11th April 2016 News

The Cyber Essentials Scheme

With security threats and cyber-attacks against businesses on the rise, time is of the essence when improving your digital defences.  A good starting point is to follow the UK Government’s recently launched Cyber Essentials scheme.

Cyber Essentials

Cyber Essentials is a road map and kite mark for businesses wishing to improve their cyber security.  Developed by Government and industry, the scheme aims to fulfil two key roles:

  1. Firstly, to provide a clear statement of the basic controls that all organisations should implement to mitigate the risk from common internet-based threats, within the context of the ‘10 Steps to Cyber Security’.
  2. Secondly, through the ‘Assurance Framework’, to offer a mechanism for organisations to demonstrate that they have taken the essential precautions.

Cyber Essentials sets out basic cyber hygiene measures which all types of organisation can implement.  Implementing these measures will significantly reduce your organisation’s vulnerability.

However, it does not provide a silver bullet to remove all cyber security risk.  Organisations facing these threats need to implement additional measures as part of their security strategy.

What does Cyber Essentials do?

Cyber Essentials defines a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes.

Assurance Framework

The Assurance Framework provides a staged approach towards embedding established and sustainable information risk management, covering common Internet-based threats as well as the broader risks an organisation may face.

Each stage adds confidence, and it is for organisations to decide which they choose based on their assessment of risk, their customers’ expectations and cost considerations.  The framework supplements other information security certification arrangements and covers the basic controls needed to defeat most threats from the Internet.  It consists of two stages, leading to two levels of accreditation or ‘badges’: Cyber Essentials and Cyber Essentials PLUS.

Cyber Essentials Accreditation

Acquiring accreditation involves undertaking the following two stages, with completion of stage 1 being a pre-requisite for stage 2.

Stage 1 – Cyber Essentials.  You state your organisation’s compliance with the Cyber Essentials requirements by responding to an online questionnaire covering the requirements for basic technical protection from cyber-attacks.

Completed questionnaires are sent for review to a recognised body, which then undertakes an external vulnerability assessment, testing that the individual controls on your internet-facing network perimeter have been implemented correctly and that there are no obvious vulnerabilities.

Stage 2 – Cyber Essentials PLUS.  This encompasses the same controls as Cyber Essentials, but uses an independent testing regime, offering a higher level of assurance.

Scheme requirements

Cyber Essentials focuses on five key controls or requirements of your IT system, as follows:

  1. Boundary firewalls and internet gateways – correct setup of these devices, whether in hardware or software form, is essential for them to be fully effective.
  2. Secure configuration – systems are configured to meet the needs of the organisation.
  3. Access control – only those who should have access to systems or information have access, through use of appropriate access measures.
  4. Malware protection – must be installed and kept up to date.
  5. Patch management – the necessary patches have been applied.

Business benefits

Gaining accreditation delivers many key benefits to your business.  These include:

  • Protection against the most common cyber-attacks, giving you peace of mind.
  • Clear identification of areas for further improvement, even if you meet either of the two levels of accreditation.
  • Visible evidence that your business has taken a rigorous approach to protecting itself.
  • The ability to respond to public sector tenders.


Making it happen

Cyber Essentials was put in place to protect companies against cyber-attacks involving relatively low levels of technical capability.  However, if you are serious about preventing attacks on your business, it is likely you will need to do more.

Companies should enlist the expertise of their Managed Service Provider, who will be able to assess your needs and advise what to do to achieve accreditation.