Achieving HM Cyber Essentials through Self-Assessment – Part 1

Part 1 – The Cyber Essential Levels

Cyber crime continues to pose a valid and growing threat for every business, large or small.

In direct response to this threat, the UK HM Government began working with IASME (the Information Assurance for Small and Medium Enterprises consortium) and the ISF (the Information Security Forum) in June 2014 to develop “Cyber Essentials“, technical controls to be used by organisations to mitigate the risks associated with common Internet-based threats.

Most risk management business leaders agree. According to Willy Stoessel, Director of The Swiss Re Group, a Zurich-based risk-management insurance group, “The Cyber Essentials Scheme will positively impact the wider UK economy by raising the bar for opportunist attackers.”

What Cyber Essentials will also invaluably do is help bring UK businesses inline with the cyber security compliance requirements to meet the upcoming GDPR which will apply to the UK from 25th May 2018.

The Two Levels

The full Cyber Essentials scheme enables organisations to gain one of two levels of certification. By creating two options, organisations have a choice over the cost and level of their assurance.

Cyber Essentials (Level 1)

This level requires the organisation to complete a self-assessment questionnaire.

Once completed, the responses are then to be independently reviewed by an external certifying body.

Cyber Essentials PLUS (Level 2)

In addition to the requirements of Level 1, this level also requires that the organisation’s systems are tested using a range of tools and techniques.

While larger businesses may have the resources to effectively handle the majority of criminal activities over the Internet, smaller businesses can be at a disadvantage because of their more limited resources. Level 1 allows smaller firms in particular to protect themselves adequately while Level 2 adds additional testing procedures.

Both Cyber Essentials documents are provided free for downloading by any organisation and can immediately put them into place. However, once the organisation is certified, the Cyber Essentials badge can be displayed by the business effectively notifying customers, clients, partners, and other interested parties providing independent assurance that the organisation have the proper protections in place and take cyber security seriously. This not only boosts the organisation’s reputation but also provides a competitive selling point by showing that there have been independent assurance that the organisation has the protections in place correctly.

Stage Definitions

Stage 1 – Cyber Essentials (self-assessment)

• This stage of certification provides a basic level of confidence allowing an organisation to have the basic skills necessary to respond appropriately to basic levels of attack.

• At this stage, the scope must be declared in order to continue based on the required network boundaries, locations and management control.

• The organisation then must identify the enterprise IT systems that it believes would be at risk from Internet-based threats or persons with low levels of technical capability.

• The organisation must then declare its compliance with the Cyber Essentials requirements.

• Once the declaration is signed by the organisation’s CEO or equivalent to endorse its accuracy, it is then sent to a Certification Body for verification and awarding of the certificate.

Stage 2 – Cyber Essentials (independently tested)

• This stage contains all the parts of Cyber Essentials plus additional features.

• At this stage, the implemented controls are tested against low-level Internet-based risks.

• This stage tests both inside and outside vulnerabilities of the system.

• Individual controls can be tested to make sure they have been implemented correctly or various attack scenarios can be created to determine if they compromise the system’s capabilities.

Cyber Essentials Plus offers a somewhat higher level of assurance by utilising an independent testing regime.

Organisations must re-certify once each year, or more frequently when required to meet specific customer or procurement requirements.

[c2a]