The announcement was made alongside the confirmation of several changes in the way the scheme is managed. The most significant revisions are the introduction of a 12-month expiry date for certificates and the appointment of a single accreditation body to manage the scheme.
Cyber Essentials requirements
There are no changes to the five technical controls that organisations need to meet:
- Secure configuration.
- Boundary firewalls and Internet gateways.
- Access control.
- Patch management.
- Malware protection.
The controls focus on threats that require low levels of attack skill and which are widely available online. These comprise the majority of attacks, so the controls are a sufficient framework for many organisations.
That said, we suggest complementing all cyber security programmes with staff awareness training. This isn’t a technical control, so it doesn’t apply to Cyber Essentials, but it’s worth remembering that technologies are only as effective as the people using them.
Employees should therefore be taught the importance of these controls and shown how they fit in alongside their day-to-day work.
- Registered certification marks
Certificates will now expire after 12 months. Currently, organisations are encouraged to re-certify annually, but they can still consider themselves ‘Cyber Essentials certified’ if they don’t.
Organisations’ practices might have slipped in the years since they certified, meaning it can be hard to tell how relevant the certificate is.
- A simpler route to certification
Currently, organisations can choose between five accreditation bodies (APMG, CREST, the IASME Consortium, IRM and QG) for Cyber Essentials certification, with each body operating in slightly different ways.
The government is simplifying this process, appointing a single partner to run the scheme. That body hasn’t been confirmed yet, but the government is confident that whoever takes over will create a streamlined customer experience and introduce more consistency.
- Minimum criteria for certification bodies and assessors
Certification bodies will still be necessary once a single accreditation body has been confirmed, but the government has stressed that they will have to operate under the new uniform rules.
All certification bodies are currently held to certain standards, but how they demonstrate that depends on the accreditation body they are affiliated with. Under the new system, the single accreditation body will create a consistent minimum standard of expertise.
Certify to Cyber Essentials with IT Governance
IT Governance is a CREST-accredited certification body for the Cyber Essentials scheme. This means that organisations will receive an added level of independent assurance in the form of an external vulnerability scan.
Our fixed-price packages can help your organisation achieve certification quickly and easy, whatever your budget or level of technical expertise.