In the Internet environment, big, medium, and small businesses all face similar risks, and many regulatory demands enforce information protection, but differences in resources and knowledge often result in data breaches because of the failure to implement basic security measures. To help handle such situations, the government in the United Kingdom came up with the Cyber Essentials program.<\/p>\n
This article presents an overview of the relationship between ISO 27001<\/a>, an ISO standard focused on information security management, and Cyber Essentials, a British government program that protects information from common Internet-based threats, considering information protection, and how they can be used together to increase the benefits to an organization\u2019s business.<\/p>\n Here is some information you may find useful for an initial understanding of ISO 27001 and Cyber Essentials:<\/p>\n As you can see, both ISO 27001 and Cyber Essentials aim for information protection, but while ISO 27001 considers information regardless of where it is found (e.g., paper, information systems, digital media, etc.), Cyber Essentials focuses on protection of data and programs on networks, computers, servers, and other elements of an IT infrastructure.<\/p>\n ISO 27001 consists of 10 clauses and 114 generic security controls<\/a> grouped into 14 sections (called \u201cAnnex A\u201d). For more information, see: A first look at the new ISO 27001<\/a> and An overview of ISO 27001:2013 Annex A<\/a>.<\/p>\n One of the limitations of ISO 27001 is that it does not provide detail on what to do to fulfill requirements or implement controls; it only tells you what you need to achieve. For implementation details, you can use ISO 27002 as guidance. For more information, see: ISO 27001 vs. ISO 27002<\/a>.General facts<\/span><\/h3>\n
\n\n
\n \nISO 27001<\/td>\n Cyber Essentials<\/td>\n<\/tr>\n<\/thead>\n \n International standard<\/td>\n Government program in the U.K.<\/td>\n<\/tr>\n \n Defines requirements for the establishment, implementation, maintenance, and continual improvement of an Information Security Management System (ISMS)<\/td>\n Defines a set of controls that cover the basics of cyber security related to common Internet-originated attacks against an organization\u2019s IT systems, and a mechanism to demonstrate that these precautions have been taken<\/td>\n<\/tr>\n \n Applicable to any type and size of organization<\/td>\n Applicable to any type and size of organization<\/td>\n<\/tr>\n \n Implementation and certification are optional.<\/td>\n Implementation and certification are mandatory for UK government suppliers contracted for handling sensitive and personal information. For other purposes, they are optional.<\/td>\n<\/tr>\n \n Current version: ISO 27001:2013<\/td>\n Current version: Cyber Essentials 2015<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n ISO 27001 structure<\/h2>\n
\n