Cyber Essentials Requirements
Cyber Essentials is a government-backed, industry-supported scheme that helps organisations of all sizes protect themselves against common online threats. It is a simple but effective way to demonstrate your commitment to cyber security and gain a competitive edge in the digital marketplace. Cyber Essentials certification can also help you comply with data protection regulations and meet the requirements for certain government contracts.
But what are the Cyber Essentials requirements and how do they change? In this blog post, we will explain everything you need to know about the scheme and how it can benefit your organisation.
What is Cyber Essentials?
Cyber Essentials is a set of basic technical controls that organisations should have in place to protect themselves against common online security threats. These threats include phishing, malware, ransomware, hacking, and denial-of-service attacks. These attacks are often carried out by relatively unskilled individuals who exploit basic vulnerabilities in your IT systems. They can cause significant damage to your reputation, productivity, and profitability.
Cyber Essentials helps you to address these vulnerabilities and prevent the most common attacks. By following the scheme’s guidance, you can improve your cyber security posture and reduce your risk of becoming a victim of cyber crime.
There are two levels of certification:
- Cyber Essentials: This is the self-assessment option that gives you protection against a wide variety of the most common cyber attacks. You need to complete a questionnaire and submit it to a certification body for verification. The questionnaire covers five technical control themes: firewalls, secure configuration, security update management, user access control, and malware protection.
- Cyber Essentials Plus: This is the more rigorous option that requires a hands-on technical verification by a certification body. The verification involves testing your IT systems and devices to ensure that they meet the Cyber Essentials standards. The verification covers the same five technical control themes as Cyber Essentials, but with more depth and detail.
Why should you get Cyber Essentials?
There are many benefits of getting Cyber Essentials certification for your organisation, such as:
- Reassuring your customers and suppliers: By displaying the Cyber Essentials badge on your website and marketing materials, you can show that you take cyber security seriously and that you have taken steps to protect your data and systems. This can help you build trust and confidence with your existing and potential customers and suppliers, especially if they are concerned about cyber security or have experienced a cyber attack themselves.
- Attracting new business opportunities: By having Cyber Essentials certification, you can differentiate yourself from your competitors and gain a competitive advantage in the digital marketplace. You can also access new business opportunities that require Cyber Essentials certification, such as certain government contracts that involve handling sensitive or personal information.
- Improving your cyber security awareness and practices: By following the Cyber Essentials guidance, you can improve your cyber security awareness and practices across your organisation. You can also identify any gaps or weaknesses in your IT systems and devices and take action to address them. This can help you prevent or minimise the impact of cyber attacks and reduce the costs of recovery and remediation.
- Complying with data protection regulations: By having Cyber Essentials certification, you can demonstrate that you have taken steps to comply with data protection regulations, such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. These regulations require organisations to implement appropriate technical and organisational measures to protect personal data from unauthorised or unlawful processing, accidental loss, destruction, or damage. Cyber Essentials can help you meet these requirements and avoid potential fines or sanctions.
What are the 2023 changes to Cyber Essentials?
On 23rd January 2023, the National Cyber Security Centre (NCSC) published an updated set of requirements for the Cyber Essentials scheme1. These changes, called the ‘Montpellier question set’, come into force on 24th April 2023 and will replace last year’s Evendine question set.
The changes are part of a regular review of the scheme’s technical controls, ensuring that it continues to help UK organisations guard against the most common cyber threats. The changes aim to make the scheme more accessible, flexible, and relevant for different types of organisations and IT environments.
Some of the main changes include:
- The definition of ‘software’ is updated to clarify where firmware is in scope
- A statement on why asset management is important in Cyber Essentials
- A link to the NCSC’s BYOD guidance is added for information
- Clarification on including third party devices
- The ‘Device unlocking’ section is updated to reflect that some configuration can’t be altered because of vendor restrictions
- The ‘Malware protection’ section is updated
- New information about how using a zero trust architecture affects Cyber Essentials
You can find more details about the changes in this document from the NCSC.
How can Forensic Control help you get Cyber Essentials?
At Forensic Control, we are passionate about demystifying and democratising cyber security for businesses of all sizes. We strive to make cyber security approachable, understandable, and effective, breaking down the barriers of complexity and uncertainty that often surround this crucial aspect of modern business.
We are committed to empowering our clients with the knowledge and tools they need to protect their digital assets and the integrity of their operations.
One of our main business areas is certifying organisations to Cyber Essentials and Cyber Essentials Plus. We have extensive experience and expertise in helping organisations of all sectors and sizes achieve certification. Our team will guide you through the whole process, from scoping and preparation to assessment and verification.
Once you are certified we can also help you maintain your Cyber Essentials certification and keep up with the latest changes and updates. We can provide you with ongoing cyber security monitoring, management, and improvement services that will help you stay ahead of the evolving cyber threats and regulations.
If you are interested in getting Cyber Essentials certification or want to learn more about how we can help you with your cyber security needs, please contact us today. We would love to hear from you and discuss how we can work together to make your organisation more secure and resilient in the digital age.