30th May 2022

Some details about Cyber Essentials

Continuing our overview of Cyber Essentials from part one, here we look in more detail at some of the more technical aspects of the assessment and compare Cyber Essentials to some other security-related certifications.

A Guide to Cyber Essentials

The details behind Cyber Essentials

Cyber Essentials and BYOD

Bring Your Own Device (BYOD) refers to devices that access business data but are owned by individuals. Depending on the requirements of the organisation, BYOD may or may not be in scope for the assessment. If they are, then typically there are specific provisions that apply to BYOD so that they are considered suitably secure to handle business data.

Cyber Essentials and home working

Ideally, home workers should use company-owned devices, which will be covered by the company’s security policies and controls. Since January 2022, home networks are not in scope for Cyber Essentials, but the devices used must have an internal ‘software’ firewall enabled. Whether BYOD or company-owned, home workers’ devices are in scope for Cyber Essentials and must comply with the requirements.

Cyber Essentials IT infrastructure requirements

There are several specific stipulations regarding infrastructure configuration, such as encryption, updating, protection software, firewalls, passwords, user privileges, and so forth.

Cyber Essentials and mobile devices

The same comments apply as for BYOD. Mobile devices that can access company data, such as email, should be included in the scope of Cyber Essentials. If they are, then typically there are specific provisions that apply to mobile devices so that they are considered suitably secure to handle business data.

Cyber Essentials and operating systems

Almost any fully-supported operating system is permitted, providing the vendor is actively monitoring for vulnerabilities and providing patches in a timely manner.

Cyber Essentials password policy

There are minimum requirements for the password policy: length, complexity, and expiry. The standard requirement is for a 12-character complex password; however, this may be reduced to 8 characters if other password-related controls are in place.

Cyber Essentials vulnerability scan

Cyber Essentials requires that devices have an active and effective mechanism to identify, prevent and remove threats from a system.

Cyber Essentials vs the alternatives

Cyber Essentials vs ISO27001

Both are certifications applicable to almost every sector of business.

ISO27001 is an ongoing management system that operates within and drives the business and provides ongoing feedback for continuous improvement. It covers a range of topics around data security, much wider than purely the IT systems alone. Compliance with Cyber Essentials will help with eventual compliance with ISO27001.

Cyber Essentials and DSPT

The Data Security and Protection Toolkit (DSPT) is a specific set of criteria that applies to businesses with access to NHS patient data and systems.

DSPT effectively requires an ongoing management system embedded within the business, similar to ISO27001. It covers a range of topics around data security, much wider than purely the IT systems alone.

Cyber Essentials and GDPR

GDPR is mandatory for all UK businesses. Both GDPR and Cyber Essentials are applicable to every sector.

GDPR's scope concerns how businesses manage the data they hold about individuals (Personal Data): how they use it, how they ensure it is secure, how they dispose of it, and their responsibilities to the individual. It does not concern itself with specific details of the IT systems. It does, however, require that Personal Data is kept secure, and Cyber Essentials certification will satisfy those requirements without further justification.

Cyber Essentials and IASME

IASME is the accreditation body appointed by the National Cyber Security Centre (NCSC) to operate the Cyber Essentials programme. It provides training for assessors, sets the self-assessment questions, and monitors the performance of the Certifying Bodies (CBs).

Cyber Essentials vs NIST

The NIST programme is a framework for US businesses to understand and control their cybersecurity. The framework covers five general areas that businesses should consider as part of their cyber protection measures. There are no specific requirements, nor is it assessed. It is similar to the code of best practice provided by NCSC for UK businesses.

Cyber Essentials vs SOC 2

SOC 2 is a certification aimed at service providers (cloud computing, software-as-a-service, etc). It considers the effectiveness of an organisation's controls around security, availability, integrity and privacy. SOC 2 may be either a point-in-time report or form part of an ongoing management system.

Cyber Essentials resources

Cyber Essentials checklist download

The Cyber Essentials checklist may be downloaded from the IASME website here: https://getreadyforcyberessentials.iasme.co.uk/.

Cyber Essentials certifying bodies

There are around 200 CBs in the UK that are licensed to provide Cyber Essentials (CE) and CE Plus certificates. They can all be found in an online search.

The Cyber Essentials Plus register

Once a CE certificate is issued, the certified organisation is added to a public database which may be searched via the IASME or NCSC websites.

Cyber Essentials gap analysis

This is the first phase of a CE certification project, where an organisation’s security controls are compared to those required by Cyber Essentials and a list of ‘gaps’ is developed.

Cyber Essentials grants

Grants may exist from time to time to help an organisation with the cost of becoming CE certified. These grants may be issued by any number of public bodies.

Using the Cyber Essentials branding

Once you have achieved a CE or CE Plus certificate, you will be issued with a ‘Branding Guidelines' pack containing logos and marks which may be used in promotional materials.

Next steps

A successful cyber-attack is serious: it can stop all operations, incur significant costs to recover, and result in reputational damage. Many businesses never recover and ultimately cease trading.

Cyber Essentials has two main benefits. It is an indication that you take the threat of cyber attack seriously, giving you credibility with other organisations. At the same time, it ensures your business takes measures to protect itself and significantly reduces the risk of a successful attack, avoiding financial or reputational losses.

Flex IT can assist with implementing Cyber Essentials for your business. We have good experience of the process and can implement mechanisms to ensure your systems verifiably comply with the key requirements. We work closely with an independent consultant when taking our clients through accreditation to ensure they get an expert's view on the required steps.

Want to know more? Contact us today.