials controls.
This becomes particularly important when looking at risk management within a supply chain. Cyber Essentials is a prescriptive standard, and so it gives more confidence to the person responsible for procurement that a business has implemented the five specific controls that are part of the standard.
If a business only has ISO 27001 they may have made a risk-based decision on whether to implement the controls and could have taken a management decision to accept a high technical risk without full knowledge of the security consequences. We have seen companies, for example, decide not to patch their systems within 14 days because of a decision made by management.
In practice we see many companies with ISO 27001 attempting Cyber Essentials certification, and they often struggle to achieve it.
This is why Cyber Essentials certification is often mandated throughout a supply chain regardless of ISO 27001 certification.