Finding the right solution for you, with help from our cyber security advisor
Ashley is an experienced cyber security advisor for IT Governance, who has carried out hundreds of Cyber Essentials Plus assessments. He also provides Cyber Essentials consultancy, helping customers become compliant.
Ashley is also a product evangelist for IT Governance, creating and sharing interesting content related to Cyber Essentials on social media.
We sat down to chat to him about the scheme, and which Cyber Essentials solutions are best for which organisation.
Let’s start with the basics: what is Cyber Essentials?
Cyber Essentials is a government-backed scheme intended to help UK organisations protect themselves from common, low-level cyber threats. It features five entry-level control themes that are inexpensive and easy for any organisation to implement:
- Firewalls
- Secure configuration
- Security update management
- User access control
- Malware protection
These are simple controls that any organisation can and should implement. Most threats originate from malware and phishing attacks. That’s why we [assessors] do email testing, and check that email attachments are being scanned properly.
These attacks aren’t difficult to execute, but are really common, and can be very damaging, so we test whether Outlook is properly blocking emails with malicious attachments, among other things.
Why should organisations consider certification?
Achieving Cyber Essentials certification allows organisations to prove that they’ve implemented basic, effective cyber security. That can be a very valuable tool for building trust with stakeholders, but it can also be a prerequisite for winning certain contracts, particularly government ones.
It’s not limited to governments, however – Cyber Essentials is becoming more popular across the UK, and more and more businesses are demanding Cyber Essentials or even Cyber Essentials Plus.
On top of that, certification can qualify you for reduced insurance premiums. In fact, receiving cyber insurance with a total liability limit of £25,000 is a part of the Cyber Essentials scheme itself. [Terms and conditions apply.]
That £25,000 is considerably higher than the cost of implementing the controls for most organisations, particularly smaller ones, so it’s a good argument to bring to the table to convince senior management, should the earlier reasons not be enough to win their support.
What else do organisations need to know about certification?
The obvious thing that springs to mind is that the scheme has two tiers of certification:
- Cyber Essentials
- Cyber Essentials Plus
They both have the same technical requirements but have a slightly different certification process.
Cyber Essentials involves completing an SAQ [self-assessment questionnaire] that is independently verified, whereas the ‘Plus’ tier also involves a technical audit, with vulnerability scans and tests of in-scope systems.
Note: Please be aware that all ‘Plus’ applicants must first have achieved Cyber Essentials certification. Also, the technical audit must be completed within three months of achieving Cyber Essentials certification.
Who should consider Cyber Essentials Plus certification, rather than just Cyber Essentials?
Generally speaking, organisations wanting to strengthen and test their overall security to ensure they are fortified against evolving cyber threats.
One of the more specific reasons organisations go for the ‘Plus’ tier is because they’re going after a government contract, especially MoD contracts [Ministry of Defence contracts, for which Cyber Essentials Plus certification is a prerequisite]. But other organisations may demand it too – again, it’s becoming more popular in the UK.
The ‘Plus’ tier gives extra assurance to customers [and other stakeholders] that the technical controls are correctly implemented. The basic tier doesn’t involve any testing [technical audits or scans], whereas the ‘Plus’ tier will involve getting an experienced assessor to verify that the controls really are working as they should. It’s just going that extra mile.
Do you see organisations using Cyber Essentials Plus as a stepping stone to more demanding frameworks, such as ISO 27001?
Yes, I do see that a lot. Many organisations start with Cyber Essentials and Cyber Essentials Plus, then progress to the bigger frameworks, like ISO 27001.
But Cyber Essentials is more technical than ISO 27001. A large part of an ISO 27001 ISMS is based around documentation – so policies, procedures, etc. – but Cyber Essentials is purely focused on basic, technical controls. Nothing is particularly complicated in there. The tests are basic, but they’re also very important, as they’re about mitigating the most common threats [malware and phishing attacks].
Another difference between the Cyber Essentials scheme and ISO 27001 is that Cyber Essentials is more black and white – you either pass or fail it. ISO 27001 has far more flexibility around how you can meet the requirements, as it takes more of a risk-based approach.
Would you say that the black-and-whiteness of Cyber Essentials is a good thing?
Not always, no. This can make it difficult to meet its requirements, particularly for large organisations – their processes tend to involve far more steps than in smaller organisations. For example, a large organisation may well first test applications for malware in a sandbox – almost no small organisation would do that. This makes some questions [on the SAQ] difficult for them to answer.
IT Governance offers many Cyber Essentials packages. What guidance can you offer for customers trying to work out which one is right for them?
We do offer a lot of packages – but that means we can cater to a wide range of different needs. I’ll try to simplify.
For a new customer with no Cyber Essentials experience, I’d recommend one of the Get A Lot Of Help packages – these will really guide you through the process. If you’ve never done Cyber Essentials before, there are things that can catch you out on the day of the assessment, if you’re not prepared. This package gives you a full day – up to seven hours – of consultancy time.
If you go through the assessment every year, the process tends to be quite smooth. You’ll be much more prepared, and the basic Certification or Get A Little Help packages should be more than enough for your needs. The main difference between those is that the Get A Little Help package offers two hours of consultancy support; the Certification package provides less support.
In terms of what more experienced clients use that time for – usually things like going through the changes in the Cyber Essentials requirements. The NCSC [National Cyber Security Centre] typically updates those annually, though most changes are usually minor.
Clients – especially the Get A Lot Of Help customers, given the time they have available and the flexibility of the package – can use that time for whatever they want. That might include, for example, going through their scope to make sure it meets the requirements. Or it can be technical questions – we’ve got very experienced assessors on our team, who can offer guidance on what technical changes to make based on the scan report [but don’t personally make the changes, as fixes should be tested by the customer before they’re applied, so it’s a good idea for customers to have a technical person available].
Besides experience, what other questions should organisations ask themselves to figure out which package is right for them?
Experience really is the biggest one – if you’ve done the assessment before, you’ll need far less help.
Another differentiator is whether you’re familiar with the changes – how much research have you done? How confident are you that you understand them, and the other technical requirements? This often links to size – small organisations likely need a lot more help, as they often lack technical experience.
Scope is another big factor. If you’ve got a large, complicated scope, with lots of devices, that extra consultancy time of the Get A Lot Of Help package will often prove useful. That’s because those customers are more likely to have complicated technical questions, which simply require more time to answer properly.
What can customers expect if they decide to purchase a package from IT Governance? What’s the process?
The first thing that happens is you’ll receive an email from our service delivery coordinator, which contains useful guidance documents and the contact details for the assessor you’ve been assigned.
You’ll then set up an initial call with your assessor, who’ll take you through all the steps for Cyber Essentials and/or Cyber Essentials Plus, so you know what to expect, as well as answer any questions you have at that point.
By the way, that same assessor will stay with you throughout the process – including if you start with Cyber Essentials, then move on to Cyber Essentials Plus.
After that first call, assessors simply make themselves available to help – there aren’t any further ‘set’ calls. That said, a later meeting likely involves going through your SAQ answers, where our assessor provides feedback. We’ll also help you set up access to our portal and your SAQ, as well as confirm and submit your application.
For anyone who has more questions about Cyber Essentials, how can they get in touch?
I recommend emailing us at cyberessentialssupport@itgovernance.co.uk, though you could also call us on +44 (0)333 800 7000.