Cyber Essentials (CE) is a government-backed cybersecurity certification scheme that sets out a baseline of cybersecurity suitable for all organisations. The scheme’s five security controls can prevent “around 80% of cyber attacks”. There are two levels of certification: Cyber Essentials and Cyber Essentials Plus.
Who is the Cyber Essentials scheme applicable to?
- Organisations that use Internet-connected systems
- Organisations that use Internet-connected end-user devices such as computers, mobile phones, printers, tablets, servers and laptops
Five key controls required for both levels of the scheme:
- Secure Configuration
- Boundary firewalls and Internet gateways
- Access controls and administrative privilege management
- Patch management
- Malware protection
With Cyber Essentials you can:
- focus on your core business objectives, knowing that you’re protected from the vast majority of common cyber attacks
- drive business efficiency, save money and improve productivity through the streamlining of processes
- reduce your insurance premiums
- increase your resistance to cyber threats
- demonstrate to clients, insurers, investors and other interested parties that you have taken the precautions necessary to reduce cyber risks
- bid for UK Government contracts that involve the handling of personal and sensitive information.
Assessment methodologies for Cyber Essentials and Cyber Essentials Plus:
- Cyber Essentials:
  - A verified self-assessment questionnaire
  - An external vulnerability scan of Internet-facing networks and applications to verify that there are no known vulnerabilities present; this extra scan provides an independently verified view of the organisation’s security posture
- Cyber Essentials Plus:
  - Includes all the assessments for the Cyber Essentials level plus an additional internal scan and on-site assessment to test:
    - the security and anti-malware configuration of each device type
    - patch levels and system configuration
    - whether the organisation’s systems are resistant to malicious email attachments and web-downloadable binaries.
The background of the Cyber Essentials scheme
The Cyber Essentials scheme is a key deliverable of the UK’s National Cyber Security Programme. Realising that the controls in its 2012 guide, 10 Steps to Cyber Security, were not being implemented effectively, the government instigated a call for evidence on a preferred cybersecurity standard. In November 2013, it concluded that no individual standard met its specific requirements, so it developed the Cyber Essentials scheme.
- Cyber Essentials delivers the basic controls that all organisations should implement to mitigate the risk from common Internet-based threats.
- The scheme provides a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken essential precautions to secure against the majority of cyber risks.
- A recent government report, UK cyber security: the role of insurance in managing and mitigating the risk, revealed plans to include Cyber Essentials certification in insurers’ risk assessments for SMEs.
- Cyber Essentials enables companies to successfully tender for government contracts; see the UK Government’s procurement policy notice for details.
The Cyber Essentials scheme is increasingly popular within the private sector; more than 1,200 organisations have adopted the scheme to date. Insurance firms have recognised that Cyber Essentials certification is a valuable indicator of a mature approach to cybersecurity and, according to a government report, Cyber Essentials certification can also contribute to the reduction of risk.