Approved and vetted Cyber Essentials
The Cyber Essentials scheme is a cybersecurity standard against which organisations can be assessed and certified. It identifies the security controls that an organisation must have in place within its IT systems in order to show that it is addressing cybersecurity effectively and mitigating the risk from Internet-based threats.
There are two types of certification: Cyber Essentials and Cyber Essentials Plus. The first is the basic standard focusing on:
- Boundary Firewalls and Internet Gateways
- Secure Configuration
- Access Control
- Malware Protection
- Patch Management
If you choose Cyber Essentials Plus, the key differentiator is a hands-on technical review of the organisation’s workstations. This additional phase of testing considerably strengthens the assurance the certification provides, because it produces evidence of compliance against the following scenarios:
- Can malicious files enter the organisation from the Internet through either web traffic or email messages?
- Should malicious content enter the organisation, how effective are the anti-virus and malware protection mechanisms?
- Should the organisation’s protection mechanisms fail, how likely is it that the organisation will be compromised because of failings in the patching of its workstations?
Cyber Essentials Plus is a more thorough assessment of the organisation and, as a result, provides greater security assurance. However, it comes at an additional cost, which will factor into the decision. Ultimately, the choice of which level to certify against will be influenced by the organisation’s cybersecurity posture and by the expectations of its business partners, suppliers, and stakeholders.
Once an organisation has been assessed against the Cyber Essentials security criteria and has passed, it receives the Cyber Essentials award (badge) for the level of certification achieved, which demonstrates that it has a fundamental level of cybersecurity in place.