UPDATE: Since this post was published in September 2014, Ascentor has added a dedicated Cyber Essentials page to our website with an additional PDF download. This article is still valid but, should you wish to read our more detailed explanation about the different Cyber Essentials levels and the three routes to certification with costs, please visit the page here.
Are you an organisation planning to bid for public sector contracts requiring access to government information? If so, you will need to be Cyber Essentials certified from October 1st. Yes, it’s yet another certification – but there are competitive advantage benefits too.
Not only will it provide measures to reduce your vulnerability to a cyber security attack, it will also demonstrate your cyber resilience and level of compliance to customers. Achieving certification will therefore send a reassuring message to existing and potential clients – as well as opening opportunities to tender where certification to the scheme becomes a requirement.
Background to Cyber Essentials
Cyber Essentials builds on earlier Government guidance in 2012 that encouraged organisations to consider whether they were managing their cyber risks – namely the CESG “10 Steps to Cyber Security” and the small business guide “What you need to know about Cyber Security” .
However, despite this guidance cyberattacks continued, suggesting that security controls were still not being applied in some organisations. In addition, smaller businesses without access to IT teams may have found the guidelines complex, according to IASME.
Accordingly, Cyber Essentials was developed by Government with the help of industry and was launched in June 2014. It is now seen as the “organisational standard” for all UK businesses and organisations that want to mitigate basic cyber risk – and offers two relatively low-cost levels of certification.
Cyber Essentials – what it is – and what it isn’t
The Government’s summary paper on the Cyber Essentials scheme describes it as:
Cyber Essentials defines a set of controls which, when properly implemented, will provide organisations with basic protection from the most prevalent forms of threats coming from the Internet. In particular, it focuses on threats which require low levels of attacker skill, and which are widely available online.
While Cyber Essentials is a positive step towards better security, it is important to recognise that Cyber Essentials certification is only an audit and “snapshot” of the organisation’s cyber security capability – at the time of assessment. In this respect it’s like an MOT, measuring cyber security “road-worthiness” at a point in time, consequently, it shouldn’t be seen as evidence of on-going cyber security effectiveness.
What’s more, many organisations will have their own systems, such as web applications, for example, that will require additional and specific controls beyond those provided by Cyber Essentials – issues that might be addressed by Cyber Essentials Plus or IASME system management.
However, the Government believes the scheme offers the right balance between providing assurance of an organisation’s commitment to implementing cyber security to third parties, while retaining a simple and low-cost mechanism for doing so.
Cyber Essentials – what it covers
Cyber Essentials concentrates on five key controls relating to the CESG “10 Steps”. These controls were identified by the government as those that, if they had been in place, would have stopped the majority of the successful cyber attacks over the last few years. They are:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
The Assurance Framework
There are two levels of certification:
Cyber Essentials – a self-assessment process, signed off by a senior executive, followed by an external verification by an independent certification body. This level of assessment will be mandated as of the 1st October for companies with a requirement to access HMG information.
Cyber Essentials Plus – offering a higher level of assurance with external testing of the organisation’s cyber security approach. This level is optional and provides more in-depth assessment of the security controls to protect from basic cyber attacks.
More information on the two stages of Cyber Essentials and how they become embedded in the organisation’s approach to information risk management over time can be found here: HM Government: Cyber Essentials Scheme: Summary
Cyber Essentials – how to become certified
There are two accrediting bodies offering independent assessment for Cyber Essentials certification. They are: Information Assurance for Small and Medium Enterprises (IASME) Consortium and CREST.
You can find out more about the ways to gain certification in our free download Cyber Essentials Scheme “Protect your business from cyber threats and gain valuable certification”. Please click the icon below to receive your copy.
Ascentor was selected by IASME as the first licensed external assessors of its assessment process. Trained and licensed to assess for Cyber Essentials certification, Ascentor can partner with your organisation to ensure you meet this security management standard. The first stage of the process, via IASME, is completion of the self-assessment questions – these questions will help to ensure you understand the issues and find out the answers in advance of starting the live assessment. An online assessment follows.
Ascentor implements the IASME Cyber Essentials scheme by providing one day’s advice from a Cyber Security Expert. This support is designed to support organisations in both understanding and completing the application form but also provides validation of the evidence that the organisation intends to submit in its application. This effectively de-risks the application failing because the expert can advise whether the available evidence is robust enough to achieve certification.
In addition, SME’s completing the IASME standard also receive Cyber Essentials accreditation as part of the process.
Want to keep up to date with Cyber Essentials?
Article by Dave James, MD of Ascentor.
Useful links to:
HM Govt Cyber Essentials summary and Q&A
The IASME Cyber Essentials Scheme
The CREST scheme