What is Cyber Essentials?
The Cyber Essentials Scheme is a cyber-security standard governed by the National Cyber Security Centre (NCSC) to ensure that organisations adhere to a baseline of good practice in information security and protect themselves against common internet threats. It is flexible enough to be applied to organisations of any size and in any sector, and is a widely recognised way to show that an organisation takes security seriously.
Additionally, being certified for Cyber Essentials is now mandated for businesses that require access to UK Government information.
According to research carried out by Lancaster University, the Cyber Essentials controls would have mitigated 99% of the vulnerabilities found in the SMEs studied, showing how beneficial the scheme can be to organisations.
There are two certification options, Cyber Essentials (CE) and Cyber Essentials Plus (CE+). Both assess the same controls. CE has predominantly been a self-assessment that is marked by an assessor from a certifying body, whereas CE+ requires an assessor to independently validate that the controls claimed in the CE self-assessment are actually in place.
Organisations are assessed against five key controls to determine whether they are compliant. These are:
- Access Control
- Malware Protection
- Patch Management
- Secure Configuration
- Boundary Firewalls & Internet Gateways
What is changing?
A move to a single CE Partner naturally brings changes to the scheme. The below highlights the key changes from April 2020:
Accreditation Body
The biggest and most obvious change to the scheme is the selection of IASME as a partner rather than the use of five different accreditation bodies. This should ensure there is a more consistent approach to assessing CE between certifying bodies.
Assessments
The assessments themselves remain for the most part similar to those carried out pre-April 2020. The most notable change is to the core CE certification: from April, this consists only of a self-assessment questionnaire, meaning that an external vulnerability scan is no longer part of CE. The self-assessment now includes more 'free text' answers than organisations may be used to from previous accreditation bodies, encouraging more communication between the assessor and the organisation being assessed so that all assessment criteria are appropriately met.
The CE+ certification also has minor changes, with more in-depth scans being carried out as part of the assessment to ensure internet-facing infrastructure is sufficiently covered.
An organisation now has to pass the CE assessment before it can take the CE+ assessment, and the CE certificate must have been obtained within the previous three months. Organisations can be assessed for CE and CE+ concurrently, provided they pass the CE assessment first.
If a CE assessment is failed, an organisation has two days to remediate the issues in order to be eligible for a retest; otherwise it will have to wait a month before being reassessed for CE.
If a CE+ assessment is failed, an organisation has 30 days to remediate the issues. If they are not remediated in this period, the CE+ assessment is failed and the CE certificate is also revoked.
Certification
If an organisation is successful in obtaining CE or CE+ certification, the certificate remains valid for only a year from the date of passing. This encourages the controls to be maintained rather than implemented just to pass the initial assessment.
How can Context help?
As a certifying body, Context is in a position to certify organisations for both CE and CE+, and our consultants have the experience required to carry out both assessments. With expertise in advisory and assurance, Context can also provide consultancy on how the baseline controls can be expanded upon. This gives organisations further insight into their security posture and allows improvements to be suggested going forward.