The Cyber Essentials Scheme
Recognising that not all organisations have the necessary resources to address the business-critical issue of cyber security, the UK Government’s Cyber Essentials Scheme provides a set of five controls that organisations can implement to achieve a baseline of cyber security, against which they can achieve certification in order to prove their compliance.
From 1 October 2014, the government will require suppliers bidding for certain information-handling contracts to be Cyber Essentials certified. This will provide further protection for the information the government handles, as well as encouraging wider adoption of the new scheme.
What is the Cyber Essentials Scheme?
The Cyber Essentials Scheme is a key deliverable of the UK’s National Cyber Security Strategy/Cyber Programme. Realising that the controls in its 2012 guide, 10 Steps to Cyber Security, were not being implemented effectively, the government instigated a call for evidence on a preferred cyber security Standard. In November 2013 it concluded that no individual Standard met its specific requirements, and so developed the Cyber Essentials Scheme: a set of controls and implementation guidance for basic cyber hygiene against which organisations can achieve different levels of certification. Certification can be used by organisations to demonstrate to their customers and business partners that industry-minimum cyber security measures are in place, and provides evidence to validate the organisation’s security posture. It was released on 7 April 2014 and officially launched on 5 June 2014.
the level and different types of cyber threat
vulnerabilities, weaknesses and exploits
cyber incidents and their local and national impacts.
The scheme is being backed by major industry players including BAE Systems, Lockheed Martin, Barclays and Hewlett-Packard. The Information Commissioner has stated that he '…supports the Cyber Essentials Scheme and encourages all businesses to be assessed against it'.
The Cyber Essentials Scheme covers five key areas
The scheme builds on the 10 Steps to Cyber Security, particularly five key technical control areas that also relate to ISO27001:
Secure configuration
Implementing the security measures required when building and installing computers and network devices, in order to reduce unnecessary vulnerabilities.
Boundary firewalls and internet gateways
Providing a basic level of protection where an organisation connects to the Internet.
Access control and administrative privilege management
Protecting user accounts and helping prevent misuse of privileged accounts.
Patch management
Keeping the software used on computers and network devices up to date so that it resists low-level cyber attacks.
Malware protection
Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware), including options for malware removal, to protect your computers, your privacy and your important documents from attack.
Achieving certification to the Cyber Essentials Scheme
There are two types of certification: Cyber Essentials, which relies on self-assessment and an external verification by a certification body, and Cyber Essentials Plus, which relies on a more rigorous on-site assessment and an internal scan by a certification body, in addition to the requirements of Cyber Essentials.
IT Governance is a CREST member and an accredited Cyber Essentials (CES) certification body.
What type of verification will be conducted?
Once an organisation has successfully passed an assessment against either level of the scheme’s requirements it will be awarded the relevant Cyber Essentials award or 'badge'.
First, the scope (i.e. the Internet-facing systems to be covered) is defined by the organisation.
The organisation answers the Cyber Essentials self-assessment questionnaire to demonstrate its level of compliance with the requirements for basic cyber security. The questionnaire is signed by an authorised signatory from the organisation to confirm its accuracy, and is then sent to the certification body to be reviewed.
All CREST-accredited certification bodies will conduct an external vulnerability scan of the Internet-facing networks and applications, to verify that there are no obvious vulnerabilities present.
Cyber Essentials Plus
All CREST-accredited certification bodies will conduct the necessary verification for Cyber Essentials as stated above, followed by a more thorough internal scan and on-site assessment of a sample of relevant devices that are connected to the Internet and/or capable of receiving emails.
In both cases, certification reflects the state of an organisation’s cyber security only at the time of assessment. It is not proof of the ongoing effectiveness of an organisation’s cyber security.
Certification will provide numerous benefits, including the opportunity to tender for business where certification to the scheme may be a prerequisite, reducing insurance premiums, and helping to improve investor and customer confidence.
John Cridland, Director General of the CBI, said, “Business leaders will benefit from the access to helpful and authoritative cyber security guidance. Encouraging firms to adopt this scheme is a positive step towards greater awareness of cyber security and more widespread action to manage the risks.”
Do you know whether you would meet the requirements of the Cyber Essentials Scheme?
Find out by completing our quick online checklist >>
IT Governance offers 3 unique solutions to certification that will enable you to achieve certification to Cyber Essentials or Cyber Essentials Plus cost-effectively and easily.
View the 3 solutions to certification >>