By Chris Blunt
Published: November 2, 2022
Eight years ago, on the 5th of June 2014, the UK Government officially launched the Cyber Essentials Scheme, but what exactly is it and how has it changed over the years?
To start off with, it’s worth saying that Cyber Essentials is a BASELINE standard: it’s the minimum standard the UK Government recommends all organisations meet. The key thing to remember is that it’s a minimum; you can, and in most cases probably should, go well beyond the basics of Cyber Essentials. The sad thing is that most organisations still don’t meet even that minimum standard!
Cyber Essentials is primarily concerned with how you protect your organisation from internet-borne threats. It’s a framework and a prescriptive set of controls for you to implement to minimise the risk to your organisation from an attack over the internet. This includes what happens when your staff are browsing the internet and accessing their email, and what you allow into your private network from the internet.
At the start of 2022 we saw the biggest overhaul of Cyber Essentials to date (known as Evendine), which brought cloud services into scope (given that most organisations now rely fairly heavily on at least one or two cloud services!), updated some of the password requirements and made a few other minor changes.
The 5 Key Areas of Cyber Essentials
The controls of Cyber Essentials can be broken down into five key areas; the questions below help you think about each of them:
- How do you secure your internet connections?
- How do you secure your devices and your software?
- How do you control access to your data and your services?
- How do you protect yourself from viruses and malware?
- How do you keep your devices and your software up to date?
Do I have to have Cyber Essentials?
Although Cyber Essentials is not [currently] a legal requirement in most cases, it is highly advisable; remember, it is the minimum recommended standard.
If you want to do any government work, including for local councils, the NHS or other government organisations, Cyber Essentials is supposed to be a contractual requirement, and you will find other organisations may also require you to hold Cyber Essentials in order to work with them. (A couple of years ago I helped a client who’d won a contract with HS2 on the basis that they had to achieve Cyber Essentials.)
If you do any work for the defence sector you are very likely to need Cyber Essentials Plus; typically, when you are asked to join JOSCAR you will be required to obtain Cyber Essentials at that point.
Over the last year the Information Commissioner’s Office (ICO) has also published a report on a solicitors’ firm that suffered a data breach; the firm was criticised for not holding Cyber Essentials when its regulating body recommended it. The Law Society also recently published a blog post recommending that all professional services organisations meet the Cyber Essentials requirements (not just the legal sector, but all professional services).
Cyber Essentials Resources
Cyber Essentials is designed to be easily accessible and cost-effective for even the very smallest businesses. The requirements and the question set are published by the National Cyber Security Centre (NCSC) and IASME (the delivery partner for Cyber Essentials).
NCSC Cyber Essentials Requirements
You can download the Government requirements for Cyber Essentials free of charge directly from the NCSC here: https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-0-January-2022.pdf
Cyber Essentials Question Workbook
You can download the question booklet free of charge from the IASME Website here: https://iasme.co.uk/wp-content/uploads/2021/11/Cyber-Essentials-only-question-booklet_vEvendine.pdf
Top Tip: Use the workbook for reference, but fill the answers in live on the assessment portal – there is no import feature…
DIY Implementation Guide to Cyber Essentials
In 2021 I published a Free Video DIY guide to Cyber Essentials on YouTube you can view that here: https://youtube.com/playlist?list=PLYeIH9PzOF_lQo87WPGI0wn0-fjOSafYg
Please note, this is based on the old question set; most of it is still relevant, but there have been some updates as mentioned above. (Also note I produced these videos under my old IT business, brokenStones, before I sold it.) An updated version will be coming in 2023!
How do I get Cyber Essentials?
There are two ways to apply for Cyber Essentials Certification.
1. Apply through the IASME website. Your assessment will be passed to a pool assessor like myself to assess and provide feedback. If you fail on the first attempt you get a second attempt; if you fail again you have to pay the full assessment fee again.
2. Apply through a certification body like Blunt Security. The fee ‘should’ be the same as applying directly through IASME (some certification bodies may charge more!). Certification bodies may also offer additional help or guidance on completing the assessment. The number of retries you get will also vary by certification body.
If you are unsure about a certification body you can always check their details on the IASME website: https://iasme.co.uk/certification-bodies/
You will find Blunt Security listed, and can search for other Certification bodies if you wish.
If you’d like to apply for Cyber Essentials through Blunt Security, please book a free Discovery call here and I can run through any questions and get you started.
Cyber Essentials provides an easy reference point for all organisations, no matter how small, to meet a basic cyber security standard.
Cyber Essentials is designed to be easy and cost-effective for small organisations to achieve; in fact, it’s often the larger organisations which struggle more, as they have more complex systems which need additional work to meet the minimum requirements set out by the UK Government. The framework and question set are available free to any organisation, so there is a very low barrier to entry; you just need to spend a little bit of time reading about it!