Cyber Essentials vs Cyber Essentials with IASME Governance
When businesses are looking to achieve Cyber Essentials or similar certification, they tend to stumble upon our website and start asking a few questions about how to proceed. This is the first of several blog posts that will hopefully answer the most important questions that people are asking.
InfoSec Governance is an IASME Consortium Certification Body for Cyber Essentials and IASME Governance. This allows us to provide not only the Cyber Essentials Basic and Plus certifications, but also a more in-depth certification which aligns with much of ISO 27001: IASME Governance. Although IASME Governance has been available for many years, we still get people asking: what is this certification? Do I need it? How is it different from Cyber Essentials? Is it worth it? And many more questions.
These are all good questions, and hopefully in this blog post I’ll be putting them all to bed and explaining the reasons why I think going with Cyber Essentials with IASME Governance is a better option overall for businesses.
Cyber Essentials has been around since 2014. The scheme is based upon a self-assessment of around 40 questions, which you complete by logging into an online web-based portal. Cyber Essentials is required by the government in order to be selected as a supplier, and many companies are requiring Cyber Essentials as part of the tender process.
Organisations assess themselves against the five basic security controls which are:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
Once the organisation has completed the questions, the answers are assessed by a Cyber Essentials certification body, such as InfoSec Governance. The assessor will then either certify the business or go back to the applicant with recommendations and/or required changes to allow them to pass.
At the time of writing the cost of achieving the basic self-assessment Cyber Essentials certification is £300 + VAT.
The IASME Governance option adds around 130 additional questions to the 40 or so Cyber Essentials questions (171 questions in total, to be exact, at the time of writing). These additional questions are based around your business and look at areas such as business continuity and risk management. The IASME Governance standard has been developed continually over the years since its inception. Originally, it was a government-funded project to create a cyber security standard which would be an affordable and achievable alternative to the international standard, ISO 27001.
As part of this, the IASME Governance standard allows small companies in a supply chain to demonstrate their level of cyber security for a realistic cost, and indicates that they are taking good steps to properly protect their customers’ information.
The cost of the basic Cyber Essentials scheme including the IASME Governance standard is £400 + VAT. The additional cost is due to the additional number of questions that the company must answer, as well as the additional marking work for the assessing company.
Benefits of both
Cyber Essentials is a good stepping stone for businesses of all sizes. If done properly, it shows that the business in question is working towards ensuring that safe business practices are in place to help safeguard against cyber-related incidents. However, Cyber Essentials on its own can only guarantee so much; implementing Cyber Essentials together with IASME Governance further helps your business to identify all key areas of operation, from ensuring your backups are working, to identifying risk areas of operation, to ensuring your entire supply chain is checked and secure.
If you are a business looking to ensure that you are doing things right, and you would like to implement the best practices of ISO 27001 but cannot justify the cost or do not have the means to put it in place, the IASME Governance standard is the one for you.
Having both Cyber Essentials and IASME Governance also ensures that you are doing the basics for protecting your cyber security, as well as working to protect your data governance and personal information, which can help businesses win tenders.
Going one step further, Cyber Essentials Plus
Once you have achieved the Cyber Essentials certification, you can go one step further and work on obtaining Cyber Essentials Plus. This additional layer of certification builds upon the self-assessment by having an independent third-party assessor come on site to verify your answers, review your procedures and perform a vulnerability assessment on your local network. The Plus certification not only helps identify companies who are serious about protecting their data and doing things right, but also helps to establish trust.
Please note, however, that you must achieve Cyber Essentials Plus within three months of achieving Cyber Essentials Basic; otherwise you may have to re-certify the Basic at the same time as doing the Plus.
To summarise the above, from personal preference, experience and recommendations, I’d highly recommend that businesses take out the Cyber Essentials certification with the IASME Governance standard to help show that they are taking the protection of information and their business seriously. It not only helps the reputation of the business, but also safeguards the business itself by helping it look at itself across all areas of information security.
If you would like further information on undertaking Cyber Essentials with (or without) IASME Governance, visit our website at https://isgovern.com for more information.