What Is Cyber Essentials

What Is Cyber Essentials: Understanding The Assessment

Cyber Essentials is an information security compliance audit developed by the UK government’s National Cyber Security Centre (NCSC) and currently implemented by the IASME Consortium.

The goal of Cyber Essentials is to provide an accessible and affordable certification standard that all businesses can align with, and to help improve information security by protecting against the most common cyber attacks and cyber risks.

The primary aim of the assessment is to keep businesses safe from the vast majority of common cyber attacks and to reduce the likelihood of a security incident occurring.

    The IASME Consortium

    The IASME Consortium was established to educate and train other businesses, improve their information security standards, and provide knowledge and awareness of the cyber threats that businesses can face.

    IASME has developed a range of cyber security standards, training programs, and qualifications that can help individuals and organizations align with recommended best practices, improve their information security management, and demonstrate their knowledge and experience with cyber security practices.

    National Cyber Security Centre (NCSC)

    The NCSC is the UK government organization for defining and managing information security controls and standards for both private and public sectors.

    The NCSC’s aim is to improve security standards throughout the UK and to help companies protect themselves from the increasing number of cyber threats.

    Working with IASME, they continue to develop Cyber Essentials as an information security compliance standard that is accessible for all business types and sizes, including small and medium-sized organizations.

    Information Security Compliance Standards

    An information security standard can define a range of requirements for a business to align with, such as:

    • Configuration settings for devices and services
    • Policies and procedures that companies should follow
    • Risk and threat assessments that organizations should conduct
    • Logging, monitoring, and reporting requirements that companies should meet
    • Documentation that businesses should maintain
    • Security testing methods that a business should conduct
    • External audits and checks which a company may need to carry out annually

    Existing Information Security Standards

    A number of information security compliance standards have been developed over time, and are utilized by businesses, such as the following:

    Issues With Existing Security Standards

    However, there are limitations with some of the existing cyber security standards, such as:

    • Some existing cyber security standards are defined as recommendations only and provide no tangible method of evidencing that the standards are in place.
    • Other security standards are targeted towards larger organizations, with dedicated departments, employees, and software focused on implementing and maintaining different cyber security controls.
    • Other standards, such as ISO 27001, can assess a company’s policies and procedures, but are often relatively expensive, particularly for small businesses that may have limited budgets and experience with managing cyber security.

    Developing The Cyber Essentials Scheme

    Cyber Essentials has been developed as a security standard to address many of these common issues and to make the certification more accessible to all businesses:

    • Cyber Essentials applies to businesses of all types and sizes, without requiring dedicated tools, departments, or employees to manage its requirements.
    • The Cyber Essentials standard is also intended to be relatively inexpensive compared with other certification standards, to make the certification process accessible to the majority of businesses.
    • When a company achieves Cyber Essentials certification, it can also embed the certification logo in its website and advertise using the issued certificate to demonstrate its commitment to information security.

    The Cyber Essentials Certification Scheme

    Cyber Essentials is split into two separate certifications: Cyber Essentials and Cyber Essentials Plus.

    Although the requirements for both assessments are the same, the method of verification changes between the two certification standards.

    • Cyber Essentials is reviewed by an external auditor using a questionnaire completed by the business, describing how its information security controls compare with the Cyber Essentials requirements.
    • Cyber Essentials Plus is assessed through a series of practical vulnerability tests conducted by a qualified external auditor, which are designed to test how well a business aligns with the Cyber Essentials requirements.

    As Cyber Essentials Plus requires a practical assessment, it is considered a higher level of verification and assurance that a company has aligned with the required information security standards.

    To certify to the Cyber Essentials Plus standard, a business must first certify against Cyber Essentials, reflecting the increased audit and verification requirements of Cyber Essentials Plus.

    The Cyber Essentials Five Basic Security Controls

    The Cyber Essentials security controls are divided into five technical controls. Each of these basic security controls is assessed within both the questionnaire and the practical tests, and they consist of:

    • Firewalls reviews how your company manages the security of your access point to the internet, which is typically a router or firewall.
    • Secure Configuration reviews how your business ensures that your devices and services meet a minimum set of security requirements and are protected from common cyber attacks.
    • Security Update Management assesses how often your company checks for and applies available updates for your devices to ensure your systems do not become vulnerable over time.
    • User Access Control analyzes how your organization manages the creation, change, and removal of user accounts over time, as well as the controls your company has in place for account permissions and admin accounts.
    • Malware Protection is a review of your company’s protection against unknown and potentially malicious software that may be downloaded onto your devices from websites or emails.

