Cyber Essentials vs Cyber Essentials with IASME Governance
I’ve been asked several times over the last year or so what the difference is between the Cyber Essentials scheme and the Cyber Essentials scheme with the IASME Governance Standard. Is it worth it? Is it something I need? Why are there so many more questions than in the basic one? Why is it more expensive? And the list goes on.
These are all good questions, and hopefully in this blog post I’ll put them all to bed and explain why I think going with Cyber Essentials with IASME Governance is the better option overall for businesses.
Cyber Essentials has been around since 2014. The scheme is based upon a self-assessment of around 40 questions, which you complete by logging into a web portal. The government requires Cyber Essentials in order to be selected as a supplier, and many companies require Cyber Essentials as part of the tender process.
Organisations assess themselves against the five basic security controls which are:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
Once the organisation has completed the questions, they are then assessed by a Cyber Essentials certification body, such as TeraByte.
On average, the cost of the basic Cyber Essentials scheme is around £300 + VAT, but this can vary between certification bodies.
The IASME Governance option adds around 130 questions to the 40 or so Cyber Essentials questions (171 questions in total, to be exact, at the time of writing). These additional questions are based around your business and look at areas such as business continuity and risk management. The IASME Governance standard has been developed continually since its conception. Originally, it was a government-funded project to create a cyber security standard that would be an affordable and achievable alternative to the international standard, ISO 27001.
As part of this, the IASME Governance standard allows small companies in a supply chain to demonstrate their level of cyber security for a realistic cost, and indicates that they are taking good steps to properly protect their customers’ information.
On average, the cost of the Cyber Essentials scheme including the IASME Governance standard is around £400 + VAT, but this can vary between certification bodies. The additional cost reflects the larger number of questions the company must answer, and which the certification body must then mark.
Benefits of both
Cyber Essentials is a good starting point for businesses of all sizes. If done properly, it shows that the business in question is working towards ensuring that safe business practices are in place to help safeguard against cyber incidents. However, having only Cyber Essentials in place can guarantee only so much; implementing Cyber Essentials together with IASME Governance further helps your business to identify all key areas of operation, from ensuring your backups are working, to identifying risk areas of operation, to ensuring your entire supply chain is checked and secure.
If you are a business looking to ensure that you are doing things right, and would like to implement the best practices of ISO 27001 but cannot justify the cost or do not have the means to put it in place, the IASME Governance standard is the one for you.
Having both Cyber Essentials and IASME Governance also ensures that you are covering the basics of protecting your cyber security as well as working to protect your data governance and personal information, which can help businesses win tenders.
Going one step further, Cyber Essentials Plus
Once you have achieved the Cyber Essentials certification, you can go one step further and work on obtaining Cyber Essentials Plus. This additional layer of certification builds upon the self-assessment by having an independent third-party assessor come on site to verify your answers, review your procedures and perform a vulnerability assessment on your local network. The Plus certification not only helps identify companies who are serious about protecting their data and doing things right, but also helps to build trust.
To summarise the above, from personal preference, experience and recommendations, I’d highly recommend that businesses take out the Cyber Essentials certification with the IASME Governance standard to help show that they are taking the protection of information and their business seriously. It not only helps the reputation of the business, but also safeguards the business itself by helping it look at itself from all areas of information security.
If you would like further information on undertaking Cyber Essentials with (or without) IASME Governance, visit our website at https://terabyteit.co.uk for more information.