Cyber Essentials is ‘a UK Government-backed scheme to help businesses in protecting themselves against cyber threats’. The aim, of course, is to improve the standard of cyber security across UK business but also specifically to provide a means by which a company can ‘advertise the fact that it adheres to a government endorsed standard’. From 1 October 2014 Cyber Essentials is mandated for suppliers bidding for government contracts that involve handling sensitive and personal information. The scheme is based on ISO27001/2 and the government’s ‘10 Steps to Cyber Security’ but it does not pretend to be an all-encompassing security standard nor to replace any existing standards.
There are two levels of certification: Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials is awarded on the basis of a verified self-assessment. An organisation undertakes its own assessment of its implementation of the Cyber Essentials control themes via a questionnaire, which is approved by a senior executive such as the CEO. This questionnaire is then verified by an independent Certification Body to assess whether an appropriate standard has been achieved, and certification can be awarded.
Cyber Essentials Plus addresses the same control themes but provides greater assurance as the self-assessment is validated by independent internal and external vulnerability testing.
The scheme has clear strengths. Properly implemented, the five control areas (boundary firewalls and internet gateways; secure configuration; access control; malware protection; and patch management) can protect against a large number of vulnerabilities and cyber threats, including those we most often encounter as the cause of data breaches. Further, the certification process is simple and straightforward. The cost of certification to other standards is off-putting to many SMEs, but Cyber Essentials certification can be achieved for relatively little cost. It seeks to strike a balance: a scheme that is affordable for smaller businesses while still demonstrating a commitment to cyber security. It should play a useful part in raising awareness and providing a base level of security that businesses can build upon as skills and resources permit.
What are the downsides then? One must be whether Cyber Essentials can achieve sufficient awareness amongst the plethora of other standards. It is very early yet, but hopefully the government’s mandating of the standard for some suppliers will help.
The second question must be whether certification will give a false sense of security. Concern arises from two factors. First, in order to be affordable and light touch, the process relies very much on self-assessment. Consultants reviewing companies that have self-assessed to the Payment Card Industry Data Security Standard (PCI DSS, admittedly a far more detailed standard) find that self-assessment can be wildly over-optimistic. It remains to be seen how challenging the independent verification of Cyber Essentials self-assessments will be, and how businesses will react if it is more than a tick-box exercise.
The second concern is that although the standard rightly identifies five critical controls, it would be a mistake for any company to imagine that that is all there is to cyber security. A comparison of Cyber Essentials to ISO 27001 quickly shows the range of controls that is not covered. There are still many real threats that operate outside the scope of the five Cyber Essentials controls.
So we would encourage companies to engage with the Cyber Essentials programme, and 7Safe is pleased to be among the first companies accredited to carry out certification. But we would also urge businesses to see it not as a final destination but as a stepping stone toward a more thorough, risk-based and embedded cyber security culture.
To find out more about how 7Safe can help you comply with Cyber Essentials contact us.