

Cyber Essentials Certification - Submission Process


The final stage of the Cyber Essentials process is to submit your questionnaire responses for assessment. Here we explore some of the things organisations get wrong at this stage that can lead to a failed Certification, and what to do about them.

This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also available as video and podcast.


 

Introduction

What happens once you have completed your responses to the online submission questions and want to submit them for Certification assessment? We explore how we have helped organisations complete their responses so that they are consistent with the controls that would be expected to be in place. Not all Small Organisations do this correctly: they often just want to do what they are told to do to achieve the Certification, rather than to become more secure.

Default sample awareness and knowledge infographic

What Organisations get Wrong about the Submission Process

Cyber Essentials compliance is not that complex, especially if the person (or ideally a small team) completing the questionnaire is methodical and has gathered all the correct information before filling it in. Many of the points below have been mentioned in earlier articles, but we have seen organisations skip them early on, realise only at the submission stage, and then panic; hence we include some of them here again. The following are some of the things we have seen organisations get wrong:

  • Not having a clear understanding of what the Certification will help the organisation achieve that cannot be achieved without it. It may be as simple as providing confidence to customers, or meeting a compliance requirement to supply services to government departments; knowing the end goal is vital.
  • Not agreeing, or not sticking to, a specific scope for the Certification. As an organisation progresses through the process it becomes apparent that the scope is either too wide or too narrow, and the team starts to amend the scope unofficially. This often ends with too much or too little information being collected. Examples include:
      • Not including the home sites of Directors who mainly work from home.
      • Not including or excluding specific office sites in line with the purpose of having the Certification.
  • Not knowing which hardware and software are used at the sites within scope.
  • Not having a complete asset list of hardware and software.
  • Not recording, for each device and application, whether updates are applied automatically, manually, or only from an administrator account.
  • Not having a complete list of which assets are at which office sites.
  • Not having a complete list of which operating system version is running on each device.
  • Not having a handle on the network connections and equipment, so that the network questions cannot be answered categorically and accurately.
  • Not having a named member of staff responsible for the security function.
  • Not having a board member responsible for overseeing the governance processes.
  • Not having basic joiner, mover and leaver processes for authorising staff access to devices and other assets such as data.
  • Not having basic policies to back up the answers; a policy document demonstrates that the organisation does things consistently because it has considered why that aspect of security matters.
  • Not having the most up-to-date question set, or working from an originally downloaded question set that is missing the newer requirements.

As can be seen, most of the things organisations get wrong here are the result of getting things wrong somewhere earlier in the process.
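Several of the failures above (no complete asset list, no OS version per device, no record of how updates are applied, no site per asset) can be caught before submission by running a simple completeness check over the inventory spreadsheet. The script below is an added example written for this article; it is not part of Cyber Essentials, the assessment portal, or any tool the hosts describe. The inventory rows, the field names and the end-of-support dates in ASSUMED_EOL are all constructed for illustration; real dates must be taken from the vendor lifecycle pages.

```python
"""Pre-submission inventory completeness check (added example, not official tooling)."""
import csv
import io
from datetime import date

# Constructed sample inventory: one row per in-scope device, as a small
# organisation might collect it from a spreadsheet before submission.
SAMPLE_INVENTORY = """hostname,site,device_type,os,os_version,update_mode,admin_required
LAPTOP-01,Head Office,laptop,Windows,11 23H2,automatic,no
LAPTOP-02,Director Home,laptop,Windows,10 22H2,manual,yes
SRV-01,Head Office,server,Ubuntu,22.04,automatic,no
PHONE-03,Head Office,mobile,iOS,17.4,automatic,no
LAPTOP-04,Branch,laptop,Windows,,automatic,
"""

# Fields every row must have before the submission questions can be answered.
REQUIRED = ("hostname", "site", "device_type", "os", "os_version", "update_mode")

# ASSUMPTION: illustrative end-of-support dates only. None means "still supported".
# Replace with the vendor's published lifecycle dates before relying on this.
ASSUMED_EOL = {
    ("Windows", "11 23H2"): date(2025, 11, 11),
    ("Windows", "10 22H2"): date(2025, 10, 14),
    ("Ubuntu", "22.04"): date(2027, 4, 1),
    ("iOS", "17.4"): None,
}

# Date the check is run against, fixed so the example is reproducible.
EXAMPLE_DATE = date(2025, 11, 1)


def check_inventory(csv_text, today):
    """Return (rows, findings); findings is a list of (hostname, message) pairs."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = []
    for row in rows:
        host = (row.get("hostname") or "").strip() or "<unnamed device>"

        # 1. Every required field must be present and non-blank.
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            findings.append((host, "missing fields: " + ", ".join(missing)))

        # 2. OS version must be known to the support table and still supported.
        key = ((row.get("os") or "").strip(), (row.get("os_version") or "").strip())
        if all(key):
            if key not in ASSUMED_EOL:
                findings.append((host, f"no support-lifecycle data for {key[0]} {key[1]}"))
            else:
                eol = ASSUMED_EOL[key]
                if eol is not None and eol <= today:
                    findings.append((host, f"{key[0]} {key[1]} unsupported since {eol.isoformat()}"))

        # 3. Manually updated devices need a documented process to show
        #    who applies updates and within what timescale.
        if (row.get("update_mode") or "").strip().lower() == "manual":
            findings.append((host, "updates are manual; document who applies them and when"))
    return rows, findings


def summarise_by_site(rows):
    """Count in-scope devices per site, which the scope questions ask for."""
    summary = {}
    for row in rows:
        site = (row.get("site") or "").strip() or "<no site>"
        summary[site] = summary.get(site, 0) + 1
    return summary


if __name__ == "__main__":
    rows, findings = check_inventory(SAMPLE_INVENTORY, EXAMPLE_DATE)
    for site, count in sorted(summarise_by_site(rows).items()):
        print(f"{site}: {count} device(s)")
    for host, message in findings:
        print(f"FIX {host}: {message}")
```

Run it against the real inventory export before filling in the questionnaire; every line printed with FIX is a gap that an assessor could also find, and fixing the row (or the device) first avoids the re-submission round trip described later in this article.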

Purpose of the Submission Process

The submission process gives organisations a quick and simple way to answer self-assessment questions that determine whether the organisation takes the appropriate actions to reduce its exposure to the common, opportunistic attacks that exploit obvious weaknesses (the scheme's stated aim is to address around 80% of these). If the appropriate processes are in place, the organisation has demonstrated the minimum necessary for compliance with the Certification's requirements and can be awarded the Certificate.

Obvious as it is, from a Small Organisation's perspective the purpose of the submission process is to provide the minimum appropriate information to demonstrate compliance and achieve the Certification. The focus is on not providing extra information; that is, not including additional or confidential detail that an attacker could use against the organisation, such as full configuration exports or internal addressing, where a reference to the relevant policy or procedure is what the question actually asks for. This does not mean avoiding the questions; it means answering only what is asked, and evidencing compliance by reference to policies and procedures rather than by pasting them in.

The best way to look at it is to view the process as the quickest way to provide the absolute minimum information that shows appropriate action is being taken to protect the organisation.

Impact of Getting the Process Wrong

The impacts of not getting the process right include the following:

  • Delay in applying for government or corporate contracts to supply services.
  • Impact on expected or planned revenue.
  • A requirement to allocate extra time or resources to respond to the items the organisation has failed to comply with.
  • A possible amendment or reduction of the scope to exclude those sites or scope items that would require too much effort or resource to bring into compliance on this occasion.

We have not known any organisation to give up on the Certification after failing on a major non-compliance. Each time, the organisation had to go back and either take corrective action or supply additional information. Either way, it meant extra calls or meetings to discuss and agree the action or response the organisation would take, and then a re-submission; all of which takes time and delays the benefits to be achieved.

Default sample Threat Map infographic

 



Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more. 


Actions and Activities

Now, on SaRB for SMOs:

  • Help us to help you by completing our short poll on this topic (only available when the article is published).
  • Let us know which FAQs you would like us to answer.

Later, in your organisation:

  • Complete a board-level policy review.
  • Update the policy.
  • Present it to the board for agreement.

Finally, if you know anyone who could benefit from the information you have viewed, please invite them to register for SaRB for SMOs and share our resources with them.

Follow-up Resources:

Virtually Informed Resources:

  • Glossary - at the top of this blog article (link to items).
  • Infographics (downloadable in the week of publication).
  • Download items - policy templates, etc. (downloadable in the week of publication).
  • FAQs (available soon).
  • Blog articles (link to items).
  • How To articles (links only available to Premium subscribers).
  • Other content (available soon).

External Resources:

  • Ponemon Institute Survey
  • Other Survey information

Images from https://www.pixabay.com.