A brief post this time on my thoughts as to how best to integrate certification to the Government’s Cyber Essentials scheme into an ISO 27001 ISMS. I’m going to intentionally stay away from how to achieve certification to Cyber Essentials, and just focus on how it might sit within your ISMS.
Assuming that you’ve identified a good business reason to attain Cyber Essentials certification, you can capture and record this information as either a requirement of an interested party or contract. This may depend on whether the organisation wishes to attain Cyber Essentials certification to enhance its reputation or to be eligible for particular contracts that have it as a requirement. What works best for your organisation is likely the right answer.
When deciding which controls your organisation plans to implement, select those necessary to comply with the Cyber Essentials standard as mandatory, regardless of the outcomes of your risk assessment. I suspect that for most organisations it’s highly likely they’d be selected by the risk assessment anyway. If you are using Annex A of ISO 27001 as your reference control set, then Annex A of the Cyber Essentials standard will be very helpful for cross-referencing between the two control sets.
Remember that the scope of your ISMS and the scope of your Cyber Essentials certification may not exactly match. The mandatory controls will need to be implemented over at least the entirety of the Cyber Essentials scope, regardless of whether that is larger or smaller than the ISMS. The work of documenting, implementing, monitoring and reviewing these controls should still fall within the ISMS as long as there is an overlap.
My impression is that’s all there is to it – treat Cyber Essentials as a requirement of a contract or an interested party and everything else should naturally come out as the management system runs its course.