Cyber Essentials Scheme

A primary objective of the UK Government's National Cyber Security Strategy is to make the UK a safer place to conduct business online. From the 1st October 2014, all suppliers must be compliant with the new Cyber Essentials controls if bidding for government contracts which involve the handling of sensitive or personal information.

BSI is a CREST-accredited certifying body for the Cyber Essentials scheme. CREST worked closely with CESG to develop the technical Cyber Essentials assessment framework for the Cyber Essentials scheme.



What is the Cyber Essentials Scheme?

The Cyber Essentials scheme is a key deliverable of the UK’s National Cyber Security Programme. Realising that the controls in its 2012 guide, 10 Steps to Cyber Security, were not being implemented effectively, and that no existing individual standard met its specific requirement, the government developed the Cyber Essentials scheme. This scheme focuses on 5 key areas:

  • Secure Configuration
    Implementing security measures when building and installing computers and network devices to reduce unnecessary vulnerabilities.
  • Boundary Firewalls and Internet Gateways
    Providing a basic level of protection where an organisation connects to the Internet.
  • Access Control and Administrative Privilege Management
    Protecting user accounts and helping prevent misuse of privileged accounts.
  • Patch Management
    Keeping the software used on computers and network devices up to date and resisting low-level cyber attacks.
  • Malware Protection
    Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware), including options for malware removal, which will protect your computer, your privacy and your important documents from attack.


Cyber Essentials can help to prevent 80% of cyber attacks

According to the UK Government, around 80% of cyber attacks could be prevented if businesses put simple cyber security controls in place. However, not all organisations are getting these basics right. Only 58% have assessed themselves against the government's “10 Steps” cyber security guidance and only 30% of boards receive regular cyber security intelligence*.

*Department for Business and Innovation Skills Cyber Governance Health Check Jan 2015.


What are the benefits of the Cyber Essentials Scheme?

Before investing in defences, many organisations want concrete evidence that they are, or will be, targeted by specific threats. Unfortunately, in cyberspace it is often difficult to provide an accurate assessment of the threats that specific organisations face.

However, every organisation is a potential victim. All organisations have something of value that is worth something to others. If you openly demonstrate weaknesses in your approach to cyber security by failing to do the basics, you will experience some form of cyber attack.

As part of your risk management processes, you should be assessing whether you are likely to be the victim of a targeted or un-targeted attack; every organisation connected to the Internet should assume they will be a victim of the latter. Either way, you should implement basic security controls consistently across your organisation, and where you may be specifically targeted, ensure you have a more in-depth, holistic approach to cyber security**. Cyber Essentials can help you to:

  • Identify risks and put controls in place to manage or reduce them
  • Adapt controls flexibly to all or selected areas of your business
  • Gain stakeholder and customer trust that your data is protected
  • Demonstrate compliance and gain status as preferred supplier
  • Meet more tender expectations by demonstrating compliance

**Source: CESG 2015. Common Cyber Attacks: Reducing The Impact