Cyber Essentials

What is it?

Cyber Essentials is a certification scheme that has been developed by the Government and industry to help protect organisations against common online attacks. Cyber Essentials is mandatory for central government contracts advertised after 1 October 2014, which involve handling personal information and providing certain ICT products and services. It defines a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes and through the Assurance Framework it offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.

There are two types of certification available, Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials is recommended for organisations looking for a base level Cyber Security test where IT is a business enabler rather than a core deliverable. It is mainly applicable where IT systems are primarily based on Common-Off-The-Shelf (COTS) products rather than large heavily customised, complex solutions.

Cyber Essentials is a certification awarded on the basis of a verified self-assessment. An organisation undertakes their own assessment of their implementation of the Cyber Essentials control themes via a questionnaire, which is approved by a senior executive such as the CEO.

This questionnaire is then verified by the Certifying Body (Risk Factory) to assess whether your organisation has effectively implemented the controls required by the scheme, in order to defend against the most common and unsophisticated forms of cyber-attack. In the event that your organisation fails the assessment, Risk Factory will provide a detailed list of remediation to address the identified vulnerabilities without charge.

Cyber Essentials concentrates on five key controls. These are:

• Boundary firewalls and internet gateways – these are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices either in hardware or software form is important for them to be fully effective.
• Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
• Access control – ensuring only those who should have access to systems to have access and at the appropriate level.
• Malware protection – ensuring that virus and malware protection is installed and is it up to date.
• Patch management – ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor been applied.

How often should I do this?

The assessment process is a ‘snap shot’ in time and it can only be sure to be effective on the day of assessment as new vulnerabilities are continuously being identified. Organisations must maintain the principles of the scheme on an on-going basis (for example, ensuring that patching always occurs in a timely fashion and that malware protection is kept up to date) and not just prepared for assessment. As a minimum, to retain the certification, organisations must re-certify annually.

What will Risk Factory do?

• Provide the Cyber Essentials Questionnaire (self-assessment) for completion.
• Review your responses for completion, applicability and effectiveness of controls.
• Assess whether an appropriate standard has been achieved and issue a pass or fail determination.

What will I receive?

Once Risk Factory have completed an assessment of your responses against the criteria and your organisation passes, we will then issue you a Cyber Essentials Certificate of Compliance good for one year from date of issue.

Is there anything I need to do in advance?

Not really, after placing the order with us, our Factory Foreman will give you access to the questionnaire for your completion. The form must be completed and resubmitted to Risk Factory within 30 days of receipt for validation.