Cyber Essentials scheme – it’s common sense

This week we have a guest blog post from Howard Smith.

Cyber threats are a widely publicised problem, and it is apparent that companies and organisations aren’t following a prescriptive process to tackle them.  The lack of common sense in applying proactive processes is their own doing, yet we see it time and time again.  The outcome affects both themselves and their customers, which can lead to a drop in business, a lack of confidence in the company and, ultimately, customers going elsewhere.

Whether the business is financial, engineering, government related, local authority, the list goes on – it’s all relative.  Yet the cyber criminals are today’s persistent threat.  A recent article in the Independent on Sunday newspaper of 12 Oct 2014, (here), states “Cyberspace is a low-risk, high-profit criminal area.” I suggest it’s both high risk and critical by virtue of its nature.

Her Majesty’s Government (HMG), however, have defined a process that’s available to large and small businesses alike, which is available here:

Cyber Essentials Scheme Summary, Requirements and Framework

The Assurance Framework, leading to the awarding of Cyber Essentials and Cyber Essentials Plus certificates for organisations, has been designed in consultation with SMEs to be light-touch and achievable at low cost. The two options give organisations a choice over the level of assurance they wish to gain and the cost of doing so. It is important to recognise that certification only provides a snapshot of the cyber security practices of the organisation at the time of assessment; maintaining a robust cyber security stance requires additional measures such as a sound risk management approach, as well as ongoing attention to the Cyber Essentials control themes, such as patching.

Next steps

Organisations wishing to be assessed should contact one of the Cyber Essentials accreditation bodies to discuss their requirements and identify a Certification Body.

For further information about how to become certified, see:

If you would like to become a certification body, see, where links to the accreditation bodies can be found.

Accordingly, the following advice sheets, produced by the Communications-Electronics Security Group (CESG), address “Cyber Security for Executives”, “Risks for Board Management” and “10 Steps to Cyber Security”:

“Cyber Risk Management: A Board Level Responsibility”, “10 Steps to Cyber Security: Executive Companion” and “10 Steps to Cyber Security: Advice Sheets”, all available here.

The advice sheets cover:

  • Information risk management regime
  • Network security
  • User education and awareness
  • Malware prevention
  • Removable media controls
  • Secure configuration
  • Managing user privileges
  • Incident management
  • Monitoring
  • Home and mobile working

All the aforementioned documents are produced by the Communications-Electronics Security Group. These documents are exacting; your business is worthy of the protection.

Further information regarding cyber security is also available from the Centre for the Protection of National Infrastructure; there you will find a wealth of valuable advice and information to protect your business.

Ultimately, the ownership of your cyber security program is down to you, the reader.

Views and opinions expressed are that of the author and may not represent IT Governance.

IT Governance is a rigorous supporter of the Cyber Essentials scheme and offers unique solutions to help you meet its requirements at a pace and for a budget that suits you.

Visit our Cyber Essentials scheme solutions page to find out more about your options.
