What is Cyber Essentials
The UK government has worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to develop Cyber Essentials, a set of basic technical controls for organisations to use. The full scheme, launched on 5 June 2014, enables organisations to gain one of two new Cyber Essentials badges. It is backed by industry, including the Federation of Small Businesses, the CBI and a number of insurance organisations which are offering incentives for businesses. From 1 October 2014, government requires all suppliers bidding for certain contracts that involve handling sensitive and personal information to be certified against the Cyber Essentials scheme. Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations can implement and potentially build upon. It defines a focused set of controls which provide cost-effective, basic cyber security for organisations of all sizes. The Assurance Framework, leading to the awarding of Cyber Essentials and Cyber Essentials Plus certificates, has been designed in consultation with SMEs to be light-touch and achievable at low cost.
The Cyber Essentials Scheme Requirements Document focuses on Internet-originated attacks against an organisation’s IT systems. Many organisations will run additional services, e.g. web applications, that require specific controls beyond those provided by Cyber Essentials. Cyber Essentials concentrates on five key controls. These are:
- Boundary firewalls and internet gateways – devices designed to prevent unauthorised access to or from private networks; whether in hardware or software form, they must be set up correctly to be fully effective.
- Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
- Access control – ensuring that only those who should have access to systems have it, and at the appropriate level.
- Malware protection – ensuring that virus and malware protection is installed and kept up to date.
- Patch management – ensuring that the latest supported version of each application is used and that all necessary patches supplied by the vendor have been applied.
The Assurance Framework is designed to provide a simple means for third parties to distinguish organisations that are implementing basic cyber security controls from those that are not. This can be used in a number of ways: an organisation may undergo certification to mark itself out from its competitors; it may require certification from partners where contractual relationships expose it to wider cyber risk (for example where information is shared); and insurers, investors and auditors may take certification into account when assessing an organisation’s risk profile.
The two levels of certification, Cyber Essentials and Cyber Essentials Plus, are set out in the figure below:
- Cyber Essentials certification is awarded on the basis of a verified self-assessment. An organisation undertakes its own assessment of its implementation of the Cyber Essentials control themes via a questionnaire, which is approved by a senior executive such as the CEO. This questionnaire is then verified by an independent Certification Body to assess whether an appropriate standard has been achieved, and certification can be awarded. This option offers a basic level of assurance and can be achieved at low cost.
- Cyber Essentials Plus offers a higher level of assurance through external testing of the organisation’s cyber security approach. Given the more resource-intensive nature of this process, we anticipate that Cyber Essentials Plus will cost more than the foundation Cyber Essentials certification.
On successful completion a certificate is awarded. Organisations that receive a certificate will be able to display the appropriate Cyber Essentials or Cyber Essentials Plus badge.