What is The IASME Cyber Essentials Scheme?
Cyber Essentials is a government-backed qualification that has been continuously developed to ensure better cyber security and technical resilience for UK businesses of all sizes. Just as the NCSC Cyber Assessment Framework (CAF) is specific to Operators of Essential Services, Cyber Essentials is for all businesses and organisations, from sole traders to large corporations and public bodies.
The History of Cyber Essentials and IASME
IASME were originally responsible for developing assurance standards across a wide range of information areas, which the government has adopted over time. Later, IASME and the Information Security Forum (ISF) consortium first rolled out The Cyber Essentials scheme in 2014. The assessment questions and requirements have developed in line with the cyber threat landscape over time. The National Cyber Security Centre (NCSC) oversees Cyber Essentials, which has now selected IASME Consortium as the only accreditation body from an original five bodies in 2019. The Phenna Group acquired IASME Consortium in 2021.
Why do we need Cyber Essentials?
Whatever your size, if applying for government contracts, you will require Cyber Essentials certification if you are dealing with any personal or sensitive information. Also, you will require certification for providing technical products and services of varying types. More private industries now require certification, especially those closely aligned with public bodies. In fact, this fits with the recent development of more profound supply chain compliance and IASME’s initial objectives: to improve supply chain security.
Other Reasons to Acquire Accreditation
As well as requirements from your clients and partners, other reasons to become Cyber Essentials certified are:
- To have detailed oversight and management of your critical IT systems.
- Preventing disruption and threats to your business by identifying risk areas and correcting them.
- Your company is protected against cyber threats and attacks, leading to peace of mind.
- Proactively promoting good industry practice and cyber security in your supply chain.
Certification Types
Cyber Essentials Standard
Companies complete the primary accreditation by self-answering around 160 questions. The questions are answered online through the Cyber Essentials Questionnaire. On completion, you then submit the questionnaire to IASME, who will mark your answers and reply with corrective or preventative actions, request more information or pass the certification. If you do not pass on the first attempt, IASME will draw your attention to areas that may require more detail or elaboration. The standard certification covers these five main technical control areas:
- Boundary firewalls and internet gateways
- Secure configuration
- Access controls
- Malware protection
- Patch management
Cyber Essentials Plus
If you have passed the Cyber Essentials certification, you can apply for Cyber Essentials Plus, which involves an independent technical audit of your company’s security controls. For example, the audit may include penetration testing by cyber security experts, a deeper analysis of the configuration of your networks and hardware, and an investigation of sample sets of user devices.
What is the Scope of Requirements for Certification?
Based on the five technical control areas, it is worth understanding what devices, systems and services are in scope when preparing your Cyber Essentials Checklist.
The Boundary of Scope Diagram:
In scope:
- Home working and devices used when home or remote
- All cloud services used and related MFA
- Password management
- User access controls
- Thin clients as well as typical desktops and laptops
- All AD provisioning
- All devices, including BYOD and this management and security controls
- Update management tools
- Services
- Network and network boundary controls (Firewalls and Internet Gateways)
- Patches and Updates
Cyber Essentials Readiness Tool/Checklist
IASME has developed a readiness tool to prepare companies for taking the Cyber Essentials Questionnaire. The readiness tool is a valuable set of conditional questions that can draw your attention to the details of the five leading technical control areas. Below are some examples of the questions asked in the Cyber Essentials Readiness Tool:
| Readiness Tool Questions |
|---|
| Has someone in your organisation a list of all hardware devices that you use. For instance types of laptops, smart phones, firewalls, routers ? |
| Do you use thin clients? |
| Do you own or rent servers? |
| Do you have a list of all software / firmware used on devices within your organisation? |
| Do you have any virtualisation infrastructure within your organisation? |
| Do you have automatic update enabled on all your software? |
| Do you use software that is no longer in support? |
| Do you have a firewall (or router with a firewall) between your business network and the internet? |
| On your firewalls and internet gateways - have you changed all the passwords away from the default passwords and are they difficult to guess and more than 8 characters? |
| If you thought the passwords were known (someone left and knew the password or something happened like the same password used elsewhere was discovered) would you know when and how to change it? |
| Do you have services enabled that are accessible externally? |
| Can you configure your internet routers or hardware firewalls over the internet? This might be in place if you have a third party IT company managing those devices on your behalf. |
| Have you configured your internet routers or your hardware firewalls to block all other services being advertised to the internet? |
| Do you have a list of all the cloud services you use in your organisation? |
| Have you enabled MFA on all accounts to access all the cloud services that you use? |
| Have you located and understood the ‘shared responsibility’ security arrangement for each of the cloud services you use? |
| Have you been through the devices that you have and disabled the software that you dont use? |
| Have you ensured that all the accounts on your devices and cloud services are only those that are used as part of your day to day business? |
| Is "AutoRun" or "AutoPlay" disabled on all of your systems? |
| For mobile devices, do you set a locking mechanism on your devices to access the software and services installed? This might be a pin number, a password, face-scan or fingerprint. |
| Do you ensure that all default passwords on all devices are changed? |
| Do you have something written down to advise all users how important it is to use different passwords for different systems? |
| Do you make sure that each user requires their own username and password and there are no shared username / passwords? |
| Do you have something written down to advise all users about creating good passwords? Does your policy specify the technical controls to manage the quality of passwords used within your organisation? Does the policy include a process for when you believe that a password or an account has been compromised? |
| Is there support in place to help employees choose unique passwords for their work accounts? |
| Have you put measures in place to protect accounts against brute-force password guessing? |
| Are all of your computers, your laptops, and your mobile phones protected against malware by using one of these options? |
| Is there a process you follow in order to create a new user account? |
| Have you a process for tracking user accounts of people who join or leave? |
| Is there a process that is followed before a member of staff is given an administrator account? |
| Do you have a process for ensuring that employees do not use administrator accounts for day to day activities such as browsing the internet and checking emails? |
| Do you have a system for backing up your organisational data? |
How Much does Cyber Essentials Cost?
The standard costs are:
- Micro Organisations (0-9 employees) £300 + VAT
- Small Organisations (10-49 employees) £400 + VAT
- Medium Organisations (50-249 employees) £400 + VAT
- Large Organisations (250+ employees) £400 + VAT
Cyber Essentials Plus costs around £1400 + VAT in addition to the above.
What Policies and Procedures will we require for Cyber Essential Accreditation?
We recommend having the following policies developed or reviewed to not only prepare for Cyber Essentials, but also to have maintainable areas of reference for all of the core areas of your business:
- Acceptable Use Policies – Email and Internet
- Clean Desk and Screen Policy
- Document/Data Classification Policy
- Asset Management and Disposal Policy
- Social Media/Internet Use Policy
- Information Security Policy
- Password Management Policy
- Change Policy
- Cryptographic Controls Policy
- Removable Media Policy
- Mobile Devices and Remote Working Policy
- Access Controls Policy
How Often Do We need to Recertify?
Every 12 months. The question set changes each year – so it is advisable to check the latest version of the readiness tool.
Cyber Essentials Insurance
While not related to Cyber Essentials training, having certification has many benefits, as does having cyber insurance. If you are interested in acquiring cyber insurance, please look at the competitive options given by PolicyBee.
How We Can Help with Cyber Essentials Policies and Procedures
We work with Government Bodies, Local Authorities, private companies, non-profits, and NGOs to align their policies and procedures with information security best practices. Please complete the enquiry form below if you would like more information. You may also be interested in our article on the Cyber Assessment Framework (NCSC CAF).
