There's debate around whether it's worth doing Cyber Essentials if you're doing/have done ISO 27001.

We concluded: "Well, it doesn't hurt", and having put all of the ISO 27001:2022 controls in place, there was very little (and by that, we mean no) additional work required to complete Cyber Essentials aside from completing the application.

What is Cyber Essentials

Borrowing from the National Cyber Security Centre's website:

"Cyber Essentials is an effective, Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks."

It's a suite of "technical controls" (that's "stuff you should do"), that help to reduce the chance of your organisation being the victim of an internet based threat.

Is it any good?

Well, yes and no.

If you're a smaller organisation (<20 employees), and you've not done much around information security, then yes, it's a really good thing to do.

Cyber Essentials is full of mandates. It insists on the application of a set of technical controls covering things like firewall configuration, securing devices, malware protection etc. These are good things to do if you haven't already done them, and for that, YES, Cyber Essentials is good.

If you're a medium or larger business (>20 employees) you have probably already put at least some of the technical controls in place, and there may be good reason why you haven't applied others and in that scenario, we'd say NO, Cyber Essentials is not good.

Confused yet?!

Which is better?

Well, that's a difficult question to answer in a hurry!

For larger businesses, we'd argue that the Risk Based Approach of ISO 27001 is a superior/more appropriate approach to managing information security. In fact, some of the requirements of Cyber Essentials may not actually be achievable for larger entities, largely because Cyber Essentials doesn't consider risk, it just mandates controls.

That said, for smaller entities, Cyber Essentials is less work, less management overhead, less cost, and more achievable - and for that, we like it! It makes organisations think about and apply technical controls in a black-and-white manner which, (particularly for smaller organisations) is a good thing, as those controls may otherwise not be in place.

Should we do it?

Well, if you're less than 20 employees, then I'd say yes, almost certainly.

If you're between 20-50 employees, I'd say yes, but you probably should be doing ISO 27001 instead.

If you're more than 50 employees, I'd say no, probably not, do ISO 27001 instead.

Conclusion

We did it (see the badge/link in the footer below), mostly to support confidence with prospective clients.

If you have the capacity, we'd suggest ISO 27001 is the better of the two, but Cyber Essentials is not a bad option!

If you'd like help with either Cyber Essentials OR ISO 27001, let us know!