What is Cyber Essentials?
Most organisations will, by now, have heard of Cyber Essentials. For the benefit of those who have not, let me answer this question.
Cyber Essentials is a government-backed certification path. The certification was established to evidence that businesses were securing their networks adequately.
Created by the National Cyber Security Centre (NCSC) and launched in 2014, Cyber Essentials is now a widely recognised certification.
Cyber Essentials was initially intended for organisations that provided services to government agencies. In more recent years it has been more widely used as a benchmark by the NHS and private sector alike.
Further details can be found on the link below:
Cyber Essentials comes in two levels: Cyber Essentials and Cyber Essentials PLUS.
Cyber Essentials is easily attained through a simple self-assessment questionnaire. Once completed, your certifying body partner will review the responses in line with the standard. As part of the review process your partner will provide feedback on whether you are likely to pass or fail. If the result is likely to be a fail, your partner will provide you with remediation advice. You will need to ensure that the remediation suggestions have been adequately fulfilled and the self-assessment questionnaire revised before resubmitting it to your Cyber Essentials certifying body.
Cyber Essentials PLUS encompasses the process above but adds a level of complexity. Additional onsite consultancy is required to attain the Cyber Essentials PLUS certification. The onsite elements include reviews of policies, procedures, device builds, patch management and security solutions. These reviews are there to make sure that best business practices are being adhered to.
A bonus feature of gaining either level of Cyber Essentials is cyber insurance. Cyber Essentials certified organisations are provided with up to £25,000 worth of cyber insurance from AXA through the scheme. For small businesses this is a very nice feature.
How Has Cyber Essentials Changed Recently?
In October 2019 the NCSC re-tendered for accrediting bodies. The scheme had become diluted with 8 accrediting bodies. The NCSC decided that, in order to govern the process, a more standardised approach was required. The NCSC therefore concluded that the IASME standard was to become the de facto standard. This change will come into effect as of April 2020.
The IASME standard also carries increased criteria that certifying bodies need to meet. In order to become an assessor the candidate needs to be certified to one of the following levels:
Certified Professional (CCP) SIRA, IA Auditor or IA Architect roles at Practitioner-equivalent level or above
ISO27001 Lead Auditor
Being certified to one of these levels ensures that the person certifying you has an in-depth knowledge of cyber security, of the policies and procedures you need to maintain, and of what emerging threats look like.
In addition to the change in the accrediting and certifying bodies, the NCSC has also decided to issue certificates with an expiration date. To date this has not been the case; certificates have been issued with a “recommended recertification” date instead. The introduction of an expiration date will ensure that organisations maintain the standard year on year and protect their networks from emerging threats.
What Can Cognisys Do To Help?
We are Cyber Essentials Plus certified and can advise clients on the best way to pass the certification
We have a team of experienced consultants that work closely with you to ensure a pass result
We adhere to the IASME standard
No up-front costs
If you’re considering Cyber Essentials for your organisation, please email firstname.lastname@example.org with your contact details and one of our experienced team will call you back to discuss your requirements.
Further details of our services can also be found on our website: www.cognisys.co.uk.