What is the UK Cyber Essentials Scheme?

You’ve probably heard about the new Cyber Essentials scheme (CES) that the UK Government launched on 5 June, and then again at the CESG’s IA14 event on 16 June.

The intention is that certification to the CES starts making its way into the UK Government’s procurement requirements as of October 2014.

For smaller organisations, the CES is a means by which they can get on the information assurance ladder, and, in my opinion, an important first step. It is, however, one that should rapidly be followed by a couple of other small but important steps in order to maximise the benefit, as I will describe later in this blog.

The first thing to note about the scheme is that organisations adopting it can get a certificate stating that they comply with its requirements for ‘basic technical protection from cyber attack’. I’ll return to the requirements shortly.

Cyber Essentials certification?

Any organisation that complies with the requirements of the CES can opt for certification. This is a process whereby a CES certification body assesses the organisation’s compliance with the requirements and, subject to the extent of the assessment the organisation requested and the outcome of that assessment, awards a certificate reflecting it. Along with the certificate comes the right to use a logo that demonstrates the organisation’s assessed compliance with the scheme’s requirements.

There are currently two levels of certification/badge (not two levels of security!) relating to the single Cyber Essentials profile:

  i. Cyber Essentials; and
  ii. Cyber Essentials Plus

Further security profiles are planned for the future that may well start to introduce information risk management and a process approach into the requirements, and I guess there will also need to be different badges available to distinguish between the profiles the certificate relates to. For now, it is one profile and two levels of badge.

So, as the scheme currently stands, the level of recognition – straight Cyber Essentials, or Cyber Essentials Plus – does not indicate a different level of security, but how robust the check and challenge to earn the ‘badge’ is. While the CES Assurance Framework document [3] includes a diagram that could be interpreted as suggesting that Cyber Essentials Plus is a more mature profile, there is just the single requirement profile, and achieving ‘Cyber Essentials’ is not a prerequisite to applying for certification to ‘Cyber Essentials Plus’.

The difference in the extent of the check and challenge is summarised below:

Cyber Essentials: Stage 1/Verified self-assessment [3]

  - Prerequisite: none
  - Control stance: self-assessment questionnaire signed by the organisation’s authorised signatory (typically the CEO), attesting to its accuracy; this is checked by the CES certification body
  - Vulnerability test (scan): an external vulnerability assessment of the internet-facing network perimeter, which is a CREST-mandated requirement (CREST being one of the CES accreditation bodies)

Cyber Essentials Plus: Stage 2/Independently tested [3]

  - Prerequisite: none (a ‘Cyber Essentials’ certificate is not required first)
  - Control stance: as per stage 1 above
  - Vulnerability test: external vulnerability assessment of the internet-facing network perimeter
  - Test: certification body security assessment of internal end-user devices (90% of all user devices [3]), tested against a list of known simulated malware packages

Which of the two badges is most appropriate for your organisation is a decision for you, and is likely to be informed by what your clients and stakeholders require.

It is worth noting that certification demonstrates that the organisation has “in place industry recognised minimum standards” [1]. Yes, minimum, and the badge shows that these were in place only on the day of the assessment. Cyber Essentials certification does not give any assurance that this security stance will be maintained, or that it will be robust enough for anything beyond the most basic internet-based risks. For this reason, organisations are required to recertify at least once a year [3], and potentially more frequently if customers demand it. (A word of warning for procurement teams: at present, it is intended that certificates of compliance do not have an expiry date. They are only truly valid for the day of the test, so they should not be taken to imply any period of validity; the scheme is based on tests generally being conducted once a year, unless clients demand otherwise.)

The final word on certification under this scheme relates to the selection of a CES certification body. It is up to your organisation to determine which CES certification body to appoint from an approved list (approved accreditation bodies are described at www.cyberstreetwise.com/cyberessentials,  and some CES accredited certification bodies are listed at www.cyberessentials.org). To issue a certificate, the CES certification body needs to demonstrate that it is well positioned to deliver the CES accreditation body’s certification process. As the scheme currently stands, there can be – and is – more than one accreditation body, and a single organisation can be both an accreditation and CES certification body [3].

The Cyber Essentials scheme requirements

The CES requirements consist of “5 essential strategies” [1] that are “appropriate for organisations for whom IT is a business enabler rather than a core deliverable” [1].