    Why Certify To The Cyber Essentials Scheme

    The Cyber Essentials scheme has several known benefits to organizations that are able to certify to the requirements.

    In addition to general improvements to a company’s information security controls, the certification process can also help organizations with the following:

    • Maintaining an information security certification and using it as part of your advertising material can help to develop trust and assurance with your existing client base and with potential new business partners.
    • When working with organizations in both the private and public sector, there is often a set of supplier requirements that a business must align with. Maintaining an information security standard is a common supplier requirement, and maintaining a Cyber Essentials certificate can be a relatively straightforward method of demonstrating your information assurance.
    • The Cyber Essentials certification process can help a business understand a set of common risks and oversights in its current cyber security management, which can help it to improve its overall cyber security posture and address these risks.
    • There is a range of UK government contracts that are only available for companies to bid on after they achieve Cyber Essentials certification. In addition to improving cyber security, the certification process can therefore help businesses win additional work for their company.
    • Protection from the most common cyber attacks is incorporated into the Cyber Essentials tests, so aligning with the standard can provide assurance to you, your directors, and your stakeholders that your security controls are effective at protecting your organization from cyber security risks.

    The Cyber Essentials Certification Process

    To certify against the Cyber Essentials scheme, there are several steps to complete as part of the process.

    • Your company should ensure that each device, service, and account in use within your business is accounted for and that each one aligns with the Cyber Essentials requirements.
    • Documented policies and procedures should be in place as defined within the Cyber Essentials specifications to ensure your company manages information security as necessary for the certification.
    • The Cyber Essentials Self-Assessment questionnaire should be completed and submitted to the IASME website portal for review by a qualified assessor.

    A detailed overview of the certification process and achieving Cyber Essentials certification is provided in the following article.

    The Cyber Essentials Self-Assessment Questionnaire (SAQ)

    The Cyber Essentials SAQ is available to download from the IASME website here.

    The questionnaire is divided into multiple sections that review how your company manages different elements of the Cyber Essentials scheme, including:

    • How your business is structured, including your size, number of devices, and office locations.
    • How your business manages your user account security, such as password requirements, account login restrictions, and Multi-Factor Authentication (MFA).
    • How your business ensures the cyber security measures of devices that are allowed access to your company information.
    • How your business ensures its ongoing security, through applying updates, maintaining malware protection software, and monitoring for common cyber threats.
    • How your business manages the security of your internet-facing systems, such as internet gateways, cloud services, and public websites.

    After completing the self-assessment questionnaire, your answers are reviewed by a qualified assessor, and provided the assessor has no further questions about the supplied answers, your company can earn the Cyber Essentials certification.

    The Cyber Essentials Plus Certification Process

    After your business has achieved Cyber Essentials, there is a three-month period in which your business can be assessed against the Cyber Essentials Plus technical audit.

    After the three months, your company can still apply for Cyber Essentials Plus, but a new Cyber Essentials certificate will first need to be issued.

    This is to ensure that the devices, services, and configuration standards defined in the questionnaire have not had time to significantly change between your two assessments.

    The Cyber Essentials Plus Vulnerability Tests

    Cyber Essentials Plus consists of multiple vulnerability tests which aim to verify that the information supplied in the questionnaire is accurate and that your company aligns with the Cyber Essentials specification.

    The specific tests that are involved in the Cyber Essentials Plus practical tests include:

    • An external vulnerability scan of your internet-facing infrastructure. This can include your internet-accessible servers, web applications, and other accessible systems.
    • A vulnerability scan of your internal network devices. This assessment involves a vulnerability scanner authenticating to your devices, such as internal servers, user devices, laptops, and desktops, and reviewing their configuration and patch levels to identify possible vulnerabilities.
    • A review of your malware protection system. Depending on what is defined within your questionnaire, the assessment reviews how your devices are protected from potentially malicious files running on them.
    • An assessment of your Multi-Factor Authentication (MFA) systems. Within the Cyber Essentials specification, cloud services are required to have MFA enabled, and so each of your cloud services is assessed against this requirement.
    • A review of your user account permissions, to ensure that your day-to-day accounts are not configured with administrator permissions.

