Does my business need Cyber Essentials Certification or ISO/IEC 27001?

5 min read
Nov 29, 2022 4:56:00 PM

Cybersecurity is top of the agenda for all businesses (and if it’s not, it should be!). With 60% of companies going out of business following a cyber-attack, protecting your data and defending your entry points is key.

In this blog we look at the two main certifications you can gain in order to: 

  • Improve your cybersecurity measures and knowledge 
  • Demonstrate to clients and investors that you take cybersecurity seriously and are investing in proven and trusted solutions 
  • Ensure your staff are trained to protect your business and can spot phishing attacks 
  • Guard your business and data from up to 80% of most common attacks 
  • Benefit from more competitive insurance quotes 
  • Be eligible to apply for Government tenders (and even Ministry of Defence tenders with Cyber Essentials Plus)

There are many more benefits of gaining either Cyber Essentials or ISO/IEC 27001, which we’ll explore in this blog along with which solution might be the best choice to protect your business.


Let’s explain a bit more about the cyber threat landscape.  

Cyber-attacks are ubiquitous because the rewards of committing a cybercrime against a company of any size can be huge. No organisation is too small to be attacked, so being prepared is key for businesses of any size, from the one-man-band/solopreneur through to huge organisations, as it only takes one tiny vulnerability and BANG! Your company could be the next victim. With 39% of UK businesses suffering a cyber-attack of one sort or another in 2021, it’s not if you’ll be targeted, it’s when.

The thing is, your business most probably won’t be targeted specifically; you won’t be ‘hand-picked’ or ‘scoped out’ by a cybercriminal. More often, cyber scams are automated and indiscriminate, as the attack parameters are based on specific vulnerabilities rather than specific websites or companies. This means you’re not ‘special’ or ‘chosen’ to be attacked; you’re simply a statistic in an automated programme, and if your cyber defences aren’t up to scratch, you could lose everything.

Who is it that’s attacking businesses?  

Cyber-attacks are carried out by both individuals and organised groups. We call these ‘threat actors’, and they include:

  • Script kiddies – Unskilled attackers who use off-the-shelf scripts and exploit kits.
  • Insiders – Attackers with privileged access that makes it easy to target systems. These include negligent and malicious insiders, as well as external actors who gain access via a user’s credentials.
  • State-sponsored groups – Organised cybercriminal groups that carry out cyber warfare campaigns targeting critical national infrastructure.
  • Hacktivists – Politically motivated attackers who target organisations to promote their beliefs. Often their activities relate to human rights, free speech, or freedom of information issues.

The key motivation behind almost all attacks is to extort money. To put it in simple terms:

A cybercriminal is merely committing robbery using a modern-day method. 

Think of cybercriminals as 1950s cat burglars, creeping around the internet and dark net turning the proverbial front door handle of every business in the street. They’re on their toes searching for a way into your network. For them it’s pot luck whether they find a way in, and it’s your job (and our job) to ensure they don’t find any secret entrances to your business.


Should the worst happen and your business suffers a breach, what are the potential costs? The main cost to your company will generally be the reputational damage: clients, investors, industry leaders and others suspecting that you left your business ‘open for attack’ or were lackadaisical with your cybersecurity measures, and that your business can’t be trusted. Following an attack, your clients and investors could potentially leave in droves. For some businesses, it may be impossible to survive due to the lack of an effective cybersecurity insurance policy and having no way to pay for the damage the attack caused to your data. Or survival may hinge on the nature of your data (highly sensitive, medical, or financial, for example). On top of that, you could even go bankrupt from the enormous fines you will most probably incur for the breach, and for many businesses, the biggest cost will be the HUGE ransom demanded by the perpetrators for the ‘promise’ of your data being released ‘unharmed’.

So, how can you best protect your business? 

By investing in your cybersecurity solutions, processes, people and training, and by gaining recognised industry accreditations to demonstrate and regulate your cybersecurity provisions.

PricewaterhouseCoopers (PwC), an audit and assurance company that works in cybersecurity, reported that 78% of CEOs and finance leaders plan to enhance their cyber risk management. The good news is that over the last year the demand for cybersecurity professionals has increased by 60%, an 11% increase compared to 2020, and that demand continues to grow. In line with the threats and the need for protection, the salary for a Cybersecurity Engineer has increased from £58,000 to £75,750, and for a Cybersecurity Architect from £70,525 to £89,320.

There are three ways that will best improve your cybersecurity measures. They are:

  • Gaining ISO/IEC 27001, an international standard on how to manage information security
  • Achieving your Cyber Essentials certification
  • Training your staff. We explain more about that here.

If truth be told, we’d suggest you obtain the Cyber Essentials Plus accreditation: Cyber Essentials just covers the essentials of cybersecurity and not much more. Learn more about the two certifications in our stress-free Cyber Essentials certification guide and free resources here.

Let’s look further at these solutions.

ISO/IEC 27001 – Information Security Management System (ISMS):

Internationally recognised, ISO/IEC 27001 helps organisations manage and protect their information assets so that they remain safe and secure. It helps businesses to continually review and refine the way they do this, not only for today, but for the future. Bottom line: ISO/IEC 27001 helps businesses to implement a robust approach to managing information security (infosec) and building resilience. The standard was originally published jointly by the International Organization for Standardization and the International Electrotechnical Commission in 2005, and then revised in 2013.

To ensure it stays up to date, a brand-new revision is due to be published in October 2022, taking into consideration remote working and other aspects of recent business evolution.

The benefits of ISO/IEC 27001 include: 

  • Protects your business from security threats
  • Protects your business reputation 
  • Protects your personal records and sensitive information 
  • Reduces risk 
  • Reduces frequent audits 
  • Improves security structure and security focus 
  • Inspires trust in your organisation 

So, it’s absolutely worth gaining. For starters, it will set you head and shoulders above your competitors, and it ensures greater cybersecurity, reducing threats to your business, your clients, and your partners. If you’d like to learn more, we can help. Simply get in touch.

Cyber Essentials Plus 

The Cyber Essentials scheme is a UK government-backed framework supported by the NCSC (National Cyber Security Centre). It sets out five basic security controls that can protect organisations against 80% of common cyber-attacks.

The scheme is designed to help organisations of any size demonstrate their commitment to cybersecurity while keeping the approach simple and the costs low. The certification process for either of the Cyber Essentials schemes is managed by the IASME Consortium (IASME), which licenses certification bodies such as Method IT to carry out Cyber Essentials and Cyber Essentials Plus certifications.

In truth, to answer the question posed by this blog, ‘Does my business need Cyber Essentials Certification or ISO/IEC 27001?’, the answer is: it needs both. With the learnings gained and the processes put in place from achieving both certifications, your business’s security measures will be superior.

If you’d like to talk to one of our cybersecurity experts, to learn more about either certification, or to discuss the exacting needs of your business, we’re happy to help. Throughout this blog we’ve provided many additional resources that you can download and utilise, and you can also download our free Cyber Essentials guide.


Educate yourself before it’s too late and prepare for the Cyber Essentials assessment.