The scheme requirements document [2] refers to five “categories”:

  1. Boundary firewalls and internet gateways
    (supported by 5 subsidiary requirements)
  2. Secure configuration
    (supported by 5 subsidiary requirements)
  3. User access control
    (supported by 7 subsidiary requirements)
  4. Malware protection
    (supported by 5 subsidiary requirements)
  5. Patch management
    (supported by 4 subsidiary requirements)

The scheme requires the organisation to identify the scope boundary (the technology in scope, including all devices capable of connecting to the Internet, which in turn includes bring-your-own devices if your organisation allows them), and then to apply the categories and controls it describes. The scope must take due regard of outsourced IT services, and those externally provided IT services must be equally controlled and compliant. The requirements allow you to use alternative controls offering the same degree of protection if implementing the described ‘Boundary firewalls and internet gateways’ control is not feasible.

The CES requirements have very few references to processes (there is at least one – user account creation – and some of the other subsidiary requirements would be best served by introducing further processes) and do not require a management system (again, the certificate demonstrates that the controls were in place on the day of the assessment and does not give any assurance that they will be maintained appropriately).

Does the CES suit my organisation?

Whether CES and certification is for you or not, it is worth reflecting on the advice given in [1]: “The best approach to take is to seek the guidance of the experienced Cyber Essentials suppliers.” This is particularly relevant when defining the scope statement. If the scope is not valid, then what should be a relatively low-cost certification activity may need to be repeated time and time again until a) a certificate of compliance can be granted, by which point b) the costs have increased significantly.

Referring to Cyber Essentials certification bodies, the Guide [1] goes on to suggest “In addition to providing advice on the most appropriate standards they can perform a security review and/or risk assessment and help the organisation to determine which activities, controls, practices and certifications are right for mitigating the risks within their unique environment.” These are both things that IT Governance has been doing for years. Of course, IT Governance is also on the list of Cyber Essentials approved service providers (see www.cyberessentials.org/companies/index.html) – IT Governance is a CREST member and, as you might expect, has been on this list from its inception.

Back to the requirements and making the most of them. Given the scheme’s very specific focus, it falls short of what I believe are two essential arrangements that any and every organisation should have in place: effective information security incident management arrangements and an information security awareness programme. These two, along with CES compliance and any other cyber/information security initiative, would, of course, be almost impossible without the appropriate degree of management commitment!

What does this mean for my ISO 27001 compliant Information Security Management System?

The CES is not a replacement for ISO 27001.

The CES is focused on some of the ISO 27001 controls. I see the scheme driving the ISO 27001 message home further with all but the smallest of organisations. (It is worth noting that ISO 27001 has worked – and worked well – for a micro-business, see [workforce metrics case-study/video].) Perhaps the CES will provide the impetus for medium and larger organisations that have put off adopting accredited certification for their ISMS to bite the ISO 27001 bullet. This will be doubly reinforced if procurement teams and their clients understand what ISO 27001 certification means with regard to cyber/information security, and how to determine the degree of assurance an ISO 27001 certificate provides.

ISO/IEC 27001:2013 specifies that an organisation shall consider the requirements of ‘interested parties’, building on the implications of the 2005 version of the same standard. Given that ‘interested parties’ includes clients, employees and the community, it is reasonable to assume that at least one of these parties will require that the organisation protects itself against ‘low level cyber attacks’. The Cyber Essentials control profile is designed specifically with these in mind, so it is reasonable to conclude that all ISO 27001-compliant ISMSs will deliver the controls in the CES, or an equivalent that provides the same degree of assurance with regard to the associated risks. In short, organisations that claim compliance with, or hold certification to, ISO 27001 need to review their Statement of Applicability and ensure it considers and addresses the controls described in the Cyber Essentials requirements.

In conclusion…

The CES is a great place to start addressing cyber security for you and your suppliers. Indeed, I’d go further and say that compliance should be seen as mandatory; whether you want a badge to demonstrate your compliance to others or demand it of your suppliers is up to you. The cost of assessment is minimal in comparison to the assurance it provides to the organisation, its investors and clients. Furthermore, organisations should also pursue information security incident management and information security awareness as essential components of existing in a connected world.

With regard to its use in the supply chain, I’d expect any savvy procurement team to mandate compliance with the CES to tender/bid for contracts, whether that procurement team is based in a public sector organisation or not.  Yes, this is likely to drive organisations to CES certification, but the scheme was created with the aim of ensuring cost was not a barrier for small organisations.

[1] – A Guide to the Cyber Essentials Scheme (CREST Cyber Essentials Guide, final)

[2] – Cyber Essentials Scheme – Requirements for basic technical protection from cyber attacks, June 2014

[3] – Cyber Essentials Scheme – Assurance Framework, June 2014