    Where your company is determined to have passed each of the required tests, a report and certificate will be prepared by your Cyber Essentials certification body.

    Preparing For Cyber Essentials Assessment

    To help companies prepare for the Cyber Essentials assessment, a range of tools and documents is made publicly available to help businesses understand the standard and its requirements, and to configure their systems to align with it.

    Cyber Essentials Readiness Tool

    The Cyber Essentials readiness tool is a short set of questions available online at the following location.

    This short survey is intended to provide some high-level initial advice and guidance on where your business can improve its current security standards, protect against threats from cyber criminals, and better prepare for the certification process.

    Cyber Essentials: Requirements For IT Infrastructure

    The Requirements for IT Infrastructure document is a detailed breakdown of each of the Cyber Essentials controls, and is available here.

    The requirements document details all of the specifics involved in the assessment standard, such as:

    • Which devices within a company are included within the Cyber Essentials scope
    • Specific requirements for company-issued devices and Bring Your Own Device (BYOD)
    • How cloud services should be managed, and the different requirements for IaaS, PaaS, and SaaS
    • How Firewalls and Internet Gateway devices should be configured and managed
    • How devices should be configured to align with the certification requirements
    • How user accounts should be configured and their permissions assigned
    • How often companies should apply updates to ensure their device security
    • How companies can implement Malware Protection to secure their devices

    Cyber Essentials Plus: Illustrated Test Specification

    The Cyber Essentials Plus test specification provides a detailed description of each of the practical tests involved in a Cyber Essentials Plus assessment, including the conditions that need to be met to achieve a Pass or Fail, and is available here. It covers:

    • The vulnerability testing process for your internet-facing systems and the type of vulnerabilities that are considered a failure for the test
    • The requirements for conducting an authenticated test of your internal devices and the types of vulnerability which would result in a failure for the test
    • The individual tests that can be conducted, depending on your Malware Protection systems, and how a test may result in a failure
    • The method of reviewing each cloud service account and how to test if MFA has been configured for each account
    • The assessment process to review user accounts for the business and determine if administrator permissions are in place, which can result in a failure of the test.

    Limits Of The Cyber Essentials Assessment

    Cyber Essentials has been designed as an accessible information security standard that can be achieved by all businesses of all sizes.

    As the standard has been designed for such broad coverage, there are other security standards and security tests that will inevitably provide a more comprehensive assessment of your business.

    • ISO 27001 certification will provide a more comprehensive assessment of your company’s policies and procedures with regard to information security standards than the Cyber Essentials questionnaire.
    • An in-depth penetration test will provide a more detailed review of the practical security of your systems than the Cyber Essentials Plus certification.

    However, the costs and requirements of these more in-depth security assessments will inevitably be higher than the Cyber Essentials certification, which can make them inaccessible to many businesses.

    The Cyber Essentials scheme was developed to improve security for all businesses by onboarding as many companies as possible, particularly small and medium-sized businesses, to a minimum set of cyber security requirements.

    Conclusion

    Where your company is looking to improve its cyber security standards, reduce the potential of cyber attacks, or bid on additional contracts, the Cyber Essentials scheme can be helpful as an initial step towards improved cyber security.

    The Cyber Essentials certification process is designed to be achievable for every business, but it still requires a range of specific controls to be implemented within your organisation; these are easily misunderstood, and a percentage of companies fail their certification assessment as a result.

    Certified organisations are also required to maintain the Cyber Essentials technical requirements and to renew their certificate annually to demonstrate the continued secure configuration of their IT systems.

    For further guidance on achieving Cyber Essentials certification or progressing into Cyber Essentials Plus, the following articles may be useful:

    • Requirements for the Cyber Essentials Accreditation, found here
    • Preparing for Assessment: A Cyber Essentials CheckList, found here
    • Requirements for Cyber Essentials Plus Certification, found here

    If you have any further questions regarding Cyber Essentials or other cyber security solutions, our consultants and cyber advisors are available to address any concerns you may have.