The Cyber Essentials Scheme
The Cyber Essentials scheme (CES) is a UK Government-backed and industry-supported scheme to guide businesses in protecting themselves against cyber threats. Launched on 5 June 2014, it provides a set of five controls that organisations should implement to achieve a baseline of cyber security, and against which they can be certified.
Compliance with the Cyber Essentials scheme is mandatory for suppliers bidding for government contracts that involve the handling of sensitive and personal information, and the provision of certain ICT products and services. It is also increasingly being adopted in the private sector, with hundreds of organisations certified to the scheme to date. Insurance firms have recognised that a Cyber Essentials certification is a valuable indicator of a mature approach to cyber security and can contribute to the reduction of risk, according to a Government report.
Cyber Essentials can help to prevent 80% of cyber attacks
Around 80% of cyber attacks could be prevented if businesses put simple cyber security controls in place, according to the UK Government. The Cyber Essentials scheme shows how to put these controls in place, thereby effectively reducing an organisation’s risk of a cyber attack by 80%.
Cyber Essentials vs Cyber Essentials Plus
There are two levels against which organisations can be certified:
Cyber Essentials – relies on a verified self-assessment, including an external verification by an accredited certification body.
Cyber Essentials Plus – relies on more rigorous assessments by an accredited certification body, in addition to the requirements of Cyber Essentials.
How to achieve Cyber Essentials certification
As a CREST member and CREST-accredited certification body for the Cyber Essentials scheme, we recommend the following options:
If you are completely new to the Cyber Essentials scheme, then consider buying Cyber Essentials – A Pocket Guide.
If you need help meeting the scheme’s requirements, IT Governance can assist you in preparing for certification at a pace and for a budget that suits you, following your preferred project approach.
If you are certification-ready, use our online portal, CyberComply, to submit the self-assessment questionnaire and schedule the external vulnerability scans. Prices start from just £300+VAT.
An overview of the Cyber Essentials scheme
The Cyber Essentials scheme is a key deliverable of the UK’s National Cyber Security Programme. Realising that the controls in its 2012 guide, 10 Steps to Cyber Security, were not being implemented effectively, the government instigated a call for evidence on a preferred cyber security standard. In November 2013 it concluded that no individual standard met its specific requirements, so it developed the Cyber Essentials scheme.
Cyber Essentials delivers the basic controls all organisations should implement to mitigate the risk from common internet-based threats.
The scheme provides a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken essential precautions to secure against the majority of cyber risks.
Cyber Essentials enables companies to successfully tender for Government contracts. View the UK Government’s procurement policy notice here.
The scheme is backed by major industry players including BAE Systems, Lockheed Martin, Barclays and Hewlett-Packard. The Information Commissioner has stated that he “supports the Cyber Essentials Scheme and encourages all businesses to be assessed against it”.
A recent report by HM Government in conjunction with insurance broker Marsh, entitled UK cyber security: the role of insurance in managing and mitigating the risk, revealed plans to include Cyber Essentials certification in insurers’ risk assessments for SMEs.
The Cyber Essentials scheme concentrates on five key controls
Secure configuration
Implementing security measures when building and installing computers and network devices to reduce unnecessary vulnerabilities.
Boundary firewalls and Internet gateways
Providing a basic level of protection where an organisation connects to the Internet.
Access control and administrative privilege management
Protecting user accounts and helping prevent misuse of privileged accounts.
Patch management
Keeping the software used on computers and network devices up to date and resisting low-level cyber attacks.
Malware protection
Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware), including options for malware removal, which will protect your computer, your privacy and your important documents from attack.
Once an organisation has successfully passed an assessment against either level of the scheme’s requirements it will be awarded the relevant Cyber Essentials award, or ‘badge’.
Hundreds of organisations have been certified to Cyber Essentials already. As a CREST-accredited certification body for the Cyber Essentials scheme, IT Governance has awarded certification to companies of different types and sizes. These include Vodafone, Airbus Defence and Space Ltd, Action for Children and ELEXON.
Do you know whether you meet the requirements of the Cyber Essentials scheme?
Find out by completing the Cyber Essentials questionnaire.
Solutions for CES certification
IT Governance offers three unique solutions to certification that will enable you to achieve certification to either Cyber Essentials or Cyber Essentials Plus cost-effectively and easily.