Understanding Cyber Essentials
The Cyber Essentials Scheme is a UK government approved programme for businesses of all sizes to assess their cyber security and protection systems. The scheme helps you to assess what processes you have in place, to identify any vulnerabilities and then to fix any gaps.
You can complete a questionnaire yourself and have a certified third party verify your answers for you, or you can have them perform a simulated cyber attack to test your systems and then give you your results. Either of these will result in a nationally-recognised Cyber Essentials certificate. Read on to learn more.
Understanding the process
When you’ve decided to undergo the Cyber Essentials assessment, there are some things you need to do first.
The National Cyber Security Centre (NCSC), which manages the scheme along with the government, recommends using an accreditation body (e.g. IASME, CREST) and to choose the one which best aligns with your industry and business remit.
From there, you can select a certification body who will support you through the process. Each accreditation body website lists all those associated with them. The certification body will provide you with your self-assessment questionnaire, verify your answers and award you your certification.
The NCSC specially select and oversee the accreditation bodies, who in turn, audit their certification bodies and make sure the NCSC standards are being met. Audits are carried out on all bodies at least annually.
Why bother with Cyber Essentials?
ATG recommends Cyber Essentials assessment and certification for every company, no matter what industry you’re in.
We’ve written a number of blogs on why we encourage you to be verified, as well as providing support to clients going through the process.
Here are just some of the reasons we believe it’s a good investment:
- Adherence to government legislation
- Professional reputation
- Resolving vulnerabilities before a real-life attack
- Guarantees protection of company and client data
- Requirement for certain contracts, such as the Ministry of Defence
What does the assessment involve?
The Cyber Essentials assessment gives you a questionnaire to use, to look at your IT systems and all devices which connect to the internet.
There are five baseline controls to be assessed:
- Boundary firewalls and internet gateways
- Malware protection
- Patch management
- Secure configuration
- Access control
When you’ve completed the questionnaire, a certified body will review it and award your certification, once they’re satisfied that you’ve met all the requirements.
Cyber Essentials Plus involves completing the online assessment followed by a technical audit of the systems that are in-scope for Cyber Essentials.
This includes a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users, but includes the third party simulated attack too.
Depending on your regulatory or compliance requirements, Plus is not mandatory but is recommended to ensure your business is protected.
What is IASME?
The UK government has approved five companies to act as accredited bodies to assess and verify businesses in Cyber Essentials, and IASME is one of those companies.
IASME offers two levels of accreditation – Cyber Essentials and Cyber Essentials Plus. The Plus version involves an external assessor testing your systems against agreed controls, by hacking and phishing attacks, in a safe way and reporting your vulnerabilities so you can resolve them.
What is CREST?
CREST is another certifying body the government has designated as able to carry out the relevant Cyber Essentials assessments.
There are five in total, with the others being APMG, IRM and QG. They are not-for-profit industry bodies with a remit of ensuring high standards of cyber security in the technical information security industry.
As well as Cyber Essentials and Cyber Essentials Plus, CREST certified bodies can carry out tests such as a security audit and assess you for compliance, review your security policy and perform penetration testing.
Which should you choose?
Both IASME and CREST provide a list of certifying bodies which they have vetted and approved themselves. IASME also have their own standard (also government-approved), which is designed specifically for SMEs.
The audited IASME Governance (sometimes known as IASME Gold) is an independent on-site audit of the level of information security provided by your organisation. It offers a similar level of assurance to the internationally recognised ISO 27001 standard but is simpler and often cheaper for small and medium-sized organisations to implement.
The standard includes all of the five Cyber Essentials technical topics and adds additional topics that mostly relate to people and processes, for example:
- Risk assessment and management
- Training and managing people
- Change management
- Incident response and business continuity
It’s based on the industry standard for the management of information security, ISO 27001 and includes their Standard Self-Assessment (like the Cyber Essentials) and their Gold Standard (similar to the Cyber Essentials Plus). If you’re a small business, this is a good choice for you.
IASME also have expertise in assessing health organisations, including dentists, ambulance services, NHS trusts and care homes. As the health sector suffers the most from data security incidents, and because of the sensitive nature of that data, it’s vital that anyone within it are aware of the risks and can protect their information.
They can also support companies looking to tender for MoD contracts, which requires answering additional governance questions for any projects which have some level of risk attached to them. You can find out more about Cyber Essentials for defence contracts here.
The IASME governance self-assessment questions are thought to prepare you well for the questions you will need to answer for low-risk project levels and above. The Defence Cyber Protection Partnership ranks the risk level of every project it puts out to tender, which we explain in another blog on the topic.
As we’ve said, CREST focuses on the technical information security industry, so if your business operates in this sector or contracts with companies within it, CREST accreditation is ideal.
At ATG, we align ourselves with SMEs and work to help them be safe from cyber attacks and other vulnerabilities. This is why we chose to offer IASME. Their certification bodies support organisations across industries, from health care to manufacturing.
For more information on Cyber Essentials and the accreditation process, download our guide: Cyber Essentials: Small Business Guide.