CYBER ESSENTIALS

What is the Cyber Essentials (CE) Scheme?

The UK government launched the Cyber Essentials scheme to help small and medium sized organisations define and measure basic levels of security hygiene. The scheme defines a series of technical and procedural controls to mitigate the risks associated with cyber threats.
As a CREST affiliated company, Nettitude is able to issue both Cyber Essentials and Cyber Essentials Plus certification, with the option of a pre-assessment if required.

Cyber Essentials Certification Benefits

Through certifying against the Cyber Essentials scheme, organisations are able to:

• promote and demonstrate that they have undertaken essential precautions in minimising their cyber risk.
• satisfy client, suppliers, insurers and industry regulators including businesses tendering for government contracts.
• gain assurance of the security posture of their systems IT systems and networks.

For further information on the scheme and it’s benefits please see https://www.cyberessentials.ncsc.gov.uk/getting-certified/

Cyber Essentials Assessment Areas

The primary security controls that are assessed during a Cyber Essentials or Cyber Essentials plus are:

• Internet Perimeter Security – establishing the exposure of Internet facing systems, presence of appropriately secure firewall controls and security posture of those systems.
• Access and Authentication Controls – validation of appropriate authentication mechanism to protect an organisation’s application or infrastructure from unauthorised access.
• Security Patch Management – verification of the application of security patches across Operating system and application.
• Malware and Endpoint Protection – a review of the presence and effectiveness of anti-virus and endpoint protection solutions.
• Secure Configuration – checks to ensure systems are configured in the most secure way and common vulnerabilities through implementation weaknesses have been addressed.

Cyber Essentials vs Cyber Essentials Plus

Both schemes consist of the same core cyber security assurance activities however the Cyber Essentials Plus assessment includes additional checks and provides a greater depth and breadth of the cyber security posture of an organisation providing an enhanced certification and greater peace of mind.

 

  • Self-assessment Questionnaire – The organisation is required to complete a self-assessment questionnaire that covers some of the basic technical and procedural controls that are needed to be in place.
  • External Vulnerability Scan – The vulnerability scans offer a deeper level of assurance by scanning the network perimeter of all internet connected locations for infrastructure and web application vulnerabilities, including dedicated hosting platforms.
  • Internal Workstation and Mobile Device Security Audit – This stage assesses a sample of workstations for configuration and patching related vulnerabilities. A CREST qualified consultant will conduct a full build review against your standard workstation builds and mobile devices. Common malware will be delivered via emails and web browsing to assess perimeter protections using email (phishing) and web browsing (drive-by) threats to assess the effectiveness. This element is typically delivered onsite.

What Happens after a Cyber Essentials Assessment?

Once a vulnerability scan and self-assessment questionnaire have been completed, the organisation will be validated against the first stage of the Cyber Essentials scheme. Whilst there is no official expiration, Nettitude recommend this exercise is repeated at least annually.
When an organisational successfully passes a Cyber Essentials Assessment, Nettitude will issue a Cyber Essentials Certificate. Nettitude is also able to offer pragmatic advice and guidance on how any identified gaps or security weaknesses can be addressed.

Cyber Essentials Pre-assessments

When Nettitude initially engage with organisations, the team undertake a gap analysis to measure the organisations existing controls against what is required by Cyber Essentials. Having conducted this assessment, Nettitude then provide the organisation with a clear road map on how to bridge the gaps and reduce their risks associated with a cyber breach. As the organisation moves towards entry level certification, Nettitude can provide on-going guidance and assistance to ensure all elements of the assessment are being