Cyber Essentials or ISO 27001?

The official announcement is:

“From 1 October 2014, government requires all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme.”

In reality this is primarily for Central Government suppliers, i.e. Dept Heath, Transport, Education, Defence, etc but the unofficial word is that this will be rolled out to local government i.e. councils, hospitals, police, etc over the next few years.

Cyber Essentials covers 5 main areas of vulnerability:

1. Boundary Firewalls and internet Gateways

2. Secure Configuration

3. Access Control

4. Malware Protection

5. Patch Management

Which include the types of controls found in the ISO27001 SOA:

A.13.1 Network Security Management

A.12.1 Operational Procedures and Responsibilities

A.9.2 User Access Management

A.12.2 Protection from Malware

A.12.6 Technical Vulnerability Management

Therefore people with ISO27001 are part way there already, the main difference is that Cyber Essentials in prescriptive and not optional so there is no opt out for any of the questions in Cyber Essentials, and the requirement for control by the 34 questions is much tighter in Cyber Essentials. For example, all software must be licensed and supported – so any PC’s that still use windows XP cannot be included in the scope and would need updating/replacing (this is just one example).

The issues facing the take-up of the standard are:

Lack of awareness of the Standard

Lack of trained practitioners (only 100 or so in the UK)

The trained Practitioners may not be IT savvy enough to implement effectively

Big Headache for large business due to a lack of automated roll out tools to cope with the prescriptive requirements for each device within scope, causing resistance to implementation

Implementation systems/methodology is new and not as efficient as it needs to be yet due to the learning curve.

We do however now have one of our ISO 27001 Consultants fully trained & qualified as a Cyber Essentials Practitioner.

ISO 27001 will continue to be the most recognised & accepted Information Security Standard. However if you do deal in or wish to enter the Gov & Public Sector arena, we would advise you start looking at this.

Leave a Reply

Your email address will not be published. Required fields are marked *