Cyber Essentials is a United Kingdom certification scheme designed to show that an organisation has a minimum level of protection in cyber security; certification is maintained through annual assessments.
Backed by the UK government and overseen by the National Cyber Security Centre (NCSC), it encourages organisations to adopt good practices in information security. [1] Cyber Essentials also includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet.
The certification underwent substantial changes in January 2022 which included bringing all cloud services into scope and changes to the requirements on multi-factor authentication, passwords and pins. [2]
The Cyber Essentials program provides two levels: the first is self-certification and the second requires independent validation of the claims made. [3] [4]
Commonly referred to as "mark your own homework", [5] the first level has organisations self-assess their systems and then complete an online assessment. The online assessment is marked by a Cyber Essentials Assessor, who provides feedback on any areas where improvements could be made.
There is no independent validation of the accuracy of the answers at this level.
The cost for Cyber Essentials starts from £300 and is subject to VAT in the UK. The pricing model is tiered based on the number of employees; more information can be found on the IASME website.
Cyber Essentials Plus is the same as the basic level but with independent validation by an accredited third party.
Systems are independently tested, and Cyber Essentials is integrated into the organisation's information risk management.
The cost for the Plus accreditation depends on the complexity of the environment, but for a simple SME it would typically be around £1,400 and is subject to VAT within the UK. [6]
IASME has incorporated Cyber Essentials into the wider IASME information assurance standard. [7]
As with ISO/IEC 27001, organisations may choose to limit the scope of certification to a certain subset of their business and this must be disclosed on their certificate.
The five technical controls are:
Cyber Essentials guidance breaks these down into finer detail.
These controls can be mapped against the controls required by ISO/IEC 27001, the Standard of Good Practice for Information Security, and IASME Governance, [8] although Cyber Essentials has a narrower focus, emphasising technical controls rather than governance, risk, and policy.
The Cyber Essentials scheme was launched on 5 June 2014. Several organisations were quickly certified by the end of June. [9] Since October 2014, Cyber Essentials certification has been required for suppliers to the central UK government who handle certain kinds of sensitive and personal information. [10] This is intended to encourage adoption by businesses wishing to bid for government contracts. [11] Insurers have suggested that certified bodies may attract lower insurance premiums. [12] Over 30,000 Cyber Essentials certificates have been awarded to businesses and organisations. [13]
It was developed in collaboration with industry partners, including the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME), and the British Standards Institution (BSI), and it is endorsed by the UK Government. [14] It was launched in 2014 by the Department for Business, Innovation and Skills. [15]
After the WannaCry ransomware attack, NHS Digital refused to finance the £1 billion which was the estimated cost of meeting the Cyber Essentials Plus standard, saying this would not constitute value for money and that it had invested over £60 million and planned to spend a further £150 million to address key cyber security weaknesses over the next two years. [16]
As of September 2019, there were five accreditation bodies: APMG, CREST, IASME, IRM Security and QG. [17]
Since April 2020, IASME has been the sole Cyber Essentials Scheme accreditation body, having been chosen for that role by the National Cyber Security Centre (NCSC).
In January 2022 the pricing model will change to a tiered model based on the number of employees; this is to better reflect the more complex nature of assessing larger organisations. [18] Cloud services, BYOD, home working, thin clients and MFA will see big changes as part of the assessment. [19]
The Common Criteria for Information Technology Security Evaluation is an international standard for computer security certification. It is currently in version 3.1 revision 5.
CISSP is an independent information security certification granted by the International Information System Security Certification Consortium, also known as ISC2.
BS 7799 was a standard originally published by BSI Group (BSI) in 1995. It was written by the United Kingdom Government's Department of Trade and Industry (DTI), and consisted of several parts.
Accreditation is the independent, third-party evaluation of a conformity assessment body against recognised standards, conveying formal demonstration of its impartiality and competence to carry out specific conformity assessment tasks.
IT security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.
The British Standards Institution (BSI) is the national standards body of the United Kingdom. BSI produces technical standards on a wide range of products and services and also supplies certification and standards-related services to businesses.
The ISO/IEC 27000-series comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO/IEC 27006 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Part of the ISO/IEC 27000 series of ISO/IEC Information Security Management System (ISMS) standards, it is titled Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems.
The ISO/IEC 27001 Lead Auditor certification consists of a professional certification for auditors specializing in information security management systems (ISMS) based on the ISO/IEC 27001 standard and ISO 19011.
ISO/IEC 27001 Lead Implementer is a professional certification for professionals specializing in information security management systems (ISMS) based on the ISO/IEC 27001 standard. This professional certification is intended for information security professionals wanting to understand the steps required to implement the ISO/IEC 27001 standard.
The United Kingdom Accreditation Service (UKAS) is the sole national accreditation body recognised by the British government to assess the competence of organisations that provide certification, testing, inspection and calibration services. It evaluates these conformity assessment bodies and then accredits them where they are found to meet relevant internationally specified standards.
IEC 62443 is an international series of standards that address cybersecurity for operational technology in automation and control systems. The standard is divided into different sections and describes both technical and process-related aspects of automation and control systems cybersecurity.
The Chartered Institute of Information Security (CIISec), formerly the Institute of Information Security Professionals (IISP), is an independent, not-for-profit body governed by its members, with the principal objective of advancing the professionalism of information security practitioners and thereby the professionalism of the industry as a whole.
IASME Governance is an Information Assurance standard that is designed to be simple and affordable to help improve the cyber security of Small and medium-sized enterprises (SMEs).
The cyber security community in the United Kingdom is diverse, with many stakeholder groups contributing to support the UK Cyber Security Strategy. The following is a list of some of these stakeholders.
ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. The effectiveness of the ISO/IEC 27001 certification process and the overall standard has been addressed in a large-scale study conducted in 2020.
eCOGRA is a London-based testing agency and standards organisation in the realm of online gambling. The company was established in 2003 in the United Kingdom at the behest of the online gaming industry as the first industry self-regulation system. eCOGRA is a testing laboratory, inspection body, and certification body, specializing in the certification of online gaming software and the audit of Information Security Management Systems.
Ian Bryant is a British academic, engaged in promoting Trustworthy Software and Systems, and in Standardisation.
SS 584 is an information security standard, published by Singapore Standards. The standard was last revised in 2015.
The Cyber Assessment Framework (CAF) is a mechanism designed by the NCSC for assuring the security of organisations. The CAF is tailored towards the needs of Critical National Infrastructure, to meet the NIS regulations, but its objectives can be used by other organisations.