Introduction
Cyber Essentials is a set of basic but fundamental security requirements which, if implemented efficiently and effectively, minimise the risk of a successful cyber-attack. It was aimed principally at SMEs (small and medium enterprises), whilst accepting that larger organisations should be taking these actions as well. The five basic Cyber Essentials controls are taken from advice issued by Government Communications Headquarters (GCHQ) and from the ‘10 Steps to Cyber Security’.
The five main areas of the Cyber Essentials controls are assessed through a set of questions, the Cyber Essentials questionnaire, which most business owners and managers should be able to answer, perhaps with some limited technical advice. If support from a Cyber Essentials Consultant is preferred, feel free to contact us.
The Five Controls
- Boundary firewalls and networking gateways: These are devices designed to stop unauthorised access to or from private networks; correct configuration of these devices, whether hardware or software, is essential for them to be fully effective.
- Secure configuration: This involves making sure that systems are configured in the most secure way for the requirements of the organisation.
- Access control: Making certain that only those who ought to have access to systems have access, and at a suitable level.
- Malware protection: This involves ensuring that the latest virus and malware protection is installed.
- Patch management: Making certain that the latest supported version of applications is used and that all required patches provided by the supplier have been applied.
General Information
The appropriate information must be provided as part of the general application for certification. This information includes the business name, business size, a point of contact and, most importantly, the scope of the system to be assessed and certified. It is critical that the scope is correctly defined; usually the easiest and best way to do this is a simple block diagram. This block diagram shows a simple system, with the red line highlighting the extent of the assessment. Note that the certificate will carry a brief description of the system certified. The organisation’s name may only be used on the certificate if all the IT systems in use in the organisation are within the scope of the assessment.
Three Steps to Certification
- Select an Accreditation/Certification Body.
- Make sure that your IT is suitably secure and meets the standards set by Cyber Essentials; your Certification Body or our Cyber Essentials Consultants can help with this.
- Complete the Cyber Essentials questionnaire; your Accreditation/Certification Body will provide this and verify your answers.
Once you have passed, your accreditation body will grant you the certificate.
The Process in Detail
Selecting an Accreditation/Certification body
- Your first port of call is the Directory of Accreditation Bodies. Read the details about each of these and choose one which feels like a good fit for your organisation.
- When you have chosen an Accreditation Body, click through to its website and its directory of Certification Bodies.
- It is the Certification Bodies that perform your evaluation and award your Cyber Essentials certificate.
Verify That Your IT is Secure
Cyber Essentials includes a detailed set of requirements for your IT (Information Technology).
You will be required to make sure that all your systems and software meet these before progressing to the next phase of certification.
You may need to provide various types of evidence before your chosen Certification Body can award certification at the level you ask for.
Complete the Cyber Essentials Questionnaire
Once you have understood all the requirements which Cyber Essentials places on the installation, configuration and maintenance of your IT, you are ready to complete the Cyber Essentials questionnaire and submit it to your Accreditation/Certification Body.
The actual Cyber Essentials questionnaire that you complete is provided by your Certification Body.
Accreditation Body/Certification Body
Five Accreditation Bodies have been chosen by the NCSC to supervise Cyber Essentials.
They recruit and manage a number of Certification Bodies, ensuring that the standards set down for the scheme are met.
Each Accreditation Body
- Produces a Cyber Essentials questionnaire for its Certification Bodies to use when certifying.
- Has a process for auditing its Certification Bodies in place.
- Verifies that all of their Certification Bodies meet the NCSC’s demanding level of technical competence.
- Is audited at least every 12 months by the NCSC.
The Benefits of Certification
- Attract new business with the assurance that you have cybersecurity measures in place.
- Cyber Essentials will benefit your organisation in numerous ways.
- Reassure customers that you take cybersecurity seriously.
- Be listed on the directory of organisations awarded Cyber Essentials.
Major Accreditation Bodies
- APMG international
- CREST
- IASME Consortium
- IRM
- Management standards
If you are interested in support with implementing the controls to achieve certification, please contact us for a free, no-obligation quote.