The Cyber Essentials Scheme has been developed by the UK Government and industry to lay out the fundamental technical security controls that an organisation should have in place to defend against Internet-based threats.
Organisations can demonstrate that they have taken steps to protect their own and their clients’ data from cyber-attacks by obtaining a Cyber Essentials certification.
The scheme was launched in late 2014 and quickly adopted, with many UK Government supply chains requiring their suppliers to be certified. The requirement for Cyber Essentials is increasingly being seen in tender documents.
Cyber Essentials was born out of the UK Government’s National Cyber Security Strategy aim of making the UK a safer place to do business. The scheme is based on NCSC’s ‘10 steps to Cyber Security’ Guidance but also incorporates guidance from other key standards and bodies, including ISO 27001, IASME (Information Assurance for SMEs) and the BSI (British Standards Institute). It has been developed with technical input from industry bodies such as CREST. The scheme aims to develop a baseline standard of security accessible to companies of all sizes.
Cyber Essentials focusses on the following core areas:
- Boundary firewalls and Internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
Certification has two levels, Cyber Essentials and Cyber Essentials Plus. Your organisation can choose the level you wish to certify against.
Cyber Essentials – This introductory level of certification is based on a self-assessment questionnaire that will be validated by an external assessor.
Cyber Essentials Plus – This is a more detailed assessment where the external assessor will verify the self-assessment questionnaire with an on-site check and vulnerability assessment.
Our View of Cyber Essentials
EJC believe that Cyber Essentials provides a useful standard for organisations of all sizes to meet. The requirements are real-world, common-sense recommendations that all businesses should adopt, as they would improve security and reduce risk.
Many of the requirements on organisations are already part of EJC standard operating procedures, including when we install new computers, firewalls or servers, or set up new users. However, some may require tighter control of your infrastructure, more management oversight or a more formal approach to key processes.
We recommend that organisations wanting to achieve the standard apply for Cyber Essentials Certification and then, if wanted, progress to the more rigorous and costly Plus certification.
Our Approach to Certification
EJC have partnered with CyberSmart, the UK’s leading Cyber Essentials certification body, to deliver fast, hassle-free certification. We selected CyberSmart because they are committed to organisations successfully achieving certification, and their platform gives you the tools you need to prevent breaches, attacks and exploits through cyber awareness training, device monitoring and cyber insurance.
With CyberSmart, you can work through the certification process at your own pace, addressing gaps and then, when you are ready, making your certification submission.
Cyber Essentials is the introductory level of certification and is based on self-assessment. You can complete the self-assessment yourself, but in our experience, most clients ask EJC to do it. As your IT partner, we have the best knowledge about how your systems are configured and managed. With CyberSmart, we can complete the certification process quickly and efficiently.
