Cyber Essentials, is it Essential?

There is a pretty good chance you will have heard of the Cyber Essentials but is it essential?

Cyber Essentials was launched back in 2014 by the National Cyber Security Centre (part of GCHQ) as a UK Government backed initiative aimed at improving the basic level of cyber security within UK organisations. The scheme is based around 5 key controls that, if implemented correctly, will help organisations guard against the most common internet-based cyber security threats.

The scheme is based around 5 key controls:

• Firewalls
  
• Secure configuration
  
• Malware protection
  
• User access control
  
• Patch management
  

From the launch in 2014 to the 1st April 2020 several Accreditation Bodies (ABs) worked with the National Cyber Security Centre (NCSC) to administer the scheme via their networks of Certification Bodies (CBs). Since 1st April 2020, the IASME Consortium (one of the original ABs) was awarded the contract to become the NCSC's chosen partner to deliver the Cyber Essentials Scheme.

Since its inception, Cyber Essentials has become increasingly popular, with more organisations choosing to certify to the standard. This increase could partly be attributed to certification becoming a mandatory contractual requirement in some supply chains. This is especially the case when looking to supply into the public sector.

Certifying to the Cyber Essentials standard can also help showcase an organisation's commitment to cyber security as well as act as a useful marketing tool with which to attract potential clients. Certification is offered at 2 levels: 'Cyber Essentials' and 'Cyber Essentials Plus'.

Cyber Essentials

Cyber Essentials, sometimes referred to as 'Cyber Essentials Basic', consists of a self-assessed questionnaire (SAQ) aimed to assess whether applicants meet the Cyber Essentials standard. The SAQ is completed by the applicant organisation and submitted online via an assessment portal. Upon submission, the SAQ responses are independently reviewed by a qualified assessor who will then issue a certificate with a pass or guidance with a fail.

Cyber Essentials is an entry level cyber security certification that is designed to be both accessible and affordable. A reason for this is to encourage uptake from smaller organisations that have traditionally held the misplaced belief that they are 'too small to be a target' of cyber criminals. The scheme offers a straight-forward certification process where all the questions asked of the applicant deal with basic security concepts. The SAQ questions and guidance are worded so that individuals possessing only a modest understanding of IT can complete it with confidence.

That said, there are instances where some larger organisations have initially experienced difficulties in meeting the required standard. This is usually due to the Cyber Essentials requirements being binary and not allowing for any compensating controls or mitigations that are typically implemented within larger organisations.

As an added bonus for achieving Cyber Essentials certification, free cyber insurance is offered to all qualifying organisations that meet the required standard. Certification is valid for a 12-month period after which time the process needs to be repeated in order to renew for a further 12 months.

Cyber Essentials Plus

Cyber Essentials Plus revolves around the same basic controls as Cyber Essentials. The difference between the certifications is that Cyber Essentials Plus requires a qualified assessor to independently audit the applicant organisation. The audit process involves a series of tests on a representative sample of 'in scope' systems as well as conducting external and internal vulnerability assessments. Achieving the Cyber Essentials Plus certification results in a higher degree of assurance that the required standards have been met.

Due to the nature of the testing requirements, the costs associated with Cyber Essentials Plus are greater than Cyber Essentials. Assessment prices can vary depending on the size, scope, and complexity of the applicant organisation. It is also worth mentioning that Cyber Essentials certification is a prerequisite to achieving Cyber Essentials Plus, which must then be attained within a 3-month period.