Cyber Essentials is a United Kingdom certification scheme designed to show that an organisation has a minimum level of protection in cyber security; certification is maintained through annual assessments.
The scheme is backed by the UK government and overseen by the National Cyber Security Centre (NCSC), and it encourages organisations to adopt good practices in information security.[1] Cyber Essentials also includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet.
The certification underwent substantial changes in January 2022, which included bringing all cloud services into scope and changes to the requirements on multi-factor authentication, passwords and PINs.[2]
The Cyber Essentials programme provides two levels: the first is self-certification, and the second requires independent validation of the claims made.[3][4]
At the basic level, commonly referred to as "mark your own homework",[5] organisations self-assess their systems and then complete an online assessment. The online assessment is marked by a Cyber Essentials Assessor, who provides feedback on any areas where improvements could be made.
There is no independent validation of the accuracy of the answers at this level.
The cost for Cyber Essentials starts from £300 and is subject to VAT in the UK. The pricing model is tiered based on the number of employees and more information can be found on the IASME website.
The Plus level is the same as the basic level but with independent validation by an accredited third party.
Systems are independently tested, and Cyber Essentials is integrated into the organisation's information risk management.
The cost for the Plus accreditation depends on the complexity of the environment, but for a simple SME it would typically be around £1,400 and is subject to VAT within the UK.[6]
IASME has incorporated Cyber Essentials into the wider IASME information assurance standard.[7]
As with ISO/IEC 27001, organisations may choose to limit the scope of certification to a certain subset of their business and this must be disclosed on their certificate.
The five technical controls are:
Cyber Essentials guidance breaks these down into finer details.
These controls can be mapped against the controls required by ISO/IEC 27001, the Standard of Good Practice for Information Security, and IASME Governance,[8] although Cyber Essentials has a narrower focus, emphasising technical controls rather than governance, risk, and policy.
The Cyber Essentials scheme was launched on 5 June 2014. Several organisations were quickly certified by the end of June.[9] Since October 2014, Cyber Essentials certification has been required for suppliers to the central UK government who handle certain kinds of sensitive and personal information.[10] This is intended to encourage adoption by businesses wishing to bid for government contracts.[11] Insurers have suggested that certified bodies may attract lower insurance premiums.[12] Over 30,000 Cyber Essentials certificates have been awarded to businesses and organisations.[13]
It was developed in collaboration with industry partners, including the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME), and the British Standards Institution (BSI), and it is endorsed by the UK Government.[14] It was launched in 2014 by the Department for Business, Innovation and Skills.[15]
After the WannaCry ransomware attack, NHS Digital refused to finance the estimated £1 billion cost of meeting the Cyber Essentials Plus standard, saying this would not constitute value for money and that it had invested over £60 million and planned to spend a further £150 million to address key cyber security weaknesses over the next two years.[16]
As of September 2019, there were five accreditation bodies: APMG, CREST, IASME, IRM Security and QG.[17]
IASME was chosen by the National Cyber Security Centre (NCSC) to be the sole Cyber Essentials scheme accreditation body, beginning in April 2020.
In January 2022 the pricing model will change to a tiered model based on the number of employees, to better reflect the more complex nature of assessing larger organisations.[18] Cloud services, BYOD, home working, thin clients and MFA will see big changes as part of the assessment.[19]