What is Cyber Essentials? It's a UK government-backed IT security certification that is valid for 12 months. For self-assessment, organisations are assessed using a questionnaire. For Cyber Essentials Plus, an audit is required at least 3 months after self-certification.
Introduction
In January 2022, the UK’s National Cyber Security Centre (NCSC) urged organisations to strengthen their cyber security defences, due to tensions between Russia and Ukraine.
It is feared that if a military conflict breaks out, UK organisations may be targeted with cyber-attacks like those that crippled Estonia for three weeks in 2007.
The NCSC has advised UK organisations to take specific actions now to prepare for such an event.
What Is Cyber Essentials?
The UK Cyber Essentials programme is a Government-backed security certification designed to help organisations of any size improve their Cyber Security. It was launched in 2014 to help organisations implement a set of simplified security controls that mitigate the biggest risks with the least effort.
Cyber Essentials is operated at three different levels, by certification bodies, accreditation bodies and the NCSC themselves.
There are many certification bodies all around the UK, and these are the organisations that carry out assessments and issue certificates. When the programme started in 2014 there were five accreditation bodies: APMG, CREST, IASME, IRM Security and QG. However, since 2020 IASME has been the sole accreditation body. The NCSC oversees the Cyber Essentials programme.
Self-assessment is the initial certification that is done online. A set of questions must be answered in the self-assessment questionnaire (SAQ) and the submission must be signed off by a director of the company. This is not a simple multiple-choice questionnaire. Questions must be answered with freeform input giving details about system configuration.
For organisations that wish to have the Cyber Essentials Plus audit, an on-site visit is required. This can be done by one of the many certification bodies.
The cost of self-assessment starts at £300 + VAT and this increases to £500 + VAT for bigger organisations.
Cyber Essentials Plus will cost considerably more since the certification body will need to attend site and test the security of systems. If you are serious about protecting your organisation from Cyber attacks, then Cyber Essentials Plus is really what you need.
The National Cyber Security Centre’s website has all the resources you might need to prepare for self-assessment or Cyber Essentials Plus. Most of the effort will likely be spent on preparing for certification by updating policies and improving security. Once you have prepared, submitting the questionnaire will be fairly straightforward.
What Are The Benefits of Cyber Essentials?
The biggest benefit of obtaining Cyber Essentials certification is that going through the process will undoubtedly improve security in an organisation. It also demonstrates commitment to securing supply chains and ensuring that organisations are resilient when faced with ransomware, malware, or other types of Cyber-attacks.
Being Cyber Essentials certified also gives an organisation’s management a degree of peace of mind, in that they have a good baseline of Cyber defence in place.
UK domiciled organisations that are certified by an IASME certification body are eligible for free Cyber insurance, provided their turnover does not exceed £20 million.
And finally, contracts with central Government where sensitive data is handled or where certain technology is provided will require mandatory Cyber Essentials certification.
What Is Included In Cyber Essentials?
Requirement #1: Firewalls
Boundary firewalls must be used to isolate the organisation's digital assets from untrusted networks and devices. Firewalls and network devices must be configured securely. Host-based firewalls are recommended for endpoints.
Requirement #2: Secure configuration
Computers and network devices must be configured securely, by disabling services that are not needed, changing default accounts, and by regularly updating and patching firmware.
Requirement #3: User access control
This requirement specifies that user accounts should only be available to users who have a valid need for them. In addition, role-based access must ensure that authorised users are only granted access to the digital assets that they specifically need. This requirement also covers password policies and multi-factor authentication.
Requirement #4: Malware protection
This requirement states that malware must be prevented by using either effective anti-malware software, whitelisting of applications or sandboxing. It states that anti-malware signatures must be updated regularly, and protection must include web and file access controls.
Requirement #5: Security update management
This final requirement mandates that all software on all devices is updated and patched in accordance with best practices for vulnerability management. The requirement also says that software must be licensed and all software that is no longer supported should be removed.
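The five control areas above are what the self-assessment questions probe, so it helps to run a gap check over your own asset inventory before filling in the SAQ. The script below is an added example written for this article; it is not a tool from the NCSC, IASME or any certification body. It evaluates a small constructed inventory against the five areas and lists findings per device. The thresholds (14-day patch window, one-day signature age, 8-character minimum password) and the device fields are assumptions chosen for illustration, not figures quoted from the page.

```python
"""Gap check of a device inventory against the five Cyber Essentials control areas.

Added example for illustration only. Thresholds below are assumptions, not
figures taken from the article or from the official requirements document.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PATCH_WINDOW_DAYS = 14        # assumption: security updates applied within 14 days
SIGNATURE_MAX_AGE_DAYS = 1    # assumption: anti-malware signatures refreshed daily
MIN_PASSWORD_LENGTH = 8       # assumption: minimum password length in the policy


@dataclass
class Device:
    """One row of an asset inventory (fields are assumed, not a CE schema)."""
    name: str
    boundary_firewall: bool          # sits behind a boundary firewall
    host_firewall: bool              # host-based firewall enabled
    listening_services: List[str]    # services exposed on the network
    required_services: List[str]     # services with a business need
    default_accounts_changed: bool   # vendor default accounts removed/renamed
    mfa_enabled: bool                # multi-factor authentication enforced
    min_password_length: int         # policy-enforced minimum length
    anti_malware: Optional[str]      # "av", "allowlist", "sandbox" or None
    signature_age_days: Optional[int]
    days_since_patch: int            # age of the oldest outstanding update
    unsupported_software: List[str]  # products no longer receiving updates
    licensed: bool                   # all installed software licensed


def check_device(d: Device) -> Dict[str, List[str]]:
    """Return findings grouped by control area; an empty list means no gap found."""
    f: Dict[str, List[str]] = {
        "firewalls": [], "secure_configuration": [], "user_access_control": [],
        "malware_protection": [], "security_update_management": [],
    }
    # Requirement 1: boundary firewall mandatory, host firewall recommended.
    if not d.boundary_firewall:
        f["firewalls"].append("no boundary firewall between device and untrusted networks")
    if not d.host_firewall:
        f["firewalls"].append("host-based firewall disabled (recommended for endpoints)")
    # Requirement 2: remove unneeded services and default accounts.
    unneeded = sorted(set(d.listening_services) - set(d.required_services))
    if unneeded:
        f["secure_configuration"].append("unneeded services listening: " + ", ".join(unneeded))
    if not d.default_accounts_changed:
        f["secure_configuration"].append("vendor default accounts still in use")
    # Requirement 3: MFA and a password policy.
    if not d.mfa_enabled:
        f["user_access_control"].append("multi-factor authentication not enforced")
    if d.min_password_length < MIN_PASSWORD_LENGTH:
        f["user_access_control"].append(
            f"password policy allows fewer than {MIN_PASSWORD_LENGTH} characters")
    # Requirement 4: anti-malware, allowlisting or sandboxing; signatures current.
    if d.anti_malware is None:
        f["malware_protection"].append("no anti-malware, application allowlisting or sandboxing")
    elif d.anti_malware == "av" and (
            d.signature_age_days is None or d.signature_age_days > SIGNATURE_MAX_AGE_DAYS):
        f["malware_protection"].append(
            f"anti-malware signatures older than {SIGNATURE_MAX_AGE_DAYS} day(s)")
    # Requirement 5: patched within the window, supported and licensed software only.
    if d.days_since_patch > PATCH_WINDOW_DAYS:
        f["security_update_management"].append(
            f"security updates outstanding for {d.days_since_patch} days "
            f"(window {PATCH_WINDOW_DAYS})")
    if d.unsupported_software:
        f["security_update_management"].append(
            "unsupported software present: " + ", ".join(d.unsupported_software))
    if not d.licensed:
        f["security_update_management"].append("unlicensed software in use")
    return f


def is_ready(findings: Dict[str, List[str]]) -> bool:
    """True when no control area has an open finding."""
    return all(not v for v in findings.values())


def report(devices: List[Device]) -> Dict[str, Dict[str, List[str]]]:
    """Findings for every device in the inventory, keyed by device name."""
    return {d.name: check_device(d) for d in devices}


# Constructed sample inventory: one compliant laptop, one legacy file server.
SAMPLE_DEVICES = [
    Device("laptop-01", True, True, ["rdp"], ["rdp"], True, True, 12,
           "av", 0, 3, [], True),
    Device("fileserver-02", True, False, ["ssh", "smb", "telnet", "ftp"], ["ssh", "smb"],
           False, False, 6, "av", 30, 45, ["Windows Server 2008"], True),
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_DEVICES).items():
        print(f"{name}: {'READY' if is_ready(findings) else 'GAPS'}")
        for area, items in findings.items():
            for item in items:
                print(f"  [{area}] {item}")
```

Feed it a real inventory exported from your asset register and the per-area findings map directly onto the SAQ sections you will need to write answers for; the thresholds should be replaced with the ones in the current NCSC requirements document before relying on the output.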
How Do You Do A Cyber Essentials Assessment?
Step #1: Use the readiness toolkit
The NCSC has a very useful tool for getting free Cyber Essentials guidance and testing your readiness for the self-assessment. A wizard style questionnaire takes you through some basic questions about your organisation, and your IT infrastructure and devices. You will be given helpful resources and action items to resolve before you are able to be certified.
Step #2: Read the security requirements
NCSC also publishes a 22-page PDF document with a full set of security requirements that must be met before certification is possible.
Step #3: Make improvements needed
Most organisations will need to make some improvements or implement security processes before they can be certified for Cyber Essentials. The questionnaire contains freeform text answers, and if the answers are not sufficient, certification will be refused. This is to be expected, because one of the main objectives of this certification programme is to improve security.
Step #4: Choose a Cyber Essentials certification body
To improve your chances of getting certified, look for a more experienced certification body that is also authorised to provide Cyber Essentials Plus assessments. I recommend you contact Cyber Tec Security, the UK's leading Cyber Essentials certification body with over 30 years' experience in the industry. But you can also use the tool on the IASME website to select any certification body on the list.
Step #5: Contact Certification body and pay the fee
The Cyber Essentials certification bodies will be able to give further advice to assist in completing the SAQ. It’s best to contact the certification body directly and discuss the process.
Step #6: Complete the SAQ online
Once you have received access to the security questionnaire you can complete it in your own time and submit when you are happy that you have answered all questions sufficiently.
Some Final Words
So is Cyber Essentials a waste of time or money?
Considering that you may qualify for £20 million worth of free Cyber insurance and the average Cyber attack in the UK costs in the region of £3 million, surely it's a no-brainer.
So when you are ready to go ahead with Cyber Essentials and you want to work with the UK's leading certification body, check out Cyber Tec Security in Bristol.
If you work in a large organisation and you are interested in more advanced Cyber Security defences, then check out my article about the top 5 Cyber Security tools companies need.
If you found this article useful and would like to be the first to read new articles and Cyber Security updates, please go ahead and sign up for my newsletter.