Cyber crime continues to pose a real and growing threat to every business, large or small.
In direct response to this threat, the UK HM Government began working with IASME (the Information Assurance for Small and Medium Enterprises consortium) and the ISF (the Information Security Forum) in June 2014 to develop “Cyber Essentials”, a set of technical controls that organisations can use to mitigate the risks associated with common Internet-based threats.
Most risk management business leaders agree. According to Willy Stoessel, Director of The Swiss Re Group, a Zurich-based risk-management insurance group, “The Cyber Essentials Scheme will positively impact the wider UK economy by raising the bar for opportunist attackers.”
What Cyber Essentials will also do, invaluably, is help bring UK businesses in line with the cyber security compliance requirements of the upcoming GDPR, which will apply to the UK from 25th May 2018.
The full Cyber Essentials scheme enables organisations to gain one of two levels of certification. By offering two options, the scheme gives organisations a choice over the cost and level of their assurance.
Cyber Essentials (Level 1)
This level requires the organisation to complete a self-assessment questionnaire.
Once completed, the responses are independently reviewed by an external certifying body.
Cyber Essentials PLUS (Level 2)
In addition to the requirements of Level 1, this level also requires that the organisation’s systems are tested using a range of tools and techniques.
While larger businesses may have the resources to handle the majority of criminal activity over the Internet effectively, smaller businesses can be at a disadvantage because of their more limited resources. Level 1 allows smaller firms in particular to protect themselves adequately, while Level 2 adds independent testing of their systems.
Both Cyber Essentials documents are free for any organisation to download and put into place immediately. Once the organisation is certified, however, it can also display the Cyber Essentials badge, which notifies customers, clients, partners and other interested parties that there is independent assurance that the organisation has the proper protections in place and takes cyber security seriously. This not only boosts the organisation’s reputation but also provides a competitive selling point, because the protections have been independently verified rather than merely claimed.
Cyber Essentials Plus offers a higher level of assurance by using an independent testing regime.
Organisations must re-certify once each year, or more frequently when required to meet specific customer or procurement requirements.