Cyber Essentials (CE) is a UK government scheme that organisations can (and in some cases, must) use to certify a basic level of both IT security awareness and cyber-health. It’s mostly interested in technical controls to mitigate specific, common, cyber threats.
It is thus unlike certifications such as ISO 27001, which are more concerned with the identification of risk and allow for that risk to be mitigated in non-technical ways, e.g. with policy documents that users have to be made aware of. To take a common example, Cyber Essentials states that you must “use administrative accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks)”. Thus it’s no good if your users do log on with administrator-level accounts on a daily basis to perform those activities – it doesn’t matter if you’ve identified that as an acceptable business risk. You cannot pass CE if that is how you’re currently operating your IT.
I have been doing a fair amount of assessing and testing for both CE and CE+ recently, and thought some of the knowledge I have accrued might be of use to people who are considering getting certified. I have spent many (18) years designing and running large enterprise IT environments, and the last few years working for a cyber security training and consultancy company doing increasing amounts of security-related work. I am Tiger Scheme certified as a Qualified Security Team Member, which is a UK government penetration testing certification.
Cyber Essentials, if you ask the wrong people (i.e. security and IT product vendors), can be a licence to sell you all kinds of new hardware/software/devices, whereas in reality it’s often relatively easy to comply with what you almost certainly already have – albeit potentially with a few changes to your working practices. You probably know the things you’re currently doing that are bad, and CE might just be the prod you need to get them changed.
Look out for further articles where I’ll explain how to get CE certified for no extra charge (except the certification fee!).
Once your IT and business practices comply with all the requirements for Cyber Essentials, getting certified is simply a case of selecting a suitable Certification Body, filling in a form and paying a fee of a few hundred pounds. Assuming you’re in compliance with the requirements, and you hopefully won’t fill out the form unless you know you are, you’ll shortly be awarded your certificate, be allowed to use the Cyber Essentials logo, and be added to the publicly searchable directory. Your certification lasts for 12 months, so just before your existing certification expires you need to go through the process again, ensuring you’ve kept up to date with any new or changed requirements.
You might want to consider contacting my employers, PGI, for a quote for certification and/or consultancy.
Cyber Essentials Plus is an enhanced level of certification, where you not only have to say that you comply with the requirements for CE, but you also get tested to ensure that you comply. This testing includes vulnerability scans of your internal and external infrastructure, and of mobile devices. It is more expensive because you have to pay for a consultant to do the testing, some of which necessarily involves them being on site with you for a day or so. Note that this does not include a full penetration test: a vulnerability scan, as its name implies, just scans for vulnerabilities (e.g. missing security updates, misconfigured security settings); it does not try to exploit them.
CE+ is a bit like a cyber MOT for your organisation. It’s a reasonably standard set of tests that, if you’re in compliance, means you’re doing the basics right.
Sometimes, it can be a requirement to have CE or CE+. For example, the UK government requires “all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme”.
Is it for me?
CE is for everyone, from a sole trader to a large company. CE gives your customers and other organisations that you interact with a sense of reassurance that when it comes to cyber security, you’re getting the basics right – and are thus potentially safer to deal with than your competition.
I’ve also seen CE+ used by company directors as an easy and relatively inexpensive way to audit that their (often outsourced) IT is being managed sensibly when it comes to cyber security. Used in this way, it’s then giving a double benefit of being a good standardised benchmark to meet, and also getting a recognised certification.
For starters, if you’re even slightly technical (i.e. can use a computer for internet-based activities) you should really check out the Requirements for IT Infrastructure. You can also check out all the other information on the National Cyber Security Centre’s Cyber Essentials website. NCSC is part of GCHQ – they know what they’re talking about when it comes to cyber stuff.
You can also ask me for advice either via the Hire Me link at the top, or by leaving a comment. You could also check out the PGI Cyber Essentials page – mention my blog if you contact them!