The assurance framework proposes three tiers reflecting different levels of rigour: gold, silver and bronze.
Organisations that have successfully been assessed against the scheme will be able to use the appropriate Cyber Essentials badge to publicise this fact. Being able to advertise that you have met a government approved cyber security scheme will, it is believed, give your organisation an edge over competitors in the same market.
Below I have answered four common questions about Cyber Essentials.
Will there be a time limit on the Cyber Essentials badge or will it need renewing?
BIS are currently consulting on the validity period of the badge, and are looking for evidence to support a range of different periods for each tier of the Scheme.
But what if your business already complies with a global standard in cyber or information security, such as ISO27001 or the PCI DSS? Are you supposed to get assessed against Cyber Essentials as well, and why is that thought necessary?
The short answer is you can gain the Cyber Essentials badge in addition to other certification schemes. The belief is that the badge will demonstrate a basic level of cyber security; whether this is needed for your organisation is a business decision. BIS intend that compliance with Cyber Essentials will add value to the majority of UK businesses and demonstrate to customers, partners and stakeholders that they take information security seriously. Time of course will tell if this is the case.
Will implementing just the Cyber Essentials controls be enough to ensure that your organisation is protected from cyberattack?
No. Cyber Essentials aims to describe the small number of fundamental mitigations that will stop the majority of internet-based cyberattacks on your IT systems. It is important that you think about your own organisation and its risks, as set out in the ’10 Steps to Cyber Security’ and the Cyber Essentials Scheme summary guidance, to determine whether implementing Cyber Essentials alone is enough for you. Many businesses will need far more controls and procedures in place to manage the risks they face. In fact, it is likely that many senior managers reading this will work for organisations that have already implemented a standards-based approach, based (however loosely) on the international standard for information security, ISO27001, and/or on the best-practice recommendations for information security management published in ISO27002 for those responsible for initiating, implementing or maintaining information security management systems (ISMS). Cyber Essentials can be seen as a first, basic step towards the policies, procedures and controls needed to fully manage your risk in relation to data theft – including the legal and contractual fines and the damage to reputation that can result from public exposure of possible negligence – but it is not a comprehensive approach.
So why just five security controls – and how did the Government choose them?
We are told that government analysis of continuing attacks, together with feedback from industry vulnerability testers, has identified that a number of critical technical controls are still not being applied in a high proportion of organisations, leaving systems vulnerable to threat actors with relatively low levels of technical capability. The controls in Cyber Essentials have been chosen to mitigate threats that use ‘commodity’ capabilities, i.e. capabilities and techniques that are freely available on the Internet. They are not intended to mitigate the risk of Advanced Persistent Threats (APTs), where systems are subject to continuous computer hacking processes. Such attacks are often orchestrated by a human attacker targeting a specific entity and involve a high degree of covertness over a long time period.
Will this be mandated by government?
In time, we are advised, government will look to use the standard where relevant and proportionate in its procurement. I read this as meaning that some contracts to supply government may require you to show evidence of your Cyber Essentials badge.
Cyber Essentials aims to protect the data once it is stored within your systems.
It won’t stop you from getting hacked. As stated, implementing the basic controls stipulated in Cyber Essentials can never prevent a determined attack on your systems. Rather, it is intended to reduce the risk of opportunist attacks via the Internet. An analogy can be drawn between locking the doors and windows of your house and setting the alarm: a determined criminal may still be able to gain entry, but an opportunist looking for an easy target will move on to try elsewhere.
Want our expert help to find out where you stand with Cyber Essentials?
Read our page on Cyber Health Checks – find out if you need to close gaps in your own cyber security measures in line with the Cyber Essentials controls.
* * * *
If you would like to find out more about ISO27001:2013 and how to set up and run an Information Security Management System (ISMS) to help you comply with PCI DSS v3.0 and Cyber Essentials, talk to our consultants: call 0845 070 1750.