00) Does your organisation hold any certifications in information security?
Security Certifications Scoping
Written by Haydn Brooks
Created on March 18, 2019
Modified on September 3, 2020

Scoping question. Answer yes if your organisation holds any certification or independent attestation that covers information security (e.g. ISO 27001, Cyber Essentials, a SOC 2 report). Answer no if you only follow a framework internally without having been assessed against it.

There are a number of certifications and assurance schemes that you can be audited against which cover information security. Risk Ledger has put together a list of the most common ones below, with our thoughts on each.

Cyber Essentials and Cyber Essentials Plus

Cyber Essentials is a UK government backed certification that covers the implementation of five technical controls (firewalls, secure configuration, access control, malware protection and patch management) designed to protect you against the most common types of cyber attack. You can certify to either the basic level through a self assessment that is verified by a certification body (we recommend using CyberSmart), or to the Plus level after an independent technical assessment of your systems has been completed.

If you are a small to medium enterprise or startup we would recommend this certification as it is lightweight and effective. If you supply (or want to supply) the UK government, certain central government contracts that involve handling sensitive information or providing ICT services require you to be Cyber Essentials certified to at least the basic level.

ISO27001
ISO27001 is based around the implementation of an information security management system (an ISMS). This is a comprehensive certification: an accredited external auditor carries out a two stage initial audit (a review of your ISMS documentation, then an on-site audit of how the controls are implemented), followed by annual surveillance audits and recertification every three years. As such it requires a large amount of preparation and ongoing effort to maintain.

ISO27001 is a great framework for corporates or larger enterprises who need a way to effectively manage their security controls, and it is the certification most commonly asked for by clients outside the UK.

NIST Cybersecurity Framework

The NIST Cybersecurity Framework is a voluntary framework developed by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce. It was originally developed to help operators of United States critical infrastructure manage cyber security risk, but it is now used widely by organisations of all types.

The NIST Cybersecurity Framework is a great framework for critical infrastructure or utilities enterprises who need a way to effectively manage their security controls. Note that there is no formal certification against it: an organisation can align with or self-assess against the framework, but it cannot be "NIST CSF certified" in the way it can be ISO 27001 certified.

SOC2 Report

A SOC 2 report is an attestation report issued by an independent auditor, designed to provide assurance to an organisation's clients, management and users about the presence and effectiveness of the organisation's controls that are relevant to security, availability, processing integrity, confidentiality and/or privacy (the trust services criteria).

A SOC 2 audit is a comprehensive audit. A Type I report tests whether the controls are suitably designed and in place at a point in time; a Type II report also tests whether the controls operated effectively over a review period (typically six to twelve months), so a Type II report provides materially stronger assurance. The audit is also not information security specific: the Security criteria are always in scope, but the other four criteria are optional, so check which criteria a given report actually covers.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.