In many previous episodes, we’ve mentioned Cyber Essentials Certification as a way of demonstrating a certain level of cyber security controls. But what is it and how does a Small Organisation get it? Can your Small Organisation really get it working on your own or do you need an expert? This is the first of our seven-part series on How to Certify in Cyber Essentials Basics, without paying an expert to do the work for you.

This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.

Introduction

This is the first in a series of seven episodes focused entirely on Cyber Essentials (CE) and of a Virtually Informed campaign to help SMOs get more secure. We would like to see as many SMOs as possible to take up the challenge and be more secure and be security conscious than ever before.

Before we look at some of the specific areas of controls that the Cyber Essentials Scheme concentrates on (which we’ll do in future episodes), in this episode we look at some of the high-level pointers and preliminaries that will help any organisation get started in the right way. But let’s start with understanding the background and provide some context as to why the Certification came about.

This episode is based on years of past experience of having previously helped other organisations like banks, insurance companies, start-ups and other SMOs as a Certifying Body, and achieving it for the organisations we have worked for.

Cyber Essentials Facts

There’s a lot of information out there on CE, let’s just clear up some of the basics here that we need to cover relevant to understanding the Scoping aspect we look at later.

• Cyber Essentials is a UK Government Certification Scheme, which originates from the Government’s commitment to both cyber security in its supply chain and working with smaller organisations. The requirement was for a scheme that would ensure that small organisations are protected from the most common attacks and where they would be able to implement a set of controls without too much effort and expense.
• The Scheme is owned by the National Cyber Security Centre (NCSC) which is the UK Government’s technical authority and is contracted out to the IASME as the Accreditation Body, which oversees the certification through a network of Certifying Bodies.
• The CE certification is an organisation certification rather than a product or technical certification, which is primarily aimed at small organisations; though it's good for any organisation regardless of size.
• There are two levels of certification:
  • Cyber Essentials Basic – which is the entry level, self-evaluation certification and intended for organisations to be able to complete the Certification on their own, without the need or use of an external consultant. But because many of the Certifying Bodies are actually consultancies, there is a tendency to assume that it is not possible to complete it without a consultant; which is completely wrong, and that is what we are attempting to help with today. Any organisation that wants to undertake the next level (Plus), must complete the CE Basic first.
    • The five areas of controls that self-evaluated here are:
      • Secure Internet Connections (Firewalls and routers);
      • Secure devices and software (Secure configuration);
      • Controlled access to data and services (Access control);
      • Protection from malware (Malware protection), and;
      • Keeping devices and software updated (Software updates).
    • We’ll explore each of these control areas in more detail in the next few episodes.
  • Cyber Essential Plus – this is achieved through a technical review and testing the areas of controls that are assumed in CE Basic by a Certifying Body. This will include a proportion of end verification of a certain number of end point devices, the internal network and the outward facing network. The CE Plus is beyond the scope of what we are going to cover today, especially since we cannot demonstrate how SMOs can undertake to complete the project without a Certifying Body.
• The UK Government has made CE Basic a minimum mandatory Certification for all outsourced suppliers – which means that if an organisation has ISO 27001, they don’t need to undertake CE Basic or Plus. However, since most Small Organisations don't have any of the ISO certifications (which are comparatively more expensive to obtain) it makes sense for them to complete this certification. 
• The cost of the CE Basic Certification is £300+ VAT, where a consultant is not employed. However, for small organisations, it is worth bearing in mind that within the price there is a small element of cyber insurance cover during the period that the organisation is certified. Both CE Basic and Plus last for one year from the date of Certification and renewal is required.

The sources to go for further information are: NCSC and IASME, as they are able to provide impartial information on the Scheme.

What’s most Confusing about Cyber Essentials Basic

There are a few areas which are worth clarifying where we have seen some confusion, sometime accidently and other times intentionally (by a few vendors).

• There are many types of certifications in cyber security, which include:
  • Organisational certifications – of which CE (both Basic and Plus) and ISO 27000 series are examples. The purpose of the organisational certifications are to be able to provide assurance that the organisation has implemented the required set of controls.
  • Technology certifications – examples of these include those for encryption and Wi-Fi. They provide vendors with the specification that must be met on the one hand and the assurance for customers that the requirements are being met.
  • Product certifications – examples of these include certifications for the security of IoT products (IASME and UL both have certifications for IoT products).
• Cyber Essentials is an organisational certification, not a product certification. There are some product vendor businesses who upon achieving the Certification had their marketing teams call the the Scheme "the highest level of product certification". This is wrong. Remember, this is first and foremost an organisational certification, and secondly, it enables an organisation to show that they have got the right processes at the very basic level to be secure (not the highest).
• CE Basic is a self-assessment Certification – it can be completed without the use of a paid consultant or a Certifying Body. Only the CE Plus requires the use of a Certifying Body.
• If the purpose is to be able to undertake work with the UK Government, most services will only require CE Basic, where CE Plus is required, it will be clearly stated. Where there is a requirement for any technology or product certifications, these will also be clearly stated.
• Other certifications that may be offered include the IASME Governance Certification, the UK Police Digitally Aware Certification. The value that either of these, and the many other certifications is outside what we cover here. There may be value in these depending on what the organisation is trying to achieve from gaining the Certification.
• Finally, the CE Certifications must be renewed yearly. For those organisations which require certifications, they want to know that what was done to achieve the certification wasn't just a one-off exercise, but that the work to maintain security has continued since then.

We hope that within these seven Blogs we can encourage as many Small Organisations as possible to complete the whole CE Basic Certification themselves, just as it was intended when it first came out.

Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more. 

Images from https://www.pixabay.com.