What is Cyber Essentials
The Cyber Essentials Scheme was created by the UK Government and industry working together to design a basic set of requirements that all organizations could apply with limited experience of cybersecurity. Those organizations that apply these requirements would then be able to publicly demonstrate their commitment to cybersecurity via the Cyber Essentials Badge.
The process is designed to be low cost and provide a respected minimum standard in Cyber Security.
The Scheme is designed to address the most common internet-based threats to your organization’s cybersecurity, particularly attacks that use tools that require little skill by the attacker.
Threats addressed by the scheme include:
- Hacking, using known vulnerabilities in Internet-connected devices, using tools and techniques found on the internet
- Phishing, ways of tricking users into installing or executing a malicious application, such as email attachments or downloads
- Trojan Horse installation
- Local threats from staff with excessive access privileges
- Password guessing, and brute forcing
Device in scope include:
- Desktop/Laptop PC’s (including MS Surface),
- Thin clients
- Servers and virtualised hosts
- Tablets and smartphones
- All types of network equipment (Layer 3 switches, Firewall, Routers etc.)
- Cloud Infrastructure
- Platform as a service
- Software as a service
- Platform as a service
- Infrastructure as a service
- Staff owned devices where they are used to access organizational data or services
- Other devices may also be in scope
Just some of the benefits include:
- Protecting your organization by meeting the Cyber Essentials requirements, reducing risk from 80% of cyber attacks
- Reassure your customers and other stakeholders that you are taking information security seriously
- Builds trust with suppliers
- Gain access to UK Government contracts and a growing number of commercial supply chains and thus competitive advantage
- Demonstrate you have taken key steps towards complying with UK GDPR
- Increasing resilience to and reducing the impact of a cyber attack
Cyber Essentials Basic — Self Assessment
Cyber Essentials Basic is a multi-choice self-assessment questionnaire covering the 5 core elements of the Cyber Essentials Scheme that all organizations should adhere to:
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Security update management
Your organization must ensure that it meets all the requirements. The first thing you should do is determine the boundary of scope and what systems or devices are in scope within this boundary.
Then, review all 5 technical control areas for those systems, taking action as needed to ensure that your organisation meets every requirement, throughout the scope you have determined.
If you need help determining what is in scope and what the questions mean your organization we can help.
CyberAggress do not offer direct IT support i.e. making changes to devices or configuration, but we are happy to suggest trusted providers if needed or work alongside your own as appropriate.
Cyber Essentials Portal Account
Standard features- Free but optional Insurance, providing up to £25,000 of indemnity cover for qualifying organizations
- Fast turnaround on submission
- One free retest
- Publicly accessible certification and badging
- Optional posting on social media
- Certification searchable via public register
Cyber Essentials (Micro)
Portal Access- 0-9 Staff
Cyber Essentials (Small)
Portal Access- 10-49 Staff
Cyber Essentials (Medium)
Portal Access- 50-249 Staff
Cyber Essentials (Large)
Portal Access- 250 and more
Addon: Pre-Submission Review
- Pre-Review prior to submission
- Fast turnaround
- Guidance on non-compliant findings
- Assured outcome when implemented
- This service can be used even if using an alternative certification body
Cyber Essentials Advisor Support
- 2 Hours of remote consultancy
- Talk through, walk through of the scheme requirements
- How to meet the requirements
- Guidance on non-compliant findings
- This service can be used even if you are using an alternative certification body
- Gaining certification is not a pre-requisite for this service
How to apply and the next steps
- Call 01292 811 811 or email us at cyberessentials@aggress.co.uk
- We will discuss your needs and timelines
- We will create quote for the work, and provide you with a copy of the questionnaire in spreadsheet form and reference documentation
- Portal accounts have a life span of 6 months once created, if submission is not made within 6 month you will need to re-purchase
- Cyber Essentials is an annually renewing certification (but not auto renewing)
- On acceptance of the quote, we will issue our invoice
- Within 24 hours of receipt of payment:
- If you opted for just portal access, we will create your portal account ready for submission and certification on meeting the scheme requirements, note, at no point can we guarantee a pass.
- ‘Add-ons’ such as Cyber Essentials Advisory services will rendered as appropriate.
- ‘Add-ons’ such as Pre-Review may make use of the spreadsheet questionnaire or the portal.
- After you submit your self-assessment our highly experienced assessors will mark your answers against the scheme criteria, this will typically be within 1 working day of submission but may take up to 3 working days.
- If your self-assessment meets the Cyber Essentials requirements you will receive and email with a link to your certificate and you will be able to login into the portal to download your report.
- Certification is valid for 12 months from the date of issue.
- If your self-assessment fails to meet the Cyber Essentials requirements:
- You will be able to download the report and identify any non-compliances.
- On the first attempt, you must make appropriate changes and resubmit one final attempted within 2 working days; Any further attempts will require repurchase; unless
- You take up the opportunity to contract with our experienced advisors.
Background to Cyber Essentials
Cyber Essentials Scheme was set up by the UK government in 2014 out the result of the implementation of the ’10 Steps to Cyber security’ and is now a recognized worldwide baseline standard for IT security and has been duplicated in many countries. At its core it covers 5 areas of IT and IT security controls. The scheme focuses on preventing attacks originating from the internet aimed at business IT infrastructure. These attacks come from the network boundary to the end device (PC/Laptop/Server/Smartphone etc.).
Despite what some provocateurs may say, the originators of the scheme were CESG and IASME with support of the British Standards Institution (BSI) and Information Security Forum (ISF). David Booth (ex GCHQ) who was the MD of IASME at the time (2014, now supporting the NCA) played a key part in its creation. Others such as CREST, QG temporarily played a part later in its evolution.
Cyber Essentials offers a sound foundation of basic hygiene measures that all types of business can implement and potentially build upon. Implementing these measures can significantly reduce your business’s vulnerability. However, it does not offer a silver bullet to remove all cybersecurity risk; for example, it is not designed to address more advanced, targeted attacks and hence businesses facing these threats will need to implement additional measures as part of their security strategy.
What Cyber Essentials does do is define a focused set of controls which will provide cost effective, basic cybersecurity for all sizes of business. With Cyber Essentials you get a choice over the level of assurance you wish to gain (basic/plus) and the cost of doing so.
It is important to recognize that certification only provides a snapshot of the cybersecurity practices of the business at the time of assessment, maintaining a robust cybersecurity stance requires additional measures such as a sound risk management approach, as well as ongoing updates to the Cyber Essentials control themes, such as patching and vulnerability management. It offers the right balance between providing additional assurance of a business’s commitment to implementing cybersecurity to third parties, while retaining a simple and low-cost mechanism for doing so.