Cyber Essentials Is Evolving – How Do The Changes Impact You?
In a step to standardise Cyber Essentials certification, the IASME Consortium became the sole Cyber Essentials Partner (the role formerly called accreditation body) of the National Cyber Security Centre from 1 April 2020, and the other four accreditation bodies are no longer active in the scheme.
The National Cyber Security Centre (NCSC) is the authority that designates accreditation bodies for Cyber Essentials on behalf of HMG. If you hold a Cyber Essentials certification (or Cyber Essentials PLUS), or are considering applying for one, we explain the changes you should know about.
What is the Cyber Essentials Scheme?
Cyber Essentials is a UK Government scheme that sets out five basic security measures to protect organisations from about 80 per cent of common cyber attacks.
The certification phase of the scheme is designed to help companies of any size demonstrate their commitment to cyber security – all while keeping the process simple and low cost.
Why is Cyber Essentials Changing?
There was ambiguity between organisations [working towards CE] and the certification bodies, with five Cyber Essentials accreditation bodies in the mix: CREST, APMG International, IRM, QG Management Standards and the IASME consortium.
The prevailing opinion was that the accreditation bodies were not operating to an appropriate, consistent level. For example, if you worked with a CREST-affiliated certification body, you would have had a different experience than if you worked with an IRM affiliate.
How does that affect applications / renewals for certification?
A switch to a single Cyber Essentials Partner naturally brings improvements to the scheme. The key April 2020 changes are highlighted below:
The biggest and most noticeable improvement to the scheme is the move to IASME as the single partner in place of five separate accreditation bodies. This ensures a more consistent approach across certification bodies when assessing Cyber Essentials.
For the most part, the assessments themselves remain identical to those carried out pre-April 2020. The most significant change is to the core Cyber Essentials assessment. From April, this consists only of a self-assessment questionnaire, meaning an external vulnerability scan is no longer part of Cyber Essentials. The self-assessment also allows more ‘free text’ answers than previous accreditation bodies may have used, promoting greater contact between the assessor and the company being assessed so that all assessment standards are properly met.
There are also small improvements to the Cyber Essentials Plus programme, with more in-depth scans being carried out as part of the assessment to ensure adequate coverage of the internet-facing network.
A company must first pass the Cyber Essentials assessment before it can take the Cyber Essentials Plus assessment, and that Cyber Essentials assessment must have been completed within the last three months. Organisations can be tested for Cyber Essentials and Cyber Essentials Plus at the same time, provided they pass the Cyber Essentials assessment.
If a Cyber Essentials assessment fails, a company has two days to fix problems that are eligible for a retest. Otherwise it will need to wait a month to be reassessed for Cyber Essentials.
If a Cyber Essentials Plus assessment fails, a company has 30 days to fix the problems. If the issues are not remedied within this time, the Cyber Essentials Plus assessment fails and the Cyber Essentials certificate is also revoked.
If a Cyber Essentials or Cyber Essentials Plus certification is successfully obtained, the certificate remains valid for only one year from the date it was passed. This encourages ongoing maintenance of the controls, rather than only passing the initial assessment.
How does Teceze help?
As a certification body, Teceze is able to certify organisations for both Cyber Essentials and Cyber Essentials Plus. Our experts have the requisite expertise to conduct these assessments. Drawing on its consulting and monitoring experience, Teceze can also advise on how to improve the baseline controls. This gives organisations more insight into their security posture and enables recommendations for change to be made.
If you would like our support in becoming certified (or recertified) under Cyber Essentials, enter your details in the form on our inquiry page and we will be in touch.
The only way to protect what you’ve worked hard to build is to be vigilant when it comes to cybersecurity. If you’d like to know more about how your business can benefit from managed services, just give us a call; we are here to help.
Cyber Essentials Plus carries the same Cyber Essentials trademark, but for Cyber Essentials Plus a hands-on technical verification is also carried out.