CYBER ESSENTIALS

– certify your organisation against cyber attacks –

What is Cyber Essentials?

Cyber Essentials is a government-backed cyber security certification scheme that implements basic levels of protection against Internet-based threats. Under this scheme organisations can apply for a badge which recognises the achievement of government-endorsed standards of cyber security. Cyber Essentials is designed for organisations of all sizes, and in all sectors.

Why should you get Cyber Essentials?

The primary aim of the scheme is to encourage organisations to adopt best practices in their information security strategy, offering a mechanism to demonstrate that they have taken essential precautions to secure against the majority of cyber risks.

Having a Cyber Essentials Certification will:

  • Protect your organisation against common cyber threats
  • Show your customers you take this issue seriously and make every effort to protect data
  • Enable you to bid for Government contracts
  • Help you have a wide perspective of your organization’s security defences
  • Help you to address other compliance requirements such as the EU General Data Protection Regulation
  • Reduce insurance premiums as a CE certification provides a valuable signal of reduced risk for insurers

Cyber Essentials assurance framework

Cyber Essentials includes an assurance framework and identifies some fundamental technical security controls that an organisation needs to have in place within their IT systems to protect information from threats coming from the internet.

The scheme focuses on the following five essential technical controls:

Firewalls

All devices connected to the internet should be protected by firewalls to prevent unauthorised access to your internal network. Corporate and user-owned devices (BYOD), including those used by home workers, should also be protected even when they are not connected to the organisation's internal network.

Secure configuration

Security measures should be implemented when building and installing computers and network devices in order to minimise the number of inherent vulnerabilities. A secure configuration ensures each device discloses only the minimum information about itself to the internet and provides only the services required to fulfil its intended function. All cloud services used by your company should be secured and protected by MFA (multi-factor authentication).

User access control

The purpose of access control is to ensure that user accounts are assigned only to authorised individuals and at the appropriate level. There must be a separation between user and administrative accounts, with standard activities such as emailing and web browsing avoided on admin accounts.

In the new Evendine question set, tests are introduced to ensure that two-factor authentication is in force for access to data stored with all cloud providers. This can be Microsoft 365 or other providers such as Sage or Dropbox.

There must also be clear account separation between administrative accounts and standard user accounts. It is no longer acceptable to work as an administrator for day-to-day tasks. This applies equally to local and domain admins. There will be tests to check that all administrators work on a day-to-day basis as a standard user.

Malware protection

Computers connected or exposed to the internet can be infected with malware, and dedicated software is required to monitor, detect and disable malware. The anti-malware software should be set to update by default. Only applications on an approved list should be installed on company devices, including BYOD (bring your own device).

Security update management

A patch management strategy is required to ensure the latest supported version of each application is used, so that vulnerabilities can be found and fixed. All high-risk or critical security updates for operating systems should be installed within 14 days of release. All software and firmware must be in support and have security patches applied within 14 days.
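The 14-day rule above can be checked mechanically against a software inventory. The following is an added example, not code from the original page or from the certification scheme; the inventory, software names and dates are constructed, and it treats out-of-support software and not-yet-installed updates as the two edge cases the control calls out.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials requirement: high-risk or critical security updates are
# applied within 14 days of release, and all software must be in support.
PATCH_WINDOW = timedelta(days=14)


@dataclass
class SoftwareRecord:
    name: str
    supported: bool                  # vendor still issues security patches
    patch_released: Optional[date]   # latest high-risk/critical update (None: nothing outstanding)
    patch_installed: Optional[date]  # date that update was installed (None: not yet installed)


def assess(record: SoftwareRecord, today: date):
    """Return (compliant, reason) for one record against the 14-day rule."""
    if not record.supported:
        return False, "out of support: no security patches are available"
    if record.patch_released is None:
        return True, "no outstanding high-risk or critical update"
    deadline = record.patch_released + PATCH_WINDOW
    if record.patch_installed is None:
        if today > deadline:
            return False, f"update not installed and deadline {deadline} has passed"
        return True, f"update pending; {(deadline - today).days} day(s) remain"
    lag = (record.patch_installed - record.patch_released).days
    if record.patch_installed > deadline:
        return False, f"installed {lag} days after release (limit 14)"
    return True, f"installed {lag} days after release"


def assess_inventory(records, today: date):
    """Map each software name to its (compliant, reason) verdict."""
    return {r.name: assess(r, today) for r in records}


# Constructed sample inventory and assessment date (hypothetical, not real data).
TODAY = date(2024, 3, 1)
SAMPLE = [
    SoftwareRecord("desktop-os", True, date(2024, 2, 10), date(2024, 2, 20)),
    SoftwareRecord("office-suite", True, date(2024, 2, 1), date(2024, 2, 25)),
    SoftwareRecord("router-firmware", True, date(2024, 2, 25), None),
    SoftwareRecord("legacy-accounts", False, None, None),
    SoftwareRecord("browser", True, None, None),
]

if __name__ == "__main__":
    for name, (ok, why) in assess_inventory(SAMPLE, TODAY).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {why}")
```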

Certification options

There are two levels of Cyber Essentials certification available:

CYBER ESSENTIALS – An independently verified self assessment

Organisations assess themselves against the five basic security controls by filling in a questionnaire. The information provided is verified by us, and if there is sufficient confidence that the controls have been effectively implemented, a certificate is awarded. Certification at this stage provides a basic level of confidence that the controls have been implemented correctly, and relies on the organisation having the skills to respond appropriately to the questionnaire.

CYBER ESSENTIALS PLUS – A higher level of assurance

A qualified and independent assessor examines the same five controls, testing that they work in practice by simulating basic hacking attacks. The Cyber Essentials Plus certification includes all of the assessments for the Cyber Essentials certification, plus an additional internal scan and some on-site checks and vulnerability assessments. We carry out tests of the systems using a range of tools and techniques and, if the tests are successful, award the Cyber Essentials Plus certificate.

* To complete Cyber Essentials Plus, companies must have gained the basic Cyber Essentials certification within the last 90 days, or obtain both at the same time.

How you can get certified

SELF-SUPPORTED – Any organisation that has knowledge of the five security controls and is comfortable carrying out all of the preparation for certification can complete the self-assessment questionnaire.

WITH EXPERT GUIDANCE AND SUPPORT – For organisations that have difficulty defining their scope, have little or no knowledge of the five controls, or have complex organisational structures, we can provide up to 0.5 days of consultancy for Cyber Essentials Basic and 2 days of expert consultancy for Cyber Essentials Plus to help you achieve the standard. We will identify the key areas to address and help you complete the questionnaire.

The process of getting certified

STAGE 1
    • STEP 1
      Organisation identifies the systems it believes are at risk of external compromise, defining the scope of Cyber Essentials
    • STEP 2
      Organisation self-assesses that the systems identified meet the requirements
    • STEP 3
      Organisation fills in the self-assessment questionnaire, which is signed by the CEO
    • STEP 4
      The assessment is independently verified by us
    • STEP 5
      If you pass, the Cyber Essentials Certificate is issued

STAGE 2
    • STEP 6
      Tests of the systems are carried out on site by us using a range of tools and techniques
    • STEP 7
      If you pass, the Cyber Essentials Plus Certificate is issued

In addition to the Cyber Essentials certification route, organisations can obtain certification to the IASME Standard, which includes aspects of basic information security governance and also the GDPR assessment elements.

We are a Cyber Essentials Certification Body

We provide all the tools and resources needed to achieve accredited certification at both levels of the Cyber Essentials scheme.