Do I need Cyber Essentials for Defence Contracts?

Do I need Cyber Essentials for Defence Contracts?

Every business in the UK has a legal responsibility to protect any data they hold on individuals, a requirement which has become more important since the introduction of the GDPR legislation last year.

Cyber Essentials is a government-approved certification scheme, which tests your data security system, helps you identify and fix any gaps you may have, and shows you’re committed to best practice.

Cyber Essentials requires you to assess your security processes against a checklist which is then verified for you, and Cyber Essentials Plus uses an outside party to test systems to simulate a hack or other malware attack. The Cyber Essentials testing starts at around £400+VAT.

There are a number of approved assessment companies which you can use to help you to secure certification. ATG supports clients to secure the certifications, and we recommend reassessing every 12 months.

However, our involvement doesn’t stop there. We offer ongoing support throughout the year to help protect your business against attacks and constant monitoring to proactively identify threats, so you know that you’re always compliant and keeping data safe.

You can be confident in our expertise, as our own business is Cyber Essentials Plus certified. Furthermore, we also have the IASME standard – recognised by the government as ‘the best cyber security standard for small companies’ and based on international best practice for security and backup.

Risks to Your Business

Apart from the legal implications of being non-compliant, there is also the potential for damage to your professional reputation. Customers and suppliers want to be assured that you’re taking your responsibilities seriously and securing their data properly.

Cyber attacks are increasing, with smaller companies equally as likely to be targeted as multinationals. Any kind of data breach or attack makes you vulnerable, not only because information may be lost or access to it restricted, but because of the time it takes to restore that data and the subsequent loss of earnings.

If you are part of a supply chain, there is also the possibility that criminals will seek to cause damage to all of the businesses within it by attacking the weakest link. Smaller companies are more vulnerable and therefore chosen by the attackers as a way to get to the larger companies.

To prevent any threats to yourself and also to protect those you work within the supply chain, you need to have robust systems in place, and to check these regularly. Cyber Essentials certification will also ensure that if someone else in the chain is attacked, your data will be safe.

Ministry of Defence Cyber Security Requirements

There are also specific requirements if you hope to be part of The Ministry of Defence (MOD) supply chain. Their version of Cyber Essentials is known as the Cyber Security Model, which came about after the MOD and key suppliers in the business world formed the Defence Cyber Protection Partnership (DCPP) to improve cyber defence.

As of January 2016, the MOD has required all partners to have the Cyber Essentials certification at the start of the working relationship, and to renew this annually. Wherever possible, partner companies need to be able to demonstrate that this is in place throughout the supply chain of every other business that supports them with a MOD contract.

The MOD have developed the Defence Assurance Risk Tool (DART) to help them identify potential cybersecurity risks and to enable them to support partners to protect against threats and to demonstrate their commitment to security.

The Cyber Security Model carries out a risk assessment on each new contract opportunity that goes out to tender and assigns it a risk profile to decide what the requirements are for suppliers to meet. Cyber Essentials is the appropriate level for low risk; anything higher requires Cyber Essentials Plus certification.

The five risk profiles as set out by the MOD are: not applicable, very low, low, moderate or high. Each of these has a risk control requirement, ranging from only one control to 44 controls at different levels.

Understanding the Risk Profiles

Level Threat Example Contract
Not applicable No or minimal cyber risk MOD expects this will rarely apply
Very low Hacking or phishing Purchasing commodities or essential services
Low Ransomware Anything involving official information, purchasing non-military basic parts
Moderate Persistent, targeted and skilled attacks Relating to official, sensitive information or personal data
High Well-organised, sophisticated APT (advanced, persistent threats), potentially over a long period of time Secret information and above, essential support of key military capability


To find out more about Cyber Essentials and why you need it in your business, download our Cyber Essentials Business Guide.

Here at ATG, we have recently renewed our Cyber Essentials(+) and IASME certification, we are also assessors for both accreditations. So if you wish to let us manage your compliance, simply fill out the form below and one of our representatives will get in touch.

Related Content