Cyber Essentials Toolkit v2 Implementation Guide
2 Cyber Essentials certification

The process of obtaining Cyber Essentials certification is relatively simple and generally costs between £300 and £600 plus VAT, depending on which certification body you choose (see below for some advice on this). Cyber Essentials shows you how to address the basics and prevent the most common attacks. So far about 80% of companies and organisations with Cyber Essentials certification have chosen the basic version. It is often larger organisations that choose Cyber Essentials Plus, due to the additional cost, which can be several thousand pounds (although this varies – shop around for the most appropriate deal for you).

Cyber Essentials is also useful for those with an eye on the GDPR – the EU’s General Data Protection Regulation – which came into effect in May 2018. The GDPR is a far-reaching regulation, intended to protect the privacy of individuals and their personal data within the European Union. The regulation specifies that “controllers” must determine their own cyber security approaches based on the personal information they hold and process. While Cyber Essentials can help with this, it is not a complete solution for all GDPR obligations. But the Information Commissioner’s Office (ICO), whose job it is to uphold the GDPR in the UK, recommends Cyber Essentials as “a good starting point” for the cyber security of the IT systems and networks you rely on to hold and process personal data.

So, what does Cyber Essentials actually consist of? Well, there are five technical controls (a “control” is simply a way to address a risk) you will need to put in place, which are:

1. Office Firewalls and Internet Gateways: Secure your internet connection with boundary and host-based firewalls.
2. Secure Configuration: Device settings, passwords and two-factor authentication.
3. User and Administrative Accounts: Securing user and administrator accounts and limiting access to data and services.
4. Malware Protection: Viruses, whitelisting and sandboxing (described later).
5. Software Patching: Keep your devices and software up to date.

Cyber Essentials guidance from the UK National Cyber Security Centre and their partner IASME breaks these down into finer details. These controls have been chosen as the highest-priority ones from other, more detailed, available guidance such as the ISO27001 standard for information security, the Standard of Good Practice (from the Information Security Forum) and the IASME Governance standard, although Cyber Essentials has a narrower focus, emphasising technical controls rather than more general governance and risk assessment. For those organisations considering ISO27001 certification (possibly in addition to Cyber Essentials), CertiKit has a separate toolkit here.

Cyber Essentials certification involves three simple steps:

1. Select a Certification Body or go directly to IASME themselves (see below).
2. Verify that the computer systems within scope are suitably secure and meet the standards set by Cyber Essentials.
3. Complete and submit the questionnaire – your certification body will provide this and verify your answers.
www.certikit.com
Page 5 of 20