Cyber Essentials is an industry-supported certification scheme developed by the UK Government. The scheme sets out criteria against which an organisation can measure its cyber security systems.
Achieving certification in Cyber Essentials therefore provides confidence and reassurance that the certified organization has covered the essential cyber security precautions.
Since 1 October 2014, the UK Government has made Cyber Essentials certification compulsory for organizations bidding for contracts that require the handling of sensitive and personal information.
Why was Cyber Essentials introduced?
Cyber security breaches are becoming increasingly frequent. Many organizations are making the wise move of implementing controls such as ISO27001, but such efforts only constitute a single aspect of an over-arching cyber security strategy.
Cyber Essentials has been developed to address the need for government and wider industry to ensure that their partners and suppliers are implementing a standard level of cyber security. Certification in Cyber Essentials not only instils confidence in the organization achieving certification, but also allows the organization to provide evidence to its customers and stakeholders that their assets and data are resilient against cyber threats.
The concepts of Cyber Essentials are valid even if you do not intend to seek certification: they set out controls that it is good practice for any organisation to implement.
Which controls does Cyber Essentials cover?
Cyber Essentials covers five key controls:
• Boundary firewalls and internet gateways – prevention of unauthorized access
• Secure configuration – ensures secure system configuration
• Access Control – ensures appropriate access to systems
• Malware protection – installation and maintenance of virus and malware protection
• Patch management – application of patches and ensuring the latest version of applications is used
What levels of Cyber Essentials are available?
There are two levels of Cyber Essentials certification available, the standard Cyber Essentials certification and Cyber Essentials Plus.
Cyber Essentials certification will provide a basic level of confidence that an organization has implemented cyber security controls effectively.
Cyber Essentials Plus builds on the Cyber Essentials foundations. Certification at this level tests whether the organization’s implemented controls are sufficient to protect against internet-based threats. Achieving Cyber Essentials Plus certification is more challenging than achieving the standard Cyber Essentials certification, and includes a pen test to provide a higher level of assurance that the organization’s cyber assets are secure. Certification is valid for 12 months.
The standard Cyber Essentials certification must already be held in order to apply for Cyber Essentials Plus certification.
What are the benefits of Cyber Essentials certification?
• Provides cost-effective, basic cyber security for organizations of all sizes
• Demonstrates that an organization meets one of the eligibility requirements when bidding for UK Government contracts
• Can reduce the risk of prevalent cyber-attacks on an organization
• Differentiates an organization from its competitors by demonstrating that it takes cyber security seriously