The Difference Between Cyber Essentials, Cyber Essentials Plus and IASME Cyber Assurance


Introduction

With cyber security threats continuing to evolve and adapt at lightning pace, adequate protection of organisational data is essential. There are many ways for organisations to ensure systems and data are protected – these include the implementation of security measures and controls. Cyber Essentials, Cyber Essentials Plus, and IASME Cyber Assurance are all aimed at providing organisations with ways to implement security measures, but what’s the difference? In this article we explore the topic with a view to helping organisations gain more clarity and support decision making.


Cyber Essentials

Cyber Essentials is a UK government-backed scheme and the recommended minimum standard for organisations of all sizes. It’s an annual renewable certification scheme designed to protect organisations from the most common forms of internet-based cyber security threats. It focuses on just five (technical) controls. Cyber Essentials (Level One) involves implementing the required security controls and completing a questionnaire. Successful applicants are awarded a 12-month certificate, with eligible organisations also being able to opt in for free cyber insurance.


Cyber Essentials Plus

Cyber Essentials Plus (Level Two) has Cyber Essentials as a prerequisite and consists of a technical audit of an organisation’s IT systems, which verifies that the five technical controls are in place. It gives more assurance that organisations are protected from common forms of cyber threat and provides confidence that the security measures are operating effectively. The audit focuses on a sample of user devices and includes testing of servers, networking equipment, and cloud services. Successful applicants are awarded a 12-month certificate for Cyber Essentials Plus.


IASME Cyber Assurance

IASME Cyber Assurance goes beyond Cyber Essentials, being much broader and more comprehensive. It is aimed at making organisations more cyber resilient and references up to 65 security requirements. These requirements can be applied to organisations of all sizes, with the scheme having tailored solutions for organisations with fewer than 50 people. There are two levels for IASME Cyber Assurance, with Level One being a verified self-assessment and Level Two being an audit. Successful applicants are awarded a 12-month certificate, with the Level Two audit being required every three years. Cyber Essentials is a valid prerequisite for IASME Cyber Assurance.

The diagram shows the Cyber Essentials and IASME Cyber Assurance scheme, with each scheme having two levels and aimed at organisations of all sizes.


Specific Controls and Themes

Cyber Essentials and Cyber Essentials Plus have just five technical controls – they are aimed at helping protect organisations from common forms of internet-based threats:

  1. Firewalls
  2. Secure Configuration
  3. Security Update Management
  4. User Access Control
  5. Malware Protection

IASME Cyber Assurance has up to 14 themes and 65 security controls – it’s aimed at helping organisations be cyber resilient:

  1. Planning
  2. Organisation
  3. Assets
  4. Legal and Regulatory
  5. Risk
  6. Physical and Environmental
  7. People
  8. Policy
  9. Managing Access
  10. Technical Intrusion
  11. Change Management
  12. Secure Operations
  13. Backup and Restore
  14. Resilience: Business Continuity, Incident Management and Disaster Recovery

The diagram shows the Cyber Essentials and IASME Cyber Assurance scheme, with Cyber Essentials focusing on 5 technical controls and IASME Cyber Assurance having 14 themes.


Key Differences

  1. Aims: Cyber Essentials and Cyber Essentials Plus are aimed at protection against common forms of cyber threat, whereas IASME Cyber Assurance is more comprehensive
  2. Security Controls (Measures): Cyber Essentials and Cyber Essentials Plus have just five technical controls, whereas IASME Cyber Assurance has up to 65 requirements, which can relate to people, organisation, physical, as well as technical aspects
  3. Levels: Both schemes have two levels – Level One is a verified self-assessment, and Level Two is an audit
  4. Devices: Cyber Essentials and Cyber Essentials Plus relate to internet-connected devices, whereas IASME Cyber Assurance relates to both internet and non-internet-connected devices (including paper)
  5. Cost: Cyber Essentials Level One and IASME Cyber Assurance Level One both start from £320 + VAT and increase based on organisational size and consultancy services. Cyber Essentials Plus and IASME Cyber Assurance Level Two typically require an initial scoping session, which establishes company size, existing security posture, and complexity before a cost can be determined


Where to Start


How RB Consultancy Ltd Help


Conclusion – key differences between Cyber Essentials and IASME Cyber Assurance

Cyber Essentials, Cyber Essentials Plus, and IASME Cyber Assurance all provide excellent benefits. Cyber Essentials can protect from the most common forms of internet-based threats. Cyber Essentials Plus is an audit that provides additional assurance that these controls are in place and operating effectively. IASME Cyber Assurance is much broader and more comprehensive than Cyber Essentials and Cyber Essentials Plus – it has two levels and covers up to 65 security controls. Organisations typically choose Cyber Essentials first, then progress to Cyber Essentials Plus and/or IASME Cyber Assurance.


Written by Remo Belisari, Managing Director of RB Consultancy Ltd, an experienced cyber security professional and cyber advisor. Remo holds certifications relating to CISSP, ISSAP, ISO 27001, Cyber Essentials, and IASME Cyber Assurance, and has many years’ experience in IT and cyber security. Remo has a history of supporting organisations from all over the world – including a Fortune 500 company in the USA and over 100 organisations across the UK. The views expressed in this blog are those of the author and do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliated organisations. The content is intended for general information only and should not be taken as legal advice.


FAQs

Can an organisation have more than one certification?

Absolutely! Cyber Essentials (Level One) is a valid prerequisite for IASME Cyber Assurance. Cyber Essentials can also be chosen as a ‘stepping stone’ to other certifications.

Can an organisation phase the introduction of certifications?

Definitely! Phasing is a great choice – it provides additional assurances, broadens scope, and helps to demonstrate continuous improvement.

How can I find out more about Cyber Essentials and IASME Cyber Assurance?

Contact us for more information – we’re experts in Cyber Essentials, Cyber Essentials Plus, and IASME Cyber Assurance.