Cyber Essentials Toolkit v3 Implementation Guide
2 Introduction

This concise guide takes you through the process of implementing the five Cyber Essentials controls using the CertiKit Cyber Essentials Toolkit.

Cyber Essentials is a UK government scheme designed to protect companies and organisations, whatever their size, against a range of the most common cyberattacks. Most of these attacks are basic and carried out by relatively unskilled people. They have been described as the digital equivalent of a thief trying a home’s front door to see if it is unlocked.

The Cyber Essentials certification scheme was launched in 2014 by the UK Department for Business, Innovation and Skills (now the Department for Business, Energy and Industrial Strategy) and from April 2020 is operated by the IASME Consortium as a partner to the National Cyber Security Centre (NCSC). The scheme is open to organisations in all countries, so it’s possible to become certified despite not being based in the UK.

Not everyone has the time or money needed to develop a comprehensive cyber security system, so Cyber Essentials has been designed to fit in with whatever level of commitment you are able to sustain. There are three main levels of engagement:

• The simplest is to familiarise yourself with cyber security terminology, gaining enough knowledge to begin securing your IT systems, without becoming certified.
• If you need more certainty in your cyber security (or you want to show others that you’re taking it seriously), you can apply for basic Cyber Essentials certification. The CertiKit toolkit aims to help you with that process and make it quicker and easier.
• For those who want to take cyber security a bit further, Cyber Essentials Plus certification is also available. The five controls are the same as for the basic level, but Plus also includes a more detailed vulnerability scan from inside your network (i.e. someone comes onsite), to check your devices are configured correctly.
The self-assessment option (i.e., without going for certification) still gives you protection against a wide variety of the most common cyberattacks, so we’d encourage you to do this as a minimum. This is important because vulnerability to simple attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others.

Certification gives you increased peace of mind that your defences will protect against the majority of common cyberattacks simply because these attacks are looking for “soft” targets which do not have the Cyber Essentials technical controls in place.

If you would like to bid for central government contracts which involve handling sensitive and personal information, or the provision of certain technical products and services, you may need to have Cyber Essentials certification, at either the basic or Plus level.

Of course, every organisation is different, and there are many valid ways to embed the basic disciplines of information security. The best way for you may well depend upon a number of factors, including:

• The size of your organisation.
• The culture your organisation has adopted.
• The industry you operate within.
• The resources you have at your disposal.
www.certikit.com