Cyber Essentials is a UK government scheme designed to protect companies and organisations, whatever their size, against a range of the most common cyber attacks. Most of these attacks are basic and carried out by relatively unskilled people. They have been described as the digital equivalent of a thief trying a home’s front door to see if it is unlocked. The Cyber Essentials certification scheme was launched in 2014 by the UK Department for Business, Innovation and Skills and is operated by the National Cyber Security Centre (NCSC). The scheme is also active in Canada, where it is managed by Cyber Essentials Canada.
Cyber Essentials can benefit your business in a number of ways:
1. Preventing cyber attacks: If you fail to protect your computer systems, you’re at more risk of a cyber attack. An attack could result in your organisation losing vital data, disrupting cash flow and damaging your reputation.
2. Government contracts: Since October 2014, four months after the launch of the UK version of Cyber Essentials, organisations bidding for certain British Government contracts (those involving the handling of sensitive or personal information, or the provision of certain technical products and services) have needed Cyber Essentials certification. In Canada, some, but not all, Government agencies and departments require Cyber Essentials certification for contract bids.
3. Customer trust: Becoming Cyber Essentials certified shows your customers that you take cyber security seriously and are taking the necessary steps to keep the data you hold about them safe. Displaying your Cyber Essentials credentials on your website, emails and other marketing materials shows your customers – and prospective ones – that you are serious about cyber security.
There are five technical controls (a “control” is simply a way to address a risk) you will need to put in place, which are:
Cyber Essentials guidance from the UK National Cyber Security Centre breaks these down into finer detail (although there is no formal Cyber Essentials standard document in the sense of an ISO standard or a law; the NCSC's published requirements for IT infrastructure are the closest equivalent). These controls have been chosen as the highest-priority ones from other, more detailed guidance such as the ISO/IEC 27001 standard for information security, the Standard of Good Practice (from the Information Security Forum) and the IASME Governance standard. However, Cyber Essentials has a narrower focus, emphasising technical controls rather than more general governance and risk assessment.
Cyber Essentials is also useful for those with an eye on the GDPR – the EU’s General Data Protection Regulation – which came into effect in May 2018. The GDPR is a far-reaching regulation, intended to protect the privacy of individuals and their personal data within the European Union. The regulation specifies that “controllers” must determine their own cyber security approaches based on the personal information they hold and process. While Cyber Essentials can help with this, it is not a complete solution for all GDPR obligations. But the Information Commissioner’s Office (ICO), whose job it is to uphold the GDPR in the UK, recommends Cyber Essentials as “a good starting point” for the cyber security of the IT systems and networks you rely on to hold and process personal data.
Not everyone has the time or money needed to develop a comprehensive cyber security system, so Cyber Essentials has been designed to fit in with whatever level of commitment you are able to sustain. There are three main levels of engagement:
1. Self-assessment: you check your own systems against the five controls without seeking certification.
2. Cyber Essentials (basic): you complete a self-assessment questionnaire which is reviewed by a certification body, which then awards the certificate.
3. Cyber Essentials Plus: in addition to the questionnaire, the certification body independently tests the systems within your scope.
The self-assessment option (not going for certification) still gives you protection against a wide variety of the most common cyber attacks, so we’d encourage you to do this as a minimum. This is important because vulnerability to simple attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others. Certification gives you increased peace of mind that your defences will protect against the majority of common cyber attacks simply because these attacks are looking for “soft” targets which do not have the Cyber Essentials technical controls in place. If you would like to bid for central government contracts which involve handling sensitive and personal information, or the provision of certain technical products and services, you may need to have Cyber Essentials certification, at either the basic or Plus level.
The process of obtaining Cyber Essentials certification is relatively simple and generally costs between £300 and £600 plus VAT (around $1750 CAD in Canada), depending on which certification body you choose (see below for some advice on this). Cyber Essentials shows you how to address the basics and prevent the most common attacks. So far about 80% of companies and organisations with Cyber Essentials certification have chosen the basic version. It is often larger organisations that choose Cyber Essentials Plus due to the additional cost, which can be several thousand pounds (although this varies – shop around for the most appropriate deal for you).
Cyber Essentials certification involves three simple steps:
1. Choose a certification body.
2. Meet the requirements in the five control areas, define your scope and complete the questionnaire.
3. Respond to any clarification questions and receive your certificate.
Your first step is to choose a certification body. These are accredited by one of five organisations appointed by the UK government to be accreditation bodies.
In Canada, accreditation is done by the Cyber Essentials Canada Authority. Each accreditation body has a directory of certification bodies that it has accredited. It is up to you to choose one which feels right for your organisation.
It is the certification body which will perform your evaluation and award your Cyber Essentials certificate, but what factors come into play when making your decision? In our experience asking the following questions will help you to choose:
Making a good choice based on the above factors can’t guarantee that the certification process will run smoothly, but by having a good understanding of the accreditation regime and by asking the right questions early on you will have given yourself the best chance possible to have a long and happy certification relationship.
Cyber Essentials defines a set of requirements in the five control areas and you will need to make sure your systems and software meet these before you move on to the next stage of certification. You may be required to supply various forms of evidence before your chosen certification body can award certification at the level you seek, so it’s best to have this available in case it’s asked for.
You will also need to define the scope of your intended certification. This determines what is certified and, in the case of Cyber Essentials Plus, what is tested. Generally, the scope will be defined by a physical location, such as your main office, remote offices or cloud services.
Having understood the requirements which Cyber Essentials puts on the installation, configuration and maintenance of your IT, you are ready to complete the certification questionnaire and submit this to your certification body. The actual questionnaire you complete will be supplied by your certification body, and these do vary a little depending on who the certification body has been accredited by.
The certification body may come back to you with some clarification questions and, once you have answered these, a decision will be reached about whether or not your answers meet the requirements for certification.
Once the certification body says you’ve passed, you will be awarded your Cyber Essentials certificate and may use the logo on your website and marketing materials. Your certificate remains valid for one year, after which you will need to re-certify if you want to stay on the list of certified organisations on the NCSC website.
The CertiKit Cyber Essentials Toolkit is designed to help implement the five key controls of Cyber Essentials quickly and effectively with much less effort than doing it all yourself. Our high-quality template documents and checklists come complete with 12 months of updates and support. Using the toolkit is the first step to securing your IT systems and will prepare your business for certification. Download a free sample document to start your compliance journey.