Kalpana Kalpana (Editor)

Cyber Essentials

Updated on
Edit
Like
Comment
Share on FacebookTweet on TwitterShare on LinkedInShare on Reddit

Cyber Essentials is a UK government scheme encouraging organisations to adopt good practice in information security. It includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet. It was developed in collaboration with industry partners, including the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME) and the British Standards Institution (BSI), and is endorsed by the UK Government. It was launched in 2014 by the Department for Business, Innovation and Skills.

Contents

Assurance framework

Organisations can earn two levels of certification, or badges:

  • Cyber Essentials: Organisations self-assess their systems, and this assessment is independently verified.
  • Cyber Essentials Plus: Systems are independent tested, and Cyber Essentials is integrated into the organisation's information risk management.

    • Annual recertification is required. Certifying Bodies are, in turn, licensed by Accreditation Bodies, which have been appointed by UK government.The five current accreditation bodies are APMG, CREST, IASME, IRM security and QG. CREST has developed an assessment framework. IASME, one of the Accreditation Bodies, has incorporated the Cyber Essentials into the wider IASME information assurance standard.

    As with ISO/IEC 27001:2005, organisations may choose to limit the scope of certification to a certain subset of their business.

    Controls

    The five main technical controls are:

    1. Boundary firewalls and internet gateways
    2. Secure configuration
    3. Access control
    4. Malware protection
    5. Patch management

    Cyber Essentials guidance breaks these down into finer details. These controls can be mapped against the controls required by ISO/IEC 27001:2013, the SOGP, and IASME, although Cyber Essentials has a narrower focus, emphasising technical controls rather than governance, risk, and policy.

    History

    The Cyber Essentials scheme was launched on 5 June 2014. Several organisations were quickly certified by the end of June. Since October 2014, Cyber Essentials certification has been required for suppliers to central UK government who handle certain kinds of sensitive and personal information. This is intended to encourage adoption by businesses wishing to bid for government contracts. Insurers have suggested that certified bodies may attract lower insurance premiums. There are over 700 companies certified by Cyber Essentials.

    References

    Cyber Essentials Wikipedia
    (Text) CC BY-SA