As of 1st October 2014, all suppliers bidding for certain types of government information-handling contracts will be required to hold Cyber Essentials certification. The scheme has been set up to provide additional protection for information held by the UK Government and to encourage wider adoption of the certification throughout the public and private sectors.
The UK Government launched guidance in 2012 to encourage organisations to assess whether they were managing cyber risks effectively. With enhanced awareness of cyber security issues and associated risks, it has become increasingly important for organisations to implement robust cyber security measures, especially if undertaking work on behalf of government.
Following the issuance of that guidance, organisations were asked to provide evidence of the standards they used. The feedback suggested that none of the existing standards in use actually met the requirements of the UK Government. The UK Government consulted with industry from November 2013 to April 2014, and the Cyber Essentials Scheme is the result of this consultation.
The Cyber Essentials Scheme, which was officially launched on 5th June 2014, lays out a set of 5 controls that organisations can implement to achieve a "sound foundation" of compliance. These key controls are:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
The Scheme is designed to be affordable for organisations of all sizes with costs directly linked to the size of the organisation and the level of security that an organisation seeks to obtain. The Scheme offers two options: Cyber Essentials or Cyber Essentials Plus certification. These options give organisations a choice as to the level of assurance that they wish to achieve. There are, of course, cost implications linked to obtaining a Cyber Essentials Plus certification. However, the initial costs may be outweighed by the benefits of securing public sector work.
Certification will be carried out by individual Certification Bodies which will work competitively with each other and set market rates for certification. On completion of the certification process an organisation will be able to publicise the Cyber Essentials badge on its website and other documentation.
An important point to note is that certification only provides a snapshot of the organisation's cyber security compliance at a certain date, much as an MOT test certifies the condition of a car on a particular testing date. To maintain strong cyber security, an organisation should continue to implement additional measures and update its systems on a regular basis to reduce cyber security risks. Furthermore, an organisation is required to recertify annually.
The Cyber Essentials Scheme can be viewed here.