By Ian Glover, President of CREST
Both public sector and private sector organisations are beginning to realise that even if they have implemented effective cyber security controls, their suppliers may provide a weak link. So, if any organisation wants to prove to its clients that it takes security seriously, getting Cyber Essentials certification is a very good first step.
Cyber Essentials was launched in 2014 as part of the UK Government's National Cyber Security Strategy and introduces an entry-level cyber security standard that is achievable and affordable for any size of organisation across any type of business. It sets a baseline for cyber security and provides an independent assessment of the security controls that you need to have in place to mitigate risks from the most common forms of cyber threats.
Not only will your business be more secure, but displaying the Cyber Essentials ‘badge’ will demonstrate that you have taken steps to be cyber safe – giving you a distinct edge over your competitors. What’s more, the UK Government already mandates suppliers to be Cyber Essentials certified if they are bidding for contracts that involve handling sensitive and personal information.
The scheme focuses on five cyber security controls to help to reduce your company’s cyber risk. These are: boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management.
Cyber Essentials shows that an organisation has taken steps to be cyber secure but it is designed only to provide basic cyber hygiene.
The two levels of certification
The first stage in the certification process is to decide which level to certify against:
Cyber Essentials: organisations complete a self-assessment questionnaire which is reviewed by an external Certifying Body.
Cyber Essentials Plus: tests of an organisation's systems are carried out by an external Certifying Body.
Both include a questionnaire which relates to security controls and the secure configuration of an organisation’s computing resources, and a remote technical assessment to validate elements of the questionnaire.
The key differentiator for Cyber Essentials Plus is the inclusion of a technical review of the organisation’s workstations, increasing the validity of certification considerably by providing evidence of compliance against the following scenarios:
Can malicious files enter the organisation from the Internet through either web traffic or email messages?
Should malicious content enter, how effective are the anti-virus and malware protection mechanisms?
Should the organisation’s protection mechanisms fail, how likely is it that the organisation will be compromised due to failings in the patching of the organisation’s workstations?
Cyber Essentials Plus is a more thorough assessment of the organisation and so may provide greater security assurance, but does come at an additional cost.
How to get certified
Once a decision has been reached to proceed with a Cyber Essentials certification, a Certifying Body must be appointed to carry out the assessment.
Organisations have a number of certified suppliers that they can select, all of whom have to be accredited by one of these four Government-appointed organisations: CREST and IASME, who contributed to the design and development of the scheme, along with APMG Group and QG Business Solutions. You can find out more about Cyber Essentials and how to select a company to help you on the Cyber Streetwise web site at www.cyberstreetwise.com/cyberessentials/
Once an organisation has been assessed against the Cyber Essentials security criteria and passes, they will receive the relevant Cyber Essentials award (badge) based on the level of certification achieved. It is important to remember that Cyber Essentials is not a silver bullet and must instead be seen as a basic good start to becoming more secure. If an organisation is part of the supply chain, they must also understand their obligations and not become the weakest link in the chain and therefore the most logical to attack.
Ian Glover is president of CREST, the not-for-profit accreditation body for the technical information security industry.