
Cyber Essentials is a United Kingdom certification scheme designed to show that an organisation has a minimum level of protection in cyber security, with annual reassessment required to maintain certification. It is backed by the UK government and overseen by the National Cyber Security Centre (NCSC), and it encourages organisations to adopt good practices in information security. Cyber Essentials also includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet. The certification underwent substantial changes in January 2022, which included bringing all cloud services into scope and changes to the requirements on multi-factor authentication, passwords and PINs.


Certification

The Cyber Essentials programme provides two levels: the first is self-certification, and the second requires independent validation of the claims made:


Cyber Essentials

Commonly referred to as "mark your own homework": organisations self-assess their systems and then complete an online assessment. The online assessment is marked by a Cyber Essentials Assessor, who provides feedback on any areas where improvements could be made. There is no independent validation of the accuracy of the answers at this level. The cost for Cyber Essentials starts from £300 and is subject to VAT in the UK. The pricing model is tiered based on the number of employees, and more information can be found on the IASME website.


Cyber Essentials Plus

The same as the basic level, but with independent validation by an accredited third party. Systems are independently tested, and Cyber Essentials is integrated into the organisation's information risk management. The cost of the Plus accreditation depends on the complexity of the environment, but for a simple SME it would typically be around £1,400 and is subject to VAT within the UK. IASME has incorporated Cyber Essentials into the wider IASME information assurance standard. As with ISO/IEC 27001, organisations may choose to limit the scope of certification to a certain subset of their business, and this must be disclosed on their certificate.


Controls

The five technical controls are:

1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management

Cyber Essentials guidance breaks these down into finer details. These controls can be mapped against the controls required by ISO/IEC 27001, the Standard of Good Practice for Information Security, and IASME Governance, although Cyber Essentials has a narrower focus, emphasising technical controls rather than governance, risk, and policy.


History

The Cyber Essentials scheme was launched on 5 June 2014. Several organisations were quickly certified by the end of June. Since October 2014, Cyber Essentials certification has been required for suppliers to the central UK government who handle certain kinds of sensitive and personal information. This is intended to encourage adoption by businesses wishing to bid for government contracts. Insurers have suggested that certified bodies may attract lower insurance premiums. Over 30,000 Cyber Essentials certificates have been awarded to businesses and organisations. The scheme was developed in collaboration with industry partners, including the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME), and the British Standards Institution (BSI), and it is endorsed by the UK Government. It was launched in 2014 by the Department for Business, Innovation and Skills. After the WannaCry ransomware attack, NHS Digital refused to finance the £1 billion which was the estimated cost of meeting the Cyber Essentials Plus standard, saying this would not constitute value for money and that it had invested over £60 million and planned to spend a further £150 million to address key cyber security weaknesses over the next two years. As of September 2019, there were five accreditation bodies: APMG, CREST, IASME, IRM security and QG. Beginning in April 2020, IASME was chosen by the National Cyber Security Centre (NCSC) to be the sole Cyber Essentials Scheme accreditation body. In January 2022 the pricing model changed to a tiered model based on the number of employees, to better reflect the more complex nature of assessing larger organisations. Cloud services, BYOD, home working, thin clients and MFA also see big changes as part of the assessment.


See also

* CESG
* Cyber Assessment Framework
* GovAssure
* Government Digital Service
* Government Security Classifications Policy
* IASME
* ISO/IEC 27001
* NCSC
* UK cyber security community
* UK Cyber Security Forum



External links


Official Cyber Essentials Website

Official Cyber Essentials Advice

Official Cyber Essentials Guidance - All Topics

National Cyber Security Centre: 10 Steps to Cyber Security