Not all organisations have the resources needed to address the business-critical issue of cyber security.
The UK Government’s Cyber Essentials Scheme provides a set of five controls that organisations can implement to achieve a baseline of cyber security, and against which they can be certified to prove their compliance. Addressing these five controls eliminates up to 80% of typical cyber threats.
CST is registered with IASME to assess and certify against the UK Government Cyber Essentials Scheme. CST is also licensed to advise on achieving Cyber Essentials certification, and to deliver Cyber Essentials PLUS and the IASME governance assessment and certification. We have a number of Cyber Essentials product and service options available.
Since October 2014, the UK Government has required all suppliers bidding for certain information-handling contracts to be Cyber Essentials certified, in order to provide further protection for the information the Government handles.
As well as the Government mandating the standard, it is also being used by non-government organisations to demonstrate a level of formal compliance with security best practices. Many of our customers are asked by their own customers to complete IT security questionnaires and to agree to information protection agreements. Using the Cyber Essentials scheme is a way to respond to these requests and validate their security posture to their clients.
Realising that the controls in its 2012 guide, 10 Steps to Cyber Security, were not being implemented effectively, the UK Government instigated a call for evidence on a preferred cyber security standard. In November 2013 it concluded that no individual standard met its specific requirements, and so developed the Cyber Essentials Scheme, a set of controls and implementation guidance for basic cyber hygiene against which organisations can achieve different levels of certification. Certification can be used by organisations to demonstrate to their customers and business partners that industry-minimum cyber security measures are in place, and provides evidence to validate the organisation’s security posture. It was officially launched on 5th June 2014.
All five of its requirements are also recommended as part of the “SANS Top 20” controls and the ISO 27001 standard:
1. Secure configuration
Implementing the security measures required when building and installing any computers and network devices, in order to reduce unnecessary vulnerabilities.
2. Boundary firewalls and internet gateways
Providing a basic level of protection where an organisation connects to the Internet.
3. Access control and administrative privilege management
Protecting user accounts and helping prevent misuse of privileged accounts.
4. Patch management
Keeping the software used on computers and network devices up to date, and resistant to low-level cyber-attacks.
5. Malware protection
Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware), including options for virus removal, to protect your computers, your privacy and your important documents from attack.
There are currently two levels against which organisations can be certified:
Cyber Essentials (Stage 1), which relies on self-assessment.
Cyber Essentials Plus (Stage 2), which relies on an independent (on-site) audit.
Organisations must be assessed by an accredited certification body such as CST, and must successfully complete Stage 1 prior to proceeding to Stage 2.
Once an organisation has successfully passed an assessment against either level of the scheme’s requirements it will be awarded the relevant Cyber Essentials award or 'badge' and will need annual re-assessment.
In both cases, certification reflects the state of an organisation’s cyber security only at the time of assessment. It is not proof of the ongoing effectiveness of an organisation’s cyber security. However, certification provides numerous benefits, including the opportunity to tender for business where certification to the scheme may be a prerequisite, reduced insurance premiums, and improved investor and customer confidence.
CST can help you complete Stage 1 and Stage 2: we can provide the guidance and support required, and ultimately certify you against the standard. We operate under the IASME assessment body, which means qualifying compliant businesses also receive Cyber Insurance (up to £25,000 Cyber Liability Insurance free of charge) as part of successful certification.
Call or email if you would like to know more; we would be happy to arrange an informal time with one of our scheme consultants for a more in-depth discussion.
Opinion & Resources
We are pleased to have successfully accomplished the Cyber Essentials+ certification. The scheme will provide our clients with additional confidence, and reduce risk against cyber-threats. CST assisted us in understanding the Scheme, worked with us to advance our cyber-defence posture, and undertook the assessment. Their approach was professional, efficient and pragmatic; I can highly recommend them.
Andrew Flatt CTO, Omni Partners Ltd. Dec 2017.
Omni Partners LLP is a London based hedge fund sponsor and investment management firm founded in 2004.
Business leaders will benefit from the access to helpful and authoritative cyber security guidance. Encouraging firms to adopt this scheme is a positive step towards greater awareness of cyber security and more widespread action to manage the risks.
John Cridland, Director General of the CBI
Learn what the National Audit Office has to say about Cyber Essentials and WannaCry.