6 minute read

3 Cyber Essentials certification

The process of obtaining Cyber Essentials certification is relatively simple and generally costs between £300 and £600 plus VAT, depending on which certification body you choose (see below for some advice on this). Cyber Essentials shows you how to address the basics and prevent the most common attacks. So far about 80% of companies and organisations with Cyber Essentials certification have chosen the basic version. It is often larger organisations that choose Cyber Essentials Plus due to the additional cost, which can be several thousand pounds (although this varies – shop around for the most appropriate deal for you).

Cyber Essentials is also useful for those with an eye on the GDPR – the EU’s General Data Protection Regulation – which came into effect in May 2018. The GDPR is a far-reaching regulation, intended to protect the privacy of individuals and their personal data within the European Union. The regulation specifies that “controllers” must determine their own cyber security approaches based on the personal information they hold and process. While Cyber Essentials can help with this, it is not a complete solution for all GDPR obligations. But the Information Commissioner’s Office (ICO), whose job it is to uphold the post-Brexit GDPR equivalent in the UK, recommends Cyber Essentials as “a good starting point” for the cyber security of the IT systems and networks you rely on to hold and process personal data.

So, what does Cyber Essentials actually consist of? Well, there are five technical controls (a “control” is simply a way to address a risk) you will need to put in place, which are:

1. Office Firewalls and Internet Gateways: Secure your internet connection with boundary and host-based firewalls. 2. Secure Configuration: Device settings, passwords and two-factor authentication. 3. User and Administrative Accounts: Securing user and administrator accounts and limiting access to data and services. 4. Malware Protection: Viruses, whitelisting and sandboxing (described later). 5. Software Patching: Keep your devices and software up to date.

Cyber Essentials guidance from the UK National Cyber Security Centre and their partner IASME breaks these down into finer details. These controls have been chosen as the highest priority ones from other, more detailed, available guidance such as the ISO27001 standard for information security, the Standard of Good Practice (from the Information Security Forum) and the IASME Governance standard, although Cyber Essentials has a narrower focus, emphasising technical controls rather than more general governance and risk assessment. For those organisations considering ISO27001 certification (possibly in addition to Cyber Essentials), CertiKit has a separate toolkit here.

Cyber Essentials certification involves three simple steps:

1. Select a Certification Body or go directly to IASME themselves (see below). 2. Verify that your computer systems that are in scope are suitably secure and meet the standards set by Cyber Essentials. 3. Complete and submit the questionnaire – your certification body will provide this and verify your answers.

Your first step is to choose a certification body. These are accredited (accreditation is a kind of approval process) by the Cyber Essentials Partner, IASME. Previously, there were five accreditation bodies, but the scheme has recently been simplified to one.

IASME has a directory of certification bodies that it has accredited. It is up to you to choose one which feels right for your organisation. It is the certification body which will perform your evaluation and award your Cyber Essentials certificate, but what factors come into play when making your decision? In our experience asking the following questions will help you to choose:

• Do they audit for both Basic and Plus? Check the certification body has the capability to audit the scheme you are going for and if so, how many customers they have for that level. How long have they been auditing for Cyber Essentials and how many qualified people do they have? • How long will it take? What sort of availability do they have to process your application and how far in advance will you need to book to meet your own timescales for certification? • How much will it cost? Charges can vary, particularly if you’re going for the advanced version of Cyber Essentials, so it’s best to understand this from the start. • What is their reputation? Even amongst accredited certification bodies, there are more and less well-known names. Since a lot of the reason for going for certification is to gain credibility with your customers and perhaps regulators, consider which certification body would carry most weight with them. • How good is their administration? A lot of the frustration we see with certification bodies is not due to the quality of their auditors but their administration processes.

You need an auditing company that will arrange the audits professionally and issue your certificate promptly, providing additional materials to help you advertise your certification. When you contact them initially, do they return your call and sound knowledgeable? • Do they have experience of your industry? Some certification bodies specialise in particular industries and build up a strong knowledge of the issues relevant to their customers. This can be helpful during the audit as basic industry concepts and terms will be understood and time will be saved. Check whether they have audited similar organisations in your industry.

Making a good choice based on the above factors can’t guarantee that the certification process will run smoothly, but by having a good understanding of the accreditation regime and by asking the right questions early on you will have given yourself the best chance possible to have a long and happy certification relationship.

Cyber Essentials defines a set of requirements in the five control areas, and you will need to make sure your systems and software meet these before you move on to the next stage of certification (see the guidance in the rest of this guide). You may be required to supply various forms of evidence before your chosen certification body can award certification at the level you seek, so it’s best to have this available in case it’s asked for.

You will also need to define the scope of your intended certification. This determines what is certified and, in the case of Cyber Essentials Plus, what is tested. Generally, the scope will be defined by a physical location, such as your main office, but you can choose whether or not to include other aspects, such as remote offices too. Note that from January 2022, cloud services must also be included in your scope.

Figure 1: Boundary of scope - ©NCSC

Having understood the requirements which Cyber Essentials puts on the installation, configuration and maintenance of your IT, you are ready to complete the certification questionnaire and submit this to your certification body. The certification body may come back to you with some clarification questions and, once you have answered these, a decision will be reached about whether or not your answers meet the requirements for certification. Once the certification body says you’ve passed, you will be awarded your Cyber Essentials certificate and can use the logo on your website and marketing materials, if you want to. Your certificate remains valid for one year, after which you will need to recertify if you want to stay on the list of certified organisations on the NCSC website.

So, the process for Cyber Essentials certification is relatively straightforward. And the CertiKit Cyber Essentials Toolkit aims to make it even more so.

This article is from: