2024 edition
A guide to cybersecurity certifications in the UK
From Cyber Essentials to ISO 27001 from the UK’s biggest certification body.
Contents
Introduction
The journey to a safer, more productive business
Ever since the Cyber Essentials scheme launched in 2014, companies have used it, and similar cybersecurity certifications, to showcase their trustworthiness and meet industry regulations. Conscientious companies that complete such schemes get listed on a searchable register of certified businesses and organisations.
But the truth is that the journey to cybersecurity compliance isn’t as simple as filling out an application.
The route can wind from the basics of Cyber Essentials to the independent auditing of Cyber Essentials Plus. Some organisations even choose to tackle the challenge of ISO 27001 compliance.
In this guide, we cut through the noise and outline the three most common UK cybersecurity certifications, how to choose the right one for you, and how to get certified.
Cyber Essentials
Good for: Any business
Key features: Self-assessment, accessible to all businesses
Certification requirements: Basic
Cyber Essentials Plus
Good for: Actively growing businesses, industries with higher security requirements
Key features: On-site technical audit
Certification requirements: Detailed
Cyber Essentials
ISO 27001
Good for: Highly-regulated industries
Key features: Processes and policies, internal and external audits
Certification requirements: In-depth
Cyber Essentials
The first port of call
The Cyber Essentials scheme is a UK cybersecurity certification that outlines the security procedures a company should have in place to secure their data. Cyber Essentials is highly recommended for SMEs because this certification protects you against 98.5% of the most common cyber threats.
The update includes new requirements and clarification for:
Firewalls
Internet gateways
Secure configuration
Access control
Malware protection
Patch Management
Cyber Essentials Plus
The next step
Cyber Essentials Plus has the same simple approach as Cyber Essentials but includes a technical audit of your systems.
The controls you need are the same – the audit just makes sure they’re in place.The audit element of the Cyber Essentials Plus certification requires some more effort, but it offers you the peace of mind that your new protections work effectively.
.
How Cyber Essentials Plus works
- The online assessment is the same as the Cyber Essentials Plus certification
- If you have Cyber Essentials already, you must make your Plus audits within 3 months of your last certification
- New applicants can complete their online certification as part of Cyber Essentials Plus
- Auditors typically review your head office and some of your other offices to carry out the tests on a random sample of your systems
- Many auditors offer remote audits Accredited businesses are certified for 12 months
We recommend Cyber Essentials Plus if..
- …you want a thorough assessment of your cybersecurity measures, plus a certification
- …you work with (or want to work with) high-quality clients and want to show them that data protection is a top priority
- …you work in an industry with higher-than-standard cybersecurity requirements
Businesses with a cybersecurity certification can win more business, making certification a valuable commodity in competitive markets. By showing your commitment to cybersecurity, you can build trust with new customers.For businesses with the budget and ambition to take their accreditations further, we recommend ISO 27001.
A new frontier
ISO 27001
ISO 27001 is the leading international standard for information security. Over 44,000 organisations all over the world use ISO 27001 to protect their data. The basic goal of the certification is to protect three aspects of information:
- Confidentiality: Only authorised people have the right to access information
- Integrity: Only authorised people can change the information
- Availability: The information must be accessible to authorised people whenever it’s needed
Successful implementation of ISO 27001 requires careful planning and project management. Unlike the checklist-style of Cyber Essentials, ISO 27001 is an interlocking framework of policies and processes. So, you’ll need to create process documents and maintain mandatory records of training, internal audits, and more.
How ISO 27001 works
Gap analysis
Before inviting an auditor, perform a gap analysis to identify the status of information security, and an initial expectation of required effort
Process
Produce the relevant documents and processes
Assess
Invite the auditor to assess your efforts.
Accredited
Accredited businesses are certified for 3 years. During this time, the certification body performs surveillance audits to check in on your activity
We recommend
ISO 27001 if…
- Your business specifically needs an ISO 27001 certification
- Your customers and competitors also have ISO 27001
- You work in the health or public sectors
Compliance made easy
How to take your cybersecurity certifications further
The best option is the 360˚ protection route, first choose one certification to implement and then transition to the other. Don’t make the mistake of trying to do everything at once! If you want to cover all bases, you can work towards both the ISO 27001 and Cyber Essentials. Just because you’re ISO 27001 certified, it doesn’t mean that you’re Cyber Essentials compliant or vice versa.
Being certified in both is an excellent way to ensure 360˚ protection, but it requires considerable investment. For most businesses, we recommend starting with Cyber Essentials because it’s a self-serve option, making it a simple way to start your cybersecurity journey. ISO 27001 requires a bigger up-front investment because you must move from general security management procedures to documented and audited cybersecurity processes.
Adapting to ever-changing cybersecurity standards is both a challenge and an opportunity. The Cyber Essentials scheme is a chance to highlight your company’s commitment to protecting client data. At CyberSmart, we’ve helped many clients achieve Cyber Essentials and Cyber Essentials Plus certifications. We offer all the guidance you need to pass your certification – with tips and live support that mean you’ll answer the questions correct first time. If your business is a bit more complex and you need to supply additional info, there’s no charge for resubmissions.
“CyberSmart really helped us on our journey to achieving Cyber Essentials certification. “
The device compliance is a real help, and their support team was always on hand to offer advice relating to both the product and Cyber Essentials. Once we submitted the completed application we were certified within a few hours – having this all in one place was useful.
IT Manager