Changes to Cyber Essentials

Posted on by

April 2020 has seen some major changes to Cyber Essentials. As a certification body of the scheme we want to keep you informed with information on what’s different.

What is the Cyber Essentials scheme?

Cyber Essentials from the NCSC (the National Cyber Security Centre, an organisation providing cyber security advice and support for public & private sector) is a government-backed and industry-supported scheme that is designed to help organisations protect themselves against common online threats. It provides a basic cyber security standard that, when implemented, gives protection against most low-level, basic cyber threats.

There are 5 ‘technical’ areas that are focused on in the assessment:

  • firewalls
  • secure configuration
  • access controls
  • malware
  • patch management

The scheme is considered by the Government as the minimum protection that a business should have in place and is strongly recommended.

Why do we need the scheme?

Cyber crime is not going away, it is continually on the increase with cyber criminals finding new ways to attack and breach organisations’ networks every day. And it’s not just the large, corporate businesses that are attacked. SMEs (Small and Medium sized Enterprises) are as much at risk, often with bigger consequences to the business itself. Hiscox data has found the average cost of a cyber attack to an SME is a staggering £25,736, this cost can be the difference between being able to continue trade or not for small businesses.

To have a Cyber Essentials certificate demonstrates to customers, partners and business peers that cyber security is taken seriously and has been addressed. Proof of what cyber security measures an organisation has in place is becoming ever-more important, and with the continual increase in cyber crime, will become a fundamental requirement rather than a nice-to-have. The Government and MOD (Ministry of Defence) have already made Cyber Essentials certification a mandatory requirement for any businesses wanting to bid on their contracts.

Why has Cyber Essentials changed?

The NCSC is continually striving to make the UK a safer place to live and work online, and by standardising the Cyber Essentials process, is one step closer in achieving this. Having one accreditation body creates a more dependable, reliable foundation for businesses to work from and ensures the basics of cyber security can be clearly understood.

Since its launch in 2014 over 30,000 UK businesses have gained Cyber Essentials certification and this figure is continuing to grow. From this the NCSC recognised the need to review the scheme to ensure it was still fit for purpose.

The finding has been that, with the 5 accreditation bodies and multiple certification bodies, certification processes were being delivered in many differing ways. The process has been considered too complicated and businesses are looking for more assistance in implementing the tasks required to achieve certification. With confusion over the range of assessments’ content – and therefore validity of certificates – the scheme needed reviewing. Technology use has also moved on since the inception of the Cyber Essentials scheme such as Cloud and shared office services.

What has changed about Cyber Essentials?

Where there was previously 5 accreditation bodies each with their own certification bodies, the scheme is now managed by just 1. With a solid foundation in mind, the NCSC put together a demanding tender process to determine which accreditation body would be awarded the partnership – of which, the IASME (Information Assurance for Small and Medium Enterprises) Consortium was ultimately chosen. 

As the sole partner, this allows the Cyber Essentials accreditation process to be streamlined and simplified, and therefore creates a consistent standard of expertise for accreditors and certifiers who are implementing the scheme.

Through IASME, all certification processes have been standardised and now have to be completed using the IASME self-assessment questionnaire.

How does it affect businesses?

Although a certification process, the NCSC’s key objective for Cyber Essentials is to educate and organisations and businesses on the basics of good cyber security and help them maintain this.

Technical standards remain the same for the moment, but there have been a number of updates to support the objective and for businesses to get the best value from the scheme including:

  • Certification scope – making it easier and more intuitive to understand what a certificate covers
  • Measurement – introducing ways to measure the impact of Cyber Essentials implementation
  • Additional levels – establishing whether there is any requirement for additional levels, whether below and / or above the current options of Cyber Essentials and Cyber Essentials Plus
  • Advisory services – to assist businesses in improving and maintaining their basic IT security

Therefore businesses will find the scheme offers the increased support they’d highlighted as key to implementing the cyber security measures.

As a UK Government backed scheme, Cyber Essentials is a well-recognised certification that is continually growing in reputation, and becoming a necessary certification for businesses to have as cyber crime constantly increases. Organisations that fail to implement basic cyber security measures will soon gain a reputation for poor security which will increasingly lead to a failure to maintain custom and win new business.

“By 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships.”  – Gartner

That means potential partners, businesses and your prospective clients may well be checking on security credentials before they even consider working with a company.

What is Cyber Essentials Plus?

Cyber Essentials Plus logo

Cyber Essentials Plus in the next step on from the basic Cyber Essentials certification. It has the same simplicity of approach and the protections a business needs to put in place are the same, but for Cyber Essentials Plus certification a hands-on technical verification is carried out by the certification body, which offers a higher level of assurance.

Here to help

As a certification body, Logically Secure can support you through every step of the Cyber Essentials self-assessment process and check the assessment for certification.

We also provide certification for Cyber Essentials Plus, physically testing the 5 technical areas.

For more information and to enquire about certification contact us here.

To find out more on the changes visit the NCSC updated Cyber Essentials FAQ page where you can access the full summary.