The initiative that led to the Cyber Essentials Scheme was launched by the UK Government following its publication in 2012 of the 10 Steps to Cyber Security. The Cyber Essentials Scheme then resulted from a subsequent call for evidence on a preferred standard for cyber security; this was conducted by Government and industry, concluding in November 2013.
Government then worked with an industry consortium of Information Assurance for SMEs (IASME), the Information Security Forum (ISF) and the British Standards Institution (BSI), which collaborated on developing the requirements of the scheme. CREST was later invited to work closely with CESG to develop the technical assessment aspects of the framework, based on the specification provided by the consortium.
The Cyber Essentials Scheme represents a base-level standard that all organisations should look at meeting, and has specifically been designed with pragmatism in mind with regard to smaller organisations. The scheme distils five essential elements from the 10 Steps to Cyber Security:
- Secure configuration – essential security elements when installing and commissioning systems and networks, forming the bedrock of your security
- Boundary firewalls and Internet gateways – basic protection related to connections to the Internet
- Access control and administrative privilege management – establishing basic controls for users to safely and securely access accounts
- Patch management – the very important ongoing updating of systems to ensure that they will at least be resistant to well-known and widely prevalent attack vectors
- Malware protection – establishing a base level of protection against a range of malicious software such as viruses, worms, spyware, botnets, etc.
There are two tiers in the scheme that represent increasing rigour of assessment and standards of security:
- Cyber Essentials – essentially based on an independently checked self-assessment and a vulnerability assessment
- Cyber Essentials Plus – an independently tested and verified external and internal assessment, offering a higher level of assurance
Commissum recommends that all organisations embrace, as a minimum, the principles of this scheme, to ensure a baseline of security upon which they can build a more secure and confident business. It must be emphasised that this scheme is intended as a baseline standard and would not be appropriate for any organisation whose risk profile means it may be the target of more sophisticated cyber attacks (e.g. APT-type attacks). However, as a basis upon which to then build better security, it is an excellent way to get things moving.
We suggest that, for most smaller and third-sector organisations, a good starting point is to use the online guides to establish the basics for yourself. Available documents include:
- Summary of the Cyber Essentials Scheme
- Cyber Essentials Scheme: Requirements for basic technical protection from cyber attacks
- Cyber Essentials Test Specification (CREST document)
Commissum is able to assist organisations, through our consulting and CREST-certified services, in establishing a minimum baseline under the Cyber Essentials Scheme:
- Assess and certify you to either Cyber Essentials or Cyber Essentials Plus as appropriate
- Provide expert independent assessment, audit and advice on remediation to get you started on building a sound Information Security Management System (ISMS) with Cyber Essentials as your foundation
- Provide pointers and guidance to smaller organisations that may not be able to afford independent consulting services on how to start the process yourself using readily available online resources – you can then call on our assistance later, at whatever point in your development you feel is appropriate, to build upon your internally established foundation
Contact us today to find out how we can help you.