Cyber Essentials is a cyber security certification scheme operated by the National Cyber Security Centre (NCSC). The scheme was launched in 2014 with the backing of the UK government, in collaboration with industry partners. Its purpose is to establish a baseline set of IT security controls against which applicants for the certificate can be assessed.
What is the purpose of the Cyber Essentials certification?
The purpose of the Cyber Essentials certification is to demonstrate that the holder has shown competence and vigilance in online security. Suppliers that wish to do business with central government must attain the certification, with the intention that this requirement trickles down and encourages affiliated businesses to gain the accreditation as well.
What are the two levels of Cyber Essentials certification?
The Cyber Essentials certification is available in two tiers:
- Cyber Essentials - This is the basic level: a self-assessment of IT systems, followed by independent verification of that assessment by an officially recognised Accreditation Body.
- Cyber Essentials Plus - This is the upper tier of certification: IT systems are independently tested by an Accreditation Body. This independent testing of the security controls is the major difference between the Cyber Essentials certification and the Cyber Essentials Plus certification. As part of the Cyber Essentials Plus scheme, all Cyber Essentials considerations will also be advised upon and, where necessary, integrated into the applicant company's risk management procedures.
The Cyber Essentials assessment involves a complete scan of all in-scope IT systems. This vulnerability scan serves to highlight issues such as legacy or unsupported software, potential problems with personal and boundary firewall configuration, and any open ports that must be addressed.
What does the Cyber Essentials questionnaire involve?
The Cyber Essentials certification process is designed to ensure that the applicant is able to display an understanding of five key security controls. Companies wishing to progress through the accreditation process must ensure that the relevant staff members within the company undergo training and are able to display an adequate level of understanding in these five areas.
The assessment will test whether the company is able to display knowledge in the following five areas (this is not an exhaustive list):
Understanding Firewalls
- Knowledge of the purpose and use of firewalls
- Knowledge of the difference between personal and boundary firewalls
- Knowledge of how to switch on a firewall to protect the operating system
Understanding Secure Device Settings
- Knowledge of how to locate device settings
- Knowledge of how to switch off unneeded settings
- Knowledge of guidance on passwords (including two-factor authentication)
Understanding Data Access Permissions
- Knowledge of how to assign administrative privileges
- Knowledge of how to assign a minimal user on a device
- Knowledge of account permissions and understanding of 'least privilege'
Understanding Malware Protection
- Knowledge of how malware can infect a device
- Knowledge of how to install an antivirus application on a device
- Knowledge of 'sandboxes' and methods to protect against malware
Understanding Software Updates
- Knowledge of 'patching'
- Knowledge of how to set a device to 'Automatic Update'
- Knowledge of how to locate software that is not up to date
How long does the Cyber Essentials Certification Process take?
The basic Cyber Essentials certification involves a self-assessment of IT security controls that must be verified by an officially recognised Accreditation Body. The self-assessment questionnaire is supplied by the Accreditation Body and must be completed and submitted within six months for the certification process to go ahead.
If the self-assessment is successfully verified, the applicant can typically expect the Cyber Essentials certification to be issued within days of approval. The Cyber Essentials Plus certification involves an independent assessment of IT security controls. This means that time frames may vary depending on the availability of the accreditation body.
Holders of both the Cyber Essentials certification and the Cyber Essentials Plus certification are advised to renew each year.