Organisations can demonstrate that they have taken steps to protect their own and their clients’ data from cyber-attacks by obtaining a Cyber Essentials certification.
The scheme was launched in late 2014 and quickly adopted, with many UK Government supply chains requiring their suppliers to be certified. The requirement for Cyber Essentials is increasingly being seen in tender documents.
Cyber Essentials was born out of the UK Government’s National Cyber Security Strategy aim of making the UK a safer place to do business. The scheme is based on NCSC’s ‘10 steps to Cyber Security’ Guidance but also incorporates guidance from other key standards and bodies, including ISO 27001, IASME (Information Assurance for SMEs) and the BSI (British Standards Institute). It has been developed with technical input from industry bodies such as CREST. The scheme aims to develop a baseline standard of security accessible to companies of all sizes.
Cyber Essentials focusses on the following core areas:
- Boundary firewalls and Internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
Certification has two levels, Cyber Essentials and Cyber Essentials Plus. Your organisation can choose the level you wish to certify against.
Cyber Essentials – This introductory level of certification is based on a self-assessment questionnaire that will be validated by an external assessor.
Cyber Essentials Plus – This is a more detailed assessment where the external assessor will verify the self-assessment questionnaire with an on-site check and vulnerability assessment.
Our View of Cyber Essentials
EJC believe that Cyber Essentials does provide a useful standard for organisations of all sizes to meet. The requirements are real-world, common-sense recommendations that all businesses should adopt, as they would improve security and reduce risk.
Many of the requirements on organisations are already part of EJC standard operating procedures, including when we set up new computers, firewalls, servers or users. However, some may require tighter control of your infrastructure, more management oversight or a more formal approach to key processes.
We recommend that organisations wanting to achieve the standard apply for Cyber Essentials certification and then, if wanted, progress to the more rigorous and costly Plus certification.
Our Approach to Certification
EJC have selected 7 Elements, an independent technical information assurance consultancy, as our preferred assessor for clients wanting to achieve Cyber Essentials certification. We selected 7 Elements because they are committed to organisations achieving the standard and to working with EJC so that we can address identified gaps. You can view their website here: https://www.7elements.co.uk/services/cyber-essentials/
Cyber Essentials is the introductory level of certification and is based on self-assessment. As your IT partner, we have the best knowledge about your environment and can complete the certification process quickly and efficiently.