Cyber Essentials, the cyber security scheme mandated by the UK Government, is becoming more widely adopted in the UK, with over 100 companies already certified according to unofficial figures. Companies that have achieved certification so far include Barclays, Vodafone, Airbus Defence & Space Ltd, BPL Global, MASS and Sheffield Futures. (You can see a list of organisations certified by IT Governance here.)
The growth of the scheme has not only led to a growing number of certification bodies, but also to the launch of innovative services and means of achieving certification. For example, IT Governance recently launched CyberComply – a unique online service that enables companies to apply for certification to Cyber Essentials online (at just £300), following a convenient ‘do-it-yourself’ approach.
What does it take to achieve Cyber Essentials certification?
The time and resources it takes to meet the requirements of the scheme will vary from organisation to organisation, but according to Alan Calder, founder and executive chairman of IT Governance, “Most large organisations would have already implemented important cyber security controls” and “it would be a matter of ensuring these controls are in line with the scheme’s requirements, and that the necessary external and, if applicable, internal assessments have been conducted.”
Calder also adds that small and medium-sized organisations will “benefit from the scheme by ensuring they implement at least a minimum level of security.”
Geraint Williams, head of technical services at IT Governance, wrote in a blog that initial results from Cyber Essentials certifications conducted by IT Governance showed that the success rate for applicants is 88%. Of those that pass, 35% have no action points reported.
According to Williams, “the most common action points relate to the configuration of the external infrastructure that is tested as part of a level 1 Cyber Essentials certification.”
Finally, certification to the scheme is not overly expensive and should provide return on investment, given the improved security and competitive advantages it brings. For organisations unable to fulfil the requirements on their own, there are affordable Cyber Essentials scheme solutions available that can make the process easier.
Five key controls
In principle, in order to be awarded a Cyber Essentials or Cyber Essentials Plus badge you need to implement five key controls against which you will be assessed. The following controls are based on the most common Internet based threats to cyber security:
Boundary firewalls and Internet gateways
Information, applications and computers within your organisation’s internal networks should be protected against unauthorised access and disclosure from the Internet, using boundary firewalls, Internet gateways or equivalent network devices.
Computers and network devices should be configured to reduce the level of inherent vulnerability and provide only the services required to fulfil their role.
Access control and administrative privilege management
User accounts, particularly those with special access privileges (for example administrative accounts), should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks.
Computers that are exposed to the Internet should be protected against malware infection through the use of malware protection software.
Software running on computers and network devices should be kept up to date and have the latest security patches installed.
Cyber Essentials vs Cyber Essentials Plus
If you are pursuing Cyber Essentials, you will need to complete a self-assessment questionnaire, which must be signed off by a senior company representative and then verified by an external certification body. An external vulnerability scan will also be required if the company has chosen to be certified through a CREST-approved certification body like IT Governance.
To achieve Cyber Essentials Plus, you need to provide a more advanced level of assurance in addition to the Cyber Essentials requirements. This level of assurance will be reached by an internal assessment and internal scan, conducted on-site by the certification body.
IT Governance offers unique solutions to help you meet the scheme’s requirements at a pace and for a budget that suits you. Visit our Cyber Essentials scheme solutions page to find out more about your options.