Cyber Essentials Scheme

Cyber Essentials can help to prevent 80% of cyber attacks

According to the UK Government, around 80% of cyber-attacks could be prevented if businesses put simple cyber security controls in place. However, not all organisations are getting these basics right. Only 58% have assessed themselves against the governments "10 Steps" cyber security guidance and only 30% of boards receive regular cyber security intelligence*.

The Cyber Essentials scheme is a key deliverable of the UK’s National Cyber Security Programme. Realising that the controls in the 10 Steps to Cyber Security were not being implemented effectively, and that no existing, individual standard met its specific requirement, the government developed the Cyber Essentials scheme. This scheme focuses on 5 key areas:

• Secure Configuration
  Implementing security measures when building and installing computers and network devices to reduce unnecessary vulnerabilities
• Boundary Firewalls and Internet Gateways
  Providing a basic level of protection where an organisation connects to the Internet.
• Access Control and Administrative Privilege Management
  Protecting user accounts and helping prevent misuse of privileged accounts.
• Patch Management
  Keeping the software used on computers and network devices up to date and resisting low-level cyber attacks
• Malware Protection
  Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware), including options for malware removal, which will protect your computer, your privacy and your important documents from attack.

*Department for Business and Innovation Skills Cyber Governance Health Check Jan 2015.

Cyber Essentials and Cyber Essentials Plus

The Cyber Essentials scheme requires the completion of a self-assessment questionnaire which BSI will grade, and then to undergo and pass a remote vulnerability scan. You will receive a full report detailing the findings of the grading and vulnerability scan, which you can use to make improvements and close gaps in your cyber security. If the two are successful, you will be awarded a Cyber Essentials certificate.

Organizations need to achieve Cyber Essentials before progressing on to Cyber Essentials PLUS. For the Cyber Essentials PLUS assessment, an expert assessor will visit your premises to complete an onsite audit of your technology and work stations.

Government contracts

Crown Commercial Services

The Cyber Essentials scheme is mandatory for organisations handling personal information and providing certain ICT products and services to central government contracts. It is listed as a requirement to gain entry to many central government frameworks and has been mandated by the Crown Commercial Service since 2014.

MOD contracts and DEF STAN 05-138

Depending on the Risk level of a contract, the MOD can mandate certification to the Cyber Essentials scheme for the supplier.

MOD contracts are assigned one of five risk levels, which is determined on a per contract basis. These risk levels are: Not applicable, Very Low, Low, Moderate and High.

Only contracts with no MOD Identifiable Information can be classed as "Not applicable". Contracts that involve handling "Secret" or "Top Secret" information are expected to be classed as Moderate or High.

Not applicable – No certification requirements, but Cyber Essentials recommended as good practice

Very Low – Maintain Cyber Essentials certification

Low –Maintain Cyber Essentials Plus and 16 additional controls

Moderate – Cyber Essentials Plus, with thesame requirements as Low, but with 16 additional controls

High – Cyber Essentials Plus, with the same requirements as Moderate and Low, but with 12 additional controls

Full details of all of the controls can be found in DEF Stan 05-138 here.