If you're attempting to bid on a government based contract or work in the security industry, then you've probably heard of Cyber Essentials. But if you've just been asked mid-tender, "Have you got Cyber Essentials?" Then have we got the answers for you!
We're going to cover off:
As always, (on our second ever blog) if you can't be bothered to read the full article, then skip to the TL;DR
What does Cyber Essentials cover?
Cyber Essentials was created by the National Cyber Security Centre (NCSC) and is a government backed scheme to assist you in protecting your organisation against 80% of the most common cyber threats. The controls are foundational and are a good starting point to ensure that you remain secure in the online environment.
Cyber Essentials is based upon five controls:
Firewall – The organisation's boundary. How do you control what comes in and what comes out?
Secure Configuration – Making sure your devices are correctly set up and only have necessary software installed (if you're worried about using your personal device and having games installed, see the FAQs below).
Patch Management – Ensuring your Operating Systems and applications kept up-to-date with the latest security fixes
Access Control – How is access to files and folders managed within the organisation? How do you ensure those with administrative access know their responsibilities?
Malware Protection – Do you have an antivirus in place? How do you protect yourself against computer viruses?
What is Cyber Essentials?
This is a verified (marked) self-assessment that you would complete (or complete with the assistance of your IT provider or Certification Body) and the answers must truly reflect the way that your organisation uses IT. Depending on what is required, this may be enough for your tendering process. Once your Cyber Essentials self-assessment has been marked and verified by a Certification Body, you will be certified for a 12 month period.
What is Cyber Essentials Plus?
This takes your organisation's commitment to the next level. Cyber Essentials Plus is a technical audit based on the answers you've provided in the verified self-assessment. You must hold a Cyber Essentials certificate to complete Cyber Essentials Plus.
"BUT WAIT!" I hear you say, "Can't I get both certifications on the same day?". Yes. The Cyber Essentials certificate must be run before the Cyber Essentials Plus report can be completed but both can be done on the same day.
During the assessment, a vulnerability scan will be conducted on a sample of your devices; this isn't a penetration test.
Do you need it?
Let's be honest. If you're in a tendering process and they've mentioned Cyber Essentials, you'll probably need it. More and more companies are having a larger presence online and also going the route of home working, with many allowing the option to BYOD (bring your own device). If you're not sure of your IT footprint or would like a starting point to check, then Cyber Essentials is for you.
FAQs on Cyber Essentials
We get a lot of questions about Cyber Essentials. That's why we've made a FAQ of the most common ones here!
TL;DR
Question | Answer |
|---|---|
What does Cyber Essentials cover? | Foundational protection for your IT and information assets. |
What is the Cyber Essentials Verified Self-Assessment? | It is a set of questions that you provide the answers and information for that is then reviewed by an accredited third-party for compliance. |
What is Cyber Essentials Plus? | This is the technical audit to prove that the Cyber Essentials controls are working as intended (not a pentest). |
Do you need it? | If you're here, probably. |
How to Prepare for Cyber Essentials? | See below. |
How to Prepare for Cyber Essentials?
We're creating easy to follow guides that you can use to help you prepare. If you have any questions or comments, feel free to reach out!
コメント