The lowdown on the UK government’s new Cyber Essentials Scheme

Recognising that not all organisations have adequately dealt with cyber security, the UK Government has recently developed a Cyber Essentials Scheme which aims to provide clarity on good cyber security practice.

In its Cyber Essentials Scheme, the UK Government sets out five controls which it is hoped will provide all types of organisations with basic protection against the most widespread type of Internet threats. As such, the Cyber Essentials Scheme should be viewed as a form of strategic risk management, designed to mitigate the risk from common online threats, and to significantly reduce an organisation’s vulnerability. 

Along with the Cyber Essentials Scheme, the Government has published an Assurance Framework, which enables organisations to reassure customers, investors, insurers and others that they have taken the appropriate cyber security precautions.

Rationale underlying the Cyber Essentials Scheme

The Government realised that the controls incorporated in its 2012 guide, “10 Steps to Cyber Security” were not being adequately applied, and therefore initiated a call for evidence on a preferred cyber security Standard.

The government concluded in November 2013 that no individual standard was in line with its fixed requirements, and therefore developed the Cyber Essentials Scheme, by developing a set of controls and implementation guidance for “basic cyber hygiene”.

When will the Cyber Essentials Scheme come into effect?

The voluntary scheme is currently open and available to all types of organisations. From 1 October 2014 onwards, the Government will require suppliers bidding for certain types of personal and sensitive information handling contracts to be Cyber Essentials certified.  

Controls offered by the Cyber Essentials Scheme

Cyber Essential focuses on five core controls:

1. Boundary firewalls and internet getaways

Designed to prevent unauthorised access to or from private networks and offers a basic level of protection.

2. Secure configuration

Designed to implement security measures when building and installing computers and network devices.

3. Access control and administrative privilege management

Designed to protect user accounts and helping prevent the misuse of privileged accounts.

4. Patch management

Designed to ensure the software used on computers and network devices is up to date.

5. Malware protection

Designed to ensure that malware and virus protection is installed so as to protect important documents, computer, and privacy from attack.

Assurance Framework

The two levels against which organisations can be certified are: Cyber Essentials (Stage 1), which consists of self-assessment and authentication by a certification body, and Cyber Essential Plus (Stage 2), which rests upon more detailed assessment by a certification body, in addition to the Stage 1 requirements.    

Stage 1: Cyber Essentials

  • The scope must be defined in terms of network boundaries, location and management control by the organisation
  • The organisation must answer a self-assessment questionnaire in order to prove its level of compliance with the requirements for basic cyber security. It is signed by an authorised signatory from the organisation to confirm its accuracy, and is then sent to the certification body to be verified. Once the certification body is certain that the controls have been correctly implemented, a certificate is awarded.

Stage 2: Cyber Essentials Plus

  • This stage examines whether the controls implemented are adequate to safeguard the organisation against Internet based threat actors with low levels of technical capability.
  • All CREST-accredited certification bodies carry out the necessary verification for Stage 1, combined with a more in-depth internal assessment of a sample of relevant devices that are connected to the Internet and/or capable of receiving emails.

As a whole, certification should bring numerous benefits, such as the opportunity to tender for business in cases where certification might be a prerequisite to the scheme, and contributing to building customer and investor confidence in the ability of a business to deal with cyber security.

Is the Cyber Essentials Scheme the way forward?

While the Cyber Essentials Scheme is an important step in improving cyber security standards businesses should continue to place emphasis on internal risk management strategies, which may well require additional and specific security controls, while customers should not forget that evidence of certification should not replace appropriate due diligence on a supplier and other risk management strategies such as putting in place cyber security insurance.