
What is Cyber Essentials?

Cyber Essentials is the UK Government's National Cyber Security Centre's minimum requirements for cyber security. It's a Government-backed certification scheme that helps keep your organisation’s and your customers’ data safe from cyber attacks.


Who is Cyber Essentials for?

Cyber Essentials can help every organisation – from micro businesses to large corporations – guard against the most common cyber attacks. If you have digital assets or store any data, putting the Cyber Essentials controls in place can help you keep it safe.



Cyber Essentials is structured around five technical control themes, commonly referred to as the five pillars. These define the minimum baseline controls an organisation must have in place to protect against the most common internet-borne threats.


The five pillars are:

  1. Firewalls and Internet Gateways - Organisations must ensure that boundary firewalls (or cloud security groups) are correctly configured to control inbound and outbound network traffic. This includes:

    1. Using a firewall between the internet and internal networks

    2. Restricting inbound services to only those that are necessary

    3. Changing default passwords and disabling unnecessary services

  2. Secure Configuration - Systems must be configured securely to reduce their attack surface. This includes:

    1. Removing or disabling unnecessary software, services, and user accounts

    2. Ensuring devices are not using default credentials

    3. Applying secure baseline configurations for operating systems and applications

  3. User Access Control - Access to systems and data must be restricted to authorised users only. Key requirements include:

    1. Ensuring users only have access to what they need to do their job (least privilege)

    2. Separating administrative accounts from standard user accounts

    3. Removing or disabling accounts when no longer required

  4. Malware Protection - Measures must be in place to prevent and detect malware. This typically involves:

    1. Using anti-malware software or platform-native protection (e.g. Microsoft Defender)

    2. Preventing the execution of known malicious code

    3. Ensuring malware protection is kept up to date

  5. Security Update Management - Devices and software must be kept up to date to protect against known vulnerabilities. This includes:

    1. Applying security updates for operating systems, firmware, and applications

    2. Installing high-risk and critical updates within 14 days of release

    3. Ensuring all software in scope is supported by the vendor
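The Security Update Management pillar above gives two checks an assessor can test mechanically: high-risk and critical updates installed within 14 days of release, and no unsupported software in scope. The following is an added example (not code from the article or from any certification body) that runs both checks over a constructed, made-up device inventory; device names, update ids and dates are assumptions for illustration.

```python
from datetime import date, timedelta

# Cyber Essentials: high-risk and critical updates installed within 14 days of release.
PATCH_WINDOW = timedelta(days=14)

# Constructed sample inventory for illustration; device names, update ids and dates are made up.
INVENTORY = [
    {"device": "laptop-01", "os": "Windows 11", "supported": True,
     "pending": [{"id": "UPDATE-A", "severity": "critical", "released": "2024-05-01"}]},
    {"device": "server-01", "os": "Ubuntu 22.04", "supported": True,
     "pending": [{"id": "UPDATE-B", "severity": "low", "released": "2024-04-01"}]},
    {"device": "kiosk-01", "os": "Windows 7", "supported": False, "pending": []},
]


def assess_update_management(inventory, assessment_date):
    """Return (device, finding) pairs that would fail the Security Update
    Management pillar when assessed on assessment_date (ISO date string)."""
    today = date.fromisoformat(assessment_date)
    findings = []
    for dev in inventory:
        # Requirement 3: everything in scope must still be supported by the vendor.
        if not dev["supported"]:
            findings.append((dev["device"], f"unsupported software in scope: {dev['os']}"))
        for upd in dev["pending"]:
            # Requirement 2: the 14-day clock applies to high-risk and critical updates only.
            if upd["severity"] not in ("critical", "high"):
                continue
            age = today - date.fromisoformat(upd["released"])
            if age > PATCH_WINDOW:
                findings.append((dev["device"],
                                 f"{upd['id']} ({upd['severity']}) outstanding {age.days} days, limit 14"))
    return findings


if __name__ == "__main__":
    for device, finding in assess_update_management(INVENTORY, "2024-05-20"):
        print(f"{device}: {finding}")
```

Run it against your own exported patch report to see which devices would be raised as non-compliances before submitting the questionnaire.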


Why get Cyber Essentials certified?


  1. It's a requirement if you're in the Government supply chain

    1. Beyond being a requirement for the Government supply chain, the NHS and similar bodies, Cyber Essentials adds resilience and reduces the risk of your organisation suffering a cyber attack.

  2. More resilient

    1. 92% fewer insurance claims are made by organisations with the Cyber Essentials controls in place

  3. More trusted

    1. 89% of organisations would recommend certifying to other organisations like theirs

  4. More competitive

    1. 69% of those with Cyber Essentials believe that it has increased their market competitiveness

  5. More informed

    1. 88% believe Cyber Essentials has improved their understanding of cyber security risks


How do I get Cyber Essentials certified?


  1. Choose the level of certification.

    1. Cyber Essentials (self assessment).

      1. You complete an online questionnaire.

      2. The certification body feeds back with any non-compliances and you have 2 working days to remediate.

      3. On remediation the certification body awards your Cyber Essentials Certificate.

    2. Cyber Essentials Plus (a remote audit and technical test of your systems).

      1. Does not include Cyber Essentials

      2. Must be completed within three months of the Cyber Essentials certification

      3. Includes vulnerability scans and configuration checks

      4. Significantly higher assurance

      5. Often required for public sector or high risk contracts

  2. Choose an official Certification Body to work with.

    1. It's important that you choose a certification body which fits with your organisation. Whilst all official certification bodies have in-house assessors who will be able to issue your certificate, they all take a slightly different approach to getting you there. We've written an article on how to choose a Cyber Essentials certification body which can be accessed here.

  3. Define your scope.

    1. Your certification body will work with you to help define your scope, detail which devices should be included and present the Cyber Essentials questionnaire for you to answer.

  4. Answer the Questions.

    1. The questionnaire focuses on:

      1. Device types and operating systems in scope

      2. Firewall and network configuration

      3. User account management

      4. Malware protection controls

      5. Patch and update processes

    2. Key points:

      1. Answers must reflect what is actually implemented, not what is intended.

      2. It is the applicant's responsibility to evidence that all controls are in place.

  5. Remediate any issues

    1. On submission you will receive feedback. Some certification bodies will offer basic feedback whilst others will offer fully supported hand holding, outlining exactly where the gaps are and what controls are required in order to achieve certification.

    2. Some certification bodies (and also IASME) will then give you 2 working days to remediate before your assessment is marked again. Other certification bodies do not impose this time restriction.

  6. Issue your certificate

    1. Once approved, your certificate is issued. This comes as a PDF report with a link to a secure page where you can download your certificate and your certification number.

    2. The certificate expires after 12 months. We recommend starting your re-certification after around 10 months which then gives you 2 months to work through any changes to the question set requirements.

    3. For Cyber Essentials Plus, certification is issued only after successful technical testing and must be obtained within three months of the Cyber Essentials certification date.

  7. Maintain Compliance

    1. To remain compliant:

      1. Keep systems patched and supported in line with the requirements

      2. Maintain secure configurations and access controls

      3. Re-certify annually

      4. Ensure no major changes to IT systems are introduced mid-term. Cyber Essentials does accommodate organic growth and minor system changes.


I'm Mark Kindred, the senior Cyber Essentials assessor with over 20 years' experience at www.getcybercertified.co.uk, which is an official authorised Cyber Essentials assessment body. I hope you found this article helpful. If you have any further questions please feel free to contact me at mark.kindred@getcybercertified.co.uk


Thanks for viewing.
