What is the Cyber Essentials (CE) scheme?
The UK government launched the Cyber Essentials scheme to help small and medium-sized organisations define and measure basic levels of security hygiene. The scheme defines a series of technical and procedural controls to mitigate the risks associated with cyber threats.
As a CREST-affiliated company, LRQA Nettitude is able to issue both Cyber Essentials and Cyber Essentials Plus certifications, with the option of a pre-assessment if required.
The Cyber Essentials scheme focuses specifically on five key controls – firewalls, secure configuration, access control, malware protection, and patch management. Meeting the criteria in each area demonstrates foundational security hygiene, and gaining certification shows customers and partners that your company has implemented these baseline technical controls to mitigate common cyber vulnerabilities and attacks.
Cyber Essentials Certification Benefits
Through certifying against the Cyber Essentials scheme, organisations are able to:
• Promote and demonstrate that they have undertaken essential precautions in minimising their cyber risk.
• Satisfy clients, suppliers, insurers and industry regulators, including the requirements placed on businesses tendering for government contracts.
• Gain assurance of the security posture of their IT systems and networks.
Cyber Essentials Assessment Areas
The primary security controls that are assessed during a Cyber Essentials or Cyber Essentials Plus assessment are:
• Internet Perimeter Security – establishing the exposure of Internet-facing systems, presence of appropriately secure firewall controls and security posture of those systems.
• Access and Authentication Controls – validation of appropriate authentication mechanisms to protect an organisation’s application or infrastructure from unauthorised access.
• Security Patch Management – verification that security patches have been applied across the operating system and applications.
• Malware and Endpoint Protection – a review of the presence and effectiveness of anti-virus and endpoint protection solutions.
• Secure Configuration – checks to ensure systems are configured securely and that common vulnerabilities arising from implementation weaknesses have been addressed.
Cyber Essentials vs Cyber Essentials Plus
Both schemes consist of the same core cyber security assurance activities; however, the Cyber Essentials Plus assessment includes additional checks and examines an organisation's cyber security posture in greater depth and breadth, providing an enhanced certification and greater peace of mind.
Cyber Essentials Plus also takes certification a step further by requiring a simulated attack assessment to validate that the controls are effective when tested. Many UK government suppliers mandate CE certification as part of procurement and contracting processes. We offer streamlined annual renewal assessments so that your certification remains valid over time as threats evolve.
| Activity | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| External vulnerability scan | ✔ | ✔ |
| Internal workstation and mobile device security audit | ✖ | ✔ |
- Self-assessment Questionnaire – The organisation is required to complete a self-assessment questionnaire covering the basic technical and procedural controls that need to be in place.
- External Vulnerability Scan – The vulnerability scans offer a deeper level of assurance by scanning the network perimeter of all internet connected locations for infrastructure and web application vulnerabilities, including dedicated hosting platforms.
- Internal Workstation and Mobile Device Security Audit – This stage assesses a sample of workstations for configuration and patching related vulnerabilities. A CREST qualified consultant will conduct a full build review against your standard workstation builds and mobile devices. Common malware samples are delivered via email (phishing) and web browsing (drive-by) routes to assess the effectiveness of perimeter protections against those threats. This element is typically delivered onsite.
What Happens after a Cyber Essentials Assessment?
Once a vulnerability scan and self-assessment questionnaire have been completed, the organisation will be validated against the first stage of the Cyber Essentials scheme. Whilst there is no official expiration, LRQA Nettitude recommends that this exercise is repeated at least annually. When an organisation successfully passes a Cyber Essentials Assessment, LRQA Nettitude will issue a Cyber Essentials Certificate. LRQA Nettitude is also able to offer pragmatic advice and guidance on how any identified gaps or security weaknesses can be addressed.
Cyber Essentials Pre-assessments
When LRQA Nettitude initially engages with an organisation, the team undertakes a gap analysis to measure the organisation's existing controls against what is required by Cyber Essentials. Having conducted this assessment, LRQA Nettitude then provides the organisation with a clear road map for bridging the gaps and reducing the risks associated with a cyber breach. As the organisation moves towards entry level certification, LRQA Nettitude can provide on-going guidance and assistance to ensure all elements of the assessment are catered for.