What is Cyber Essentials (UK)?
Cyber Essentials is a government-backed scheme that was created to help organizations of all sizes protect themselves from a wide range of common cyber attacks. It was established to ensure a baseline level of cyber security is accessible and achievable for all.
There are two levels of Cyber Essentials certification:
- Cyber Essentials – This level of certification involves a self-assessment aimed at protecting you from basic common cyber attacks (that if left open can lead to more serious and complex attacks). This certification will walk you through the steps needed to address the basics and prevent the most common attacks.
- Cyber Essentials Plus – This level of certification involves exactly the same controls and simplicity of approach, with an added hands-on technical verification. Both certifications can either be achieved at the same time or the “Plus” can be achieved within 3 months of the basic self-assessment certification. Small organizations who undertake Cyber Essentials Plus are offered Cyber Insurance via IASME, the certifying body. (More information about the insurance can be found here: https://iasme.co.uk/cyber-essentials/cyber-liability-insurance/)
Cyber Essentials was created by the British Government together with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF). The government department involved in Cybersecurity set up the National Cyber Security Centre (NCSC). IASME is now the official Cyber Essentials delivery partner and they provide help, guidance and the ability for organizations to become certified. Certificates awarded by IASME for compliance with Cyber Essentials are valid for a 12-month period after which they need to be renewed.
An independently-verified certification, Cyber Essentials was originally released for public use on June 5th, 2014 and has received updates since. On January 24th, 2022, a new set of technical requirements and question sets came into effect. Any assessments that begin on or after this date are now certified to the new standard. IASME has noted that there is a grace period until January 2023 for organizations to meet certain technical requirements.
Particular care has been afforded the Education sector as they have been hit with an enormous number of cyber attacks, ransomware and data breaches. To that effect, a Cyber Essentials pilot scheme built especially for schools has been released by IASME together with the Risk Protection Arrangement (RPA). The RPA is an alternative to commercial insurance for public sector schools in England. It aims to protect public sector schools against losses due to unforeseen and unexpected events. You can find details of what the RPA covers and how to become a member at The Risk Protection Arrangement (RPA) for schools – GOV.UK (www.gov.uk).
What are the requirements for Cyber Essentials (UK)?
The framework itself is built on compliance against 5 technical controls:
- Secure Configuration
- User Access Control
- Malware Protection
- Security Update Management
Each of these main areas encompasses its own detailed objectives and requirements to apply to the scope of your assessment.
The National Cyber Security Centre (NCSC) detailed steps to compliance in the new requirements released in January 2022. The three main steps are:
1. Establish the boundary of scope for your organization and determine what is in scope within this boundary.
2. Review each of the five technical control themes and the controls they embody as requirements.
3. Take steps as necessary to ensure that your organization meets every requirement, throughout the scope you have determined.
Why should you become Cyber Essentials (UK) compliant?
The overall goal of the NCSC and Cyber Essentials is to make the UK a safer place to live, work and do business with. The main benefits of becoming Cyber Essentials certified are listed on their site as:
- Reassure customers that you are working to secure your IT against cyber attack
- Attract new business with the promise you have cyber security measures in place
- You have a clear picture of your organization’s cyber security level
- Some Government contracts will require Cyber Essentials certification
Cyber Essentials is suitable for any organization, of any size, in any sector. Whilst it has been created for organizations within the UK, certification is available for any organization overseas who wishes to meet UK Cyber Essentials requirements.
Since October 2014, the British Government required all suppliers bidding for contracts involving the handling of certain sensitive and personal information to be certified against the Cyber Essentials scheme. The NCSC writes more recently on their website that organizations who want to bid for a government contract should clarify for each contract as to their expectations for Cyber Essentials, as requirements and exemptions may vary between departments.
Cyber Essentials is not a set of laws so non-compliance will not result in penalties or fines. Not achieving Cyber Essentials may mean:
- Not bidding for or being accepted for government contracts
- Not being protected against common cyber attacks
- Being unable to show your customers that you are committed to best Cybersecurity practices and protections.
How to achieve Cyber Essentials (UK) compliance?
To finish the certification process, once you have paid via the official website, you will receive the login details for a secure online assessment platform. The questions are the same as those used for preparation on our platform.
Finally, a board member from your organization will sign a declaration to confirm that the assessment answers are true. A qualified assessor who works for a Certification Body like IASME will then evaluate the responses. In the event that you pass you receive a certificate. [If you fail, you will receive feedback so you know which areas need to be addressed should you either want to re-apply for Cyber Essentials certification or take the opportunity to improve your cyber security.
The best way to achieve the Cyber Essentials objectives is to use a compliance management platform that will break down the requirements into a simple questionnaire, tracking your progress towards full compliance and offering actionable remediation insights to bridge any gaps. Centraleyes offers a built-in Cyber Essentials questionnaire that will prepare your organization for certification using built-in powerful automated tools to guide you through the process simply and efficiently.
Read more: https://www.ncsc.gov.uk/cyberessentials/overview
Guide for IT Infrastructure Cyber Essentials: Requirements for IT infrastructure