Cyber Essentials (UK)
Cyber Essentials is a UK government-backed scheme aimed at helping organizations protect themselves against common cyber threats. It offers a set of basic technical controls that organizations can implement to significantly reduce their vulnerability to cyberattacks.
Definition and purpose
The Cyber Essentials scheme was introduced to set a baseline of cyber security for all organizations. The main purpose of the scheme is to promote the adoption of best practices in information security and ensure that organizations have fundamental protections against a range of the most common cyber threats.
The scheme was launched by the UK government and is overseen by the National Cyber Security Centre (NCSC), a part of GCHQ (Government Communications Headquarters).
The most recent update was released in April 2023 with version 3.1 of the Cyber Essentials Requirements.
Cyber Essentials is suitable for all organizations, of any size, and in any sector, whether private, public, or non-profit. It's particularly recommended for organizations that handle personal data or are suppliers to government bodies.
Controls and requirements
The Cyber Essentials scheme focuses on five key controls that, when properly implemented, can prevent up to 80% of cyber attacks:
- Boundary Firewalls and Internet Gateways: Ensuring that the devices connecting the organization's networks to the internet are configured to block unauthorized inbound access.
- Secure Configuration: Ensuring that systems are configured in the most secure way for the needs of the organization.
- User Access Control: Managing user accounts so that access is granted only to those who need it, with the appropriate level of access rights, and ensuring that proper authentication methods are in place.
- Malware Protection: Ensuring that virus and malware protection is installed and kept up-to-date.
- Patch Management: Ensuring that the latest supported versions of applications and operating systems are in use and that all necessary security patches have been applied.
Please refer to the official Cyber Essentials documentation for a detailed list of controls and requirements.
Audit type, frequency, and duration
Organizations can achieve two levels of certification:
- Cyber Essentials: This requires organizations to complete a self-assessment questionnaire, with the responses independently reviewed by an external certifying body.
- Cyber Essentials Plus: This involves both the self-assessment questionnaire and an independent external test of the organization's cyber security approach.
While the basic Cyber Essentials certification relies on a reviewed self-assessment, Cyber Essentials Plus requires hands-on technical verification by the certifying body.
The certificate is valid for 12 months from the date of issue, so organizations should plan for annual reassessment to maintain their certification. The duration of the assessment, especially for Cyber Essentials Plus, depends on the size and complexity of the organization's network and systems.