What Is Cyber Essentials?
Cyber Essentials is an information assurance scheme operated by the National Cyber Security Centre (NCSC) that helps organisations protect themselves against online threats.
The Government collaborated with the Information Assurance for Small and Medium Enterprises (IASME) and the Information Security Forum (ISF) to create a set of technical controls to help organisations protect themselves against online security threats.
The complete scheme was launched on June 5, 2014. The Federation of Small Businesses (FSB), the Confederation of British Industry (CBI) and several insurance companies support it.
The Scheme Is Suitable for Any Organisation, Large or Small
The Cyber Essentials scheme is the UK Government’s answer to a safer internet space for any organisation of any size. 80% of the most common cyber security threats are covered by the Cyber Essentials controls. Developed and defined by the National Cyber Security Centre, implementation of these basic controls by your organisation should reduce your business’s exposure to the risk of cyber attacks.
Cyber Essentials certification provides a way of demonstrating to customers, investors, insurers and others that you have taken the minimum precautions to protect your organisation against cyber threats.
What Is the Cyber Essentials Plus Scheme?
Cyber Essentials and its Plus variant differ in one way: Cyber Essentials Plus requires an independent assessment to be carried out by an auditor for the purpose of certification.
Cyber Essentials Plus Audit Explained
- An audit is performed to ensure that the devices used within your organisation are securely configured according to the scheme specifications. A random sample of the computers used within your organisation is tested.
- Vulnerability scans are completed on the sampled machines to confirm that patching and basic configuration are acceptable.
- An external port scan of your organisation’s internet-facing addresses is conducted to check for apparent misconfigurations or vulnerabilities.
- A test is conducted on internet browsers and email clients to confirm that appropriate security provisions are configured to prevent simulated malicious files and similar from being executed.
Cyber Essentials Plus is the higher level of certification within the scheme, involving a more stringent test of an organisation’s systems by a third party.
Why You Need Cyber Essentials (Plus)
- Win new business and retain existing clients/contracts.
- Secure new funding and investment to take your business to the next level.
- Protect your reputation with potential customers by showing that data security is at the heart of your organisation.
- Avoid data breaches and fines.
- Demonstrate your business takes compliance and its legal obligations seriously.
Why Is Cyber Essentials Important?
Irrespective of your company size, you could be a target of a cyber attack. Suppliers, vendors, and larger companies are all part of a network entwined with each other.
The damage caused by a cyber security breach will ripple down your supply chain. To ensure they are not the weakest link, organisations need to evaluate their threat profile and implement strategies and staff training in cyber security. The fines and costs associated with a data breach can put small organisations out of business or cause irreparable damage.
How Much Does It Cost to Become Cyber Essentials and Plus Certified?
Cyber Essentials costs start from £300 + VAT.
Costs depend on the size and complexity of your organisation, and the cost of preparing for Cyber Essentials Plus will be different.
Cyber Essentials & Bidding for Public Sector Contracts
Cyber Essentials certification is a requirement for government contract tenders.
Suppliers will have to comply with the Cyber Essentials controls if they bid on government contracts. This mandate was introduced on October 1, 2014, during the Conservative and Liberal Democrat coalition government.
For example, the Education Skills and Funding Agency (ESFA) has introduced requirements that universities, colleges, training, contractors and employers within higher education must be Cyber Essentials compliant (2020/2021), Cyber Essentials Plus certified (2021/2022) or demonstrate compliance to an equivalent framework or standard.
Further requirements to become ISO 27001 certified and the need to demonstrate a business continuity policy are intended to be introduced at a later date.
Cyber Essentials vs ISO 27001
ISO 27001 is the more comprehensive certification, but Cyber Essentials ensures the core elements of your business security are in line with National Cyber Security Centre standards.
Certification in ISO 27001 Does Not Guarantee Compliance with Cyber Essentials
A Cyber Essentials badge can be viewed as an essential indicator of cyber security, even though ISO/IEC 27001 is seen as offering a more extensive level of assurance.
There will be some clients who will require a Cyber Essentials certificate. The two should be seen as being complementary rather than competing.
| | ISO 27001 | Cyber Essentials |
|---|---|---|
| What is it | An international standard that sets out the requirements of an Information Security Management System to manage information security risk. The standard is not mandatory, however many contracts require it. | The NCSC-backed UK assurance scheme addressing five technical security controls that help businesses address common vulnerabilities. Cyber Essentials is a requirement for government contracts. |
| Risk | ISO 27001 uses a risk-based approach: the organisation sets its own risk acceptance criteria and risk methodology, which are used to determine how risks are addressed. | Cyber Essentials addresses the most common vulnerabilities in the organisation with a fixed set of controls. It is not a risk-based approach. |
| Recognition | ISO 27001 is recognised around the world as an international standard. | Cyber Essentials is a UK-based scheme that is not well known in other countries. |
| Time to implement | Months. | Days to weeks. |
| Certification process | Certification is provided by a certifying body and includes Stage 1 and Stage 2 audits. As long as the organisation passes the audits, certification lasts for three years. | For Cyber Essentials Plus, you need to complete a self-assessment questionnaire, undergo vulnerability scans, and be assessed by an IASME Cyber Essentials Assessor. Certification must be repeated annually. |
| Costs | Medium to high cost. | Low cost. |
| Scope | The scope is defined by the organisation, but the standard covers more than just IT. | Cyber Essentials focuses on the five technical controls (see “What Are the Cyber Essentials Controls?” below). |
| Applicability | Aimed at businesses of all sizes. | Aimed at all businesses, but also targets smaller businesses that may not have thought about cybersecurity. |
Cyber Essentials & GDPR
Cyber Essentials focuses on fundamental technical controls, but it’s not enough for GDPR.
Implementing the technical controls of Cyber Essentials lets you show the ICO that your organisation is on the right path to GDPR compliance.
GDPR is an extensive regulation that requires businesses to protect personal data, for example:
- UK citizens’ personal information (such as bank details or home address).
- Personal information of any government employees, ministers, or advisors (such as expenses information).
Remember, if your organisation handles personally identifiable information of EU citizens, you must comply with GDPR. Abiding by Cyber Essentials does not ensure compliance with GDPR.
How Is Cyber Essentials Implemented?
There are five basic control areas that organisations should tackle to mitigate risk from the most common cyber attacks. Implementing these controls shows a clear commitment to improving your organisation’s approach to cyber security.
What Are the Cyber Essentials Controls?
These five control areas are intended to prevent up to around 80% of cyber attacks.
- Use a firewall to protect devices connected to the internet.
- Make sure you use secure settings. For example, leaving your hardware (such as a router) on its default configuration makes your organisation vulnerable.
- Consider who has access to your data, and put relevant controls in place to protect it from access by unauthorised parties.
- Ensure your devices are protected from viruses and malware. The WannaCry attack on the NHS in 2017 shows how quickly these malicious attacks can spread.
- Ensure your organisation’s devices and software are kept up to date with the latest security updates so that protection remains complete.
The five controls outlined in Cyber Essentials are fundamental technical measures, but when it comes to security, technology is only as effective as the people using it. It is always advisable to conduct staff awareness training to mitigate the risk of mistakes by employees.
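A practical way to prepare for the five control areas above is to run a self-check over your own asset register before the assessor samples your devices. The script below is an added example, not part of the Cyber Essentials scheme, the NCSC’s guidance or any assessor’s tooling. The inventory field names, the single-administrator threshold for the access control check and the 14-day maximum age for security updates and anti-malware signatures are all assumptions made for this illustration; the inventory itself is constructed sample data.

```python
"""Pre-assessment self-check of a device inventory against the five Cyber
Essentials control areas: firewall, secure configuration, access control,
malware protection and security updates.

Added example (not the scheme's own tooling). Field names, thresholds and the
sample inventory are assumptions constructed for illustration.
"""
from datetime import date

# Assumed maximum age, in days, of the newest security update and of the
# anti-malware signatures before a device is flagged. Tune to your own policy.
MAX_AGE_DAYS = 14

# Constructed assessment date so that results are reproducible offline.
ASSESSMENT_DATE = date(2024, 3, 10)

# Constructed sample inventory, one record per device as an asset register might
# export it. "admin_users" lists accounts that hold administrative rights.
SAMPLE_INVENTORY = [
    {"hostname": "laptop-01", "firewall_enabled": True, "default_credentials": False,
     "admin_users": ["it-admin"], "antimalware_installed": True,
     "antimalware_signatures_date": "2024-03-01", "last_security_update": "2024-03-03"},
    {"hostname": "router-edge", "firewall_enabled": True, "default_credentials": True,
     "admin_users": ["admin"], "antimalware_installed": False,
     "antimalware_signatures_date": None, "last_security_update": "2023-11-20"},
    {"hostname": "desktop-07", "firewall_enabled": False, "default_credentials": False,
     "admin_users": ["it-admin", "jsmith"], "antimalware_installed": True,
     "antimalware_signatures_date": "2024-01-15", "last_security_update": "2024-02-28"},
]


def _age_days(iso_date, today):
    """Days between an ISO-8601 date string and `today`; None if the date is missing."""
    if not iso_date:
        return None
    return (today - date.fromisoformat(iso_date)).days


def check_device(device, today=ASSESSMENT_DATE, max_age=MAX_AGE_DAYS):
    """Return the control areas the device fails, in a fixed order (empty = pass)."""
    failures = []
    # Control 1: boundary protection on the device itself.
    if not device["firewall_enabled"]:
        failures.append("firewall")
    # Control 2: vendor default credentials are the classic insecure setting.
    if device["default_credentials"]:
        failures.append("secure_configuration")
    # Control 3: least privilege. More than one admin account is flagged for
    # review (assumed threshold, not a scheme rule).
    if len(device["admin_users"]) > 1:
        failures.append("access_control")
    # Control 4: anti-malware must be present and its signatures recent.
    sig_age = _age_days(device["antimalware_signatures_date"], today)
    if not device["antimalware_installed"] or sig_age is None or sig_age > max_age:
        failures.append("malware_protection")
    # Control 5: security updates applied within the assumed window.
    patch_age = _age_days(device["last_security_update"], today)
    if patch_age is None or patch_age > max_age:
        failures.append("security_updates")
    return failures


def assess_inventory(inventory, today=ASSESSMENT_DATE):
    """Map hostname -> list of failed control areas for every device."""
    return {d["hostname"]: check_device(d, today) for d in inventory}


def summarise(results):
    """Count devices failing each control area; areas nobody fails are omitted."""
    counts = {}
    for failures in results.values():
        for area in failures:
            counts[area] = counts.get(area, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY)
    for host, failures in results.items():
        print(f"{host}: {'PASS' if not failures else 'FAIL ' + ', '.join(failures)}")
    print("devices failing per control area:", summarise(results))
```

Replace `SAMPLE_INVENTORY` with an export from your own asset register and adjust the thresholds to your patching policy; the per-host output tells you which control area to fix before the assessor’s sample is drawn, and the summary shows which control is weakest across the estate.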
Frequently Asked Questions
What Is the Difference Between Cyber Essentials and Cyber Essentials Plus?
The Basic Level of Cyber Essentials Is Self-Assessed
There are eight sections and 70 questions in the questionnaire. All the questions must be answered. Your answers must be approved by a board-level representative, business owner, or equivalent. The chosen representative needs to sign a declaration that all the answers are correct before you submit your assessment.
Cyber Essentials Self-Assessment
You will need to complete the Cyber Essentials self-assessment in order to be certified to Cyber Essentials Plus. If you already hold the self-assessed Cyber Essentials, you will need to complete your Cyber Essentials Plus audit within three months of your basic certification. The assessment cost will vary depending on the size and complexity of your organisation. The Cyber Essentials certification process checks the technical controls and also includes a check against key governance aspects. These key governance aspects are as follows:
- Risk assessment and management
- Training and managing people
- Change management
- Incident response and business continuity
What Is the Difference Between Cybersecurity and Information Security?
Do I Have to Have Cyber Essentials Before Getting Cyber Essentials Plus?
Who Accredits Cyber Essentials Plus?
How Long Is the Cyber Essentials Certification Valid For?
Can You Become Cyber Essentials Certified Outside the UK?
Cyber Essentials Is a Certification; GDPR Is a Regulation and Mandatory
While Cyber Essentials is a good start, the new General Data Protection Regulation (GDPR) means you must demonstrate your commitment to protecting personal data for your staff, customers and other EU/UK citizens. Cyber Essentials compliance helps with some of the computer and network security requirements of the GDPR.
ISMS.online can help you comply with the new regulations right now, whether or not you get Cyber Essentials today or in the future. It’s not a question of one or the other, but if you are considering the improvement of your information security, then we suggest you start with GDPR compliance and consider applying for Cyber Essentials later. You are then in a great place to start protecting all your valuable information assets by aligning to, or achieving, ISO 27001 certification.
Disconnected templates and toolkits supported by an expensive consultant just don’t cut it anymore. You need an ISMS that works for you both now and as your business grows.
Policies & Controls Management
Easily collaborate, create and show you are on top of your documentation at all times
Measurement & Automated Reporting
Make better decisions and show you are in control with dashboards, KPIs and related reporting
Audits, Actions & Reviews
Reduce the effort and make light work of corrective actions, improvements, audits and management reviews
Mapping & Linking Work
Shine a light on critical relationships and elegantly link areas such as assets, risks, controls and suppliers
Interested Party Management
Visually map and manage interested parties to ensure their needs are clearly addressed
Simply document, easily control and publish your procedures to ensure stakeholders follow them
Other Standards & Regulations
Neatly add in other areas of compliance affecting your organisation to achieve even more for less
Staff Awareness & Compliance Assurance
Engage staff, suppliers and others with dynamic end-to-end compliance at all times
Supply Chain Management
Manage due diligence, contracts, contacts and relationships over their lifecycle
User Management & Permissions
Practical permissions with low cost plans for more regular and occasional users