Cyber Essentials is a UK Government sponsored and recognised cyber security certification scheme covering key security controls: "Cyber Essentials defines a set of controls which, when properly implemented, will provide organisations with basic protection from the most prevalent forms of threats coming from the Internet." - Cyber Essentials Scheme Summary
The Cyber Essentials Scheme was set up by the Cabinet Office and the Department for Business, Innovation & Skills with professional input from industry bodies such as the Council of Registered Ethical Security Testers (CREST). It covers the following five key cyber security controls:
1. Boundary firewalls and Internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
We have extensive experience in all of the above areas and, through a partnership with an accredited Certification Body, are in a position to ensure that your organisation has effective and efficient controls that meet the requirements of the scheme and passes the certification audit first time with minimum effort. To support you in becoming Cyber Essentials certified we can:
- Project manage both your implementation and certification activities
- Draft or review the necessary documentation taking into consideration your business requirements
- Advise you on what processes need to be implemented and how to implement them
- Conduct pre-audit vulnerability assessments and advise on remediation of any identified weaknesses
- Arrange the audit and support you during the assessment process by the Certification Body
There are two levels of Cyber Essentials certification: Cyber Essentials and Cyber Essentials Plus. The Cyber Essentials Scheme Summary document defines these two levels as follows:
Cyber Essentials certification is awarded on the basis of a verified self-assessment. An organisation undertakes its own assessment of its implementation of the Cyber Essentials control themes via a questionnaire, which is approved by a senior executive such as the CEO. This questionnaire is then verified by an independent Certification Body to assess whether an appropriate standard has been achieved, and certification can be awarded. This option offers a basic level of assurance and can be achieved at low cost.
Cyber Essentials Plus offers a higher level of assurance through the external testing of the organisation’s cyber security approach. Given the more resource intensive nature of this process, we anticipate that Cyber Essentials Plus will cost more than the foundation Cyber Essentials certification.
We recommend Cyber Essentials Plus for organisations with systems or applications accessible from the Internet, while Cyber Essentials is appropriate for any organisation.
The following well-known organisations have chosen to become Cyber Essentials certified (this is an incomplete list for illustrative purposes only):
Airbus Defence & Space, Barclays Bank, City of London Police, Confederation of British Industry, Grant Thornton, Harpenden Building Society, JCB, Jupiter Asset Management, Manpower, Virgin Media Business, Vodafone, Volkswagen Financial Services
Cyber Essentials
Cyber Essentials is the first level of certification and the first stage of assessment under the Cyber Essentials Scheme. It requires a verified self-assessment of how the organisation implements the controls required by the Scheme. The steps involved in becoming certified at this level are as follows:
1. The organisation decides on and documents the scope of the certification, which can be the whole organisation or a specific department or function, and ensures that the requirements of the Scheme have been fully and effectively implemented within that scope, if necessary by engaging a Cyber Essentials qualified consultancy.
2. The organisation's chief executive, managing director or similar official signs a formal declaration of compliance with the requirements of the Cyber Essentials Scheme, which is submitted to an accredited Certification Body along with relevant evidence.
3. The Certification Body reviews the submitted documentation and, provided it meets the requirements of the Scheme, issues a certificate of conformance which is valid for one year and allows the organisation to use the Cyber Essentials certification mark.
Cyber Essentials Plus
Cyber Essentials Plus is the second, higher-assurance level of certification and the second stage of assessment under the Cyber Essentials Scheme, building on the assurance provided by the first level. It requires all of the steps required for Cyber Essentials and in addition includes the following requirements:
- Internal and external vulnerability scanning and assessment of the organisation's network and Internet gateway using approved vulnerability scanners.
- Software configuration reviews of a sample of the organisation's computing systems to ensure that all requirements of the Scheme are adequately implemented.
Once the Certification Body has performed the above testing activities and is satisfied that the requirements of the Scheme are met, it issues a certificate of conformance which is valid for one year and allows the organisation to use the Cyber Essentials Plus certification mark.
For more information, complete a free online self-assessment questionnaire or contact us to discuss your requirements.