Cyber Essentials
Cyber Essentials is a United Kingdom certification scheme designed to show that an organisation has a minimum level of protection in cyber security, with annual assessments required to maintain certification.
It is backed by the UK government and overseen by the National Cyber Security Centre (NCSC), and it encourages organisations to adopt good practices in information security.[1] Cyber Essentials also includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet.
The certification underwent substantial changes in January 2022, which included bringing all cloud services into scope and changes to the requirements on multi-factor authentication, passwords and PINs.[2]
Certification
The Cyber Essentials program provides two levels; the first is self-certification and the second requires independent validation of claims made:[3][4]
Cyber Essentials
Commonly referred to as "mark your own homework",[5] this level has organisations self-assess their systems and then complete an online assessment. The online assessment is marked by a Cyber Essentials Assessor who provides feedback on any areas where improvements could be made.
There is no independent validation of the accuracy of the answers at this level.
The cost for Cyber Essentials starts from £300 and is subject to VAT in the UK. The pricing model is tiered based on the number of employees and more information can be found on the IASME website.
Cyber Essentials Plus
This level is the same as the basic level but with independent validation by an accredited third party.
Systems are independently tested, and Cyber Essentials is integrated into the organisation's information risk management.
The cost for the Plus accreditation depends on the complexity of the environment, but for a simple SME it would typically be around £1,400, and it is subject to VAT within the UK.[6]
IASME has incorporated Cyber Essentials into the wider IASME information assurance standard.[7]
As with ISO/IEC 27001, organisations may choose to limit the scope of certification to a certain subset of their business, and this must be disclosed on their certificate.
Controls
The five technical controls are:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
Cyber Essentials guidance breaks these down into finer details.
These controls can be mapped against the controls required by ISO/IEC 27001, the Standard of Good Practice for Information Security, and IASME Governance,[8] although Cyber Essentials has a narrower focus, emphasising technical controls rather than governance, risk, and policy.
History
The Cyber Essentials scheme was launched on 5 June 2014. Several organisations were quickly certified by the end of June.[9] Since October 2014, Cyber Essentials certification has been required for suppliers to the central UK government who handle certain kinds of sensitive and personal information.[10] This is intended to encourage adoption by businesses wishing to bid for government contracts.[11] Insurers have suggested that certified bodies may attract lower insurance premiums.[12] Over 30,000 Cyber Essentials certificates have been awarded to businesses and organisations.[13]
It was developed in collaboration with industry partners, including the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME), and the British Standards Institution (BSI), and it is endorsed by the UK Government.[14] It was launched in 2014 by the Department for Business, Innovation and Skills.[15]
After the WannaCry ransomware attack, NHS Digital refused to finance the £1 billion which was the estimated cost of meeting the Cyber Essentials Plus standard, saying this would not constitute value for money and that it had invested over £60 million and planned to spend a further £150 million to address key cyber security weaknesses over the next two years.[16]
As of September 2019, there were five accreditation bodies including APMG, CREST, IASME, IRM Security and QG.[17]
IASME was chosen by the National Cyber Security Centre (NCSC) to be the sole Cyber Essentials Scheme Accreditation body beginning in April 2020.
In January 2022 the pricing model will change to a tiered model based on the number of employees; this is to better reflect the more complex nature of assessing larger organisations.[18] Cloud services, BYOD, home working, thin clients and MFA will see big changes as part of the assessment.[19]
See also
- CESG
- Cyber Assessment Framework
- GovAssure
- Government Digital Service
- Government Security Classifications Policy
- IASME
- ISO/IEC 27001
- NCSC
- UK cyber security community
- UK Cyber Security Forum
References
- [1] "Government scheme shows who can be trusted on cyber security". Telegraph. 5 June 2014. Retrieved 1 July 2014.
- [2] "Cyber Essentials: Requirements for IT infrastructure Version 3.0" (PDF). National Centre for Cyber Security. 29 November 2021. Retrieved 26 December 2021.
- [3] "Cyber Essentials Scheme Assurance Framework" (PDF). HM Government. Retrieved 1 July 2014.
- [4] stevevi. "UK Cyber Essentials Plus - Azure Compliance". docs.microsoft.com. Retrieved 2021-08-20.
- [5] Raywood, Dan (2017-11-17). "Cyber Essentials: Fad or Future". Infosecurity Magazine. Retrieved 2021-02-08.
- [6] "Frequently Asked Questions - Iasme". iasme.co.uk. Retrieved 2021-02-08.
- [7] "Cyber Essentials Scheme – IASME". www.iasme.co.uk. Retrieved 2016-09-07.
- [8] "Requirements for basic technical protection from cyber attacks" (PDF). HM Government. Retrieved 1 July 2014.
- [9] "First seven SMEs bite on Government's flagship Cyber Essentials scheme". Computer World. 30 June 2014. Retrieved 1 July 2014.
- [10] "Cyber essentials scheme: overview". GOV.UK. Retrieved 1 July 2014.
- [11] "Cyber risk and the UK's Cyber Essentials Scheme". Computer Weekly. June 2014. Retrieved 1 July 2014.
- [12] "Government launches Cyber Essentials security scheme". 6 June 2014. Retrieved 1 July 2014.
- [13] "Matt Hancock's Cyber Security Speech". 27 March 2017. Retrieved 7 July 2017.
- [14] "Cyber Essentials Scheme" (PDF). HM Government. Archived from the original (PDF) on 13 June 2016. Retrieved 9 September 2016.
- [15] "'Cyber Essentials' scheme launched". ICO. Archived from the original on 25 June 2014. Retrieved 1 July 2014.
- [16] "Health chiefs refuse to foot £1bn bill to improve NHS cyber security". Building Better Healthcare. 15 October 2018. Retrieved 27 November 2018.
- [17] "Cyber Essentials - OFFICIAL SITE". www.ncsc.gov.uk/cyberessentials/overview. Retrieved 2023-05-05.
- [18] "Cyber Essentials to adopt tiered pricing structure from 2022". www.ncsc.gov.uk. Retrieved 2021-12-18.
- [19] Muncaster, Phil (2021-11-30). "Cyber Essentials Set for Major Changes in 2022". Infosecurity Magazine. Retrieved 2021-12-18.