What’s new with Cyber Essentials?
You may already be aware that changes to the way the Cyber Essentials scheme is delivered came into effect on 1st April 2020. But what exactly were those changes and what do they mean for your business?
The UK Government has an ambition to make the UK the safest place to live and do business online. Cyber Essentials is a key tool in realising that ambition. Jointly owned by the National Cyber Security Centre (NCSC), a part of GCHQ, and the Department for Digital Media and Sport (DCMS), Cyber Essentials is a cross-Government scheme aimed at encouraging organisations of all sizes to implement the five most important technical controls. These are controls which are proven to provide effective protection against the most common internet threats.
For the last five years, five different commercial organisations, the Accreditation Bodies, have been contracted to deliver the scheme, each through a set of trained and licensed Certification Bodies. During 2018 the NCSC ran an extensive consultation exercise to review the Cyber Essentials scheme. A number of recommendations emerged from the consultations, but there was also a very clear message to continue with the scheme. It was also clear that changes were needed to make it less confusing for the customer and to raise the bar on assessor skills and experience. You can see more information on NCSC’s rationale behind the changes here.
In direct response to the consultation, NCSC decided to move away from delivery via five Accreditation Bodies to just one Cyber Essentials Partner. The role of Cyber Essentials Partner was put out to tender and won by The IASME Consortium, which had been one of the original Accreditation Bodies and was also involved in helping write the original Cyber Essentials requirements. This move to a sole Partner took effect on 01 April 2020.
Although the new partnership model means just one Cyber Essentials Partner, the need for a UK-wide network of Certification Bodies remains. As of 01 April, all Cyber Essentials Certification Bodies must have been trained and licensed by IASME. A further change means that all Certification Bodies and their respective assessors must now meet, and maintain, minimum standards agreed with NCSC in order to achieve that licence.
There has also been a change to the certificates themselves. From 01 April 2020, a 12-month expiry date was formally introduced.
By choosing IASME as the Cyber Essentials Partner, the practice of including automatic cyber insurance for all UK-based companies with less than £20m turnover, unless they opt out, is applied across the whole scheme. The insurance is focused on providing technical and legal incident response. This will help provide resilience in supply chains with a large number of SMEs if they are required to hold Cyber Essentials certification.
In addition to highlighting the changes, it is equally important to outline that many aspects of the Cyber Essentials scheme have not changed. NCSC carried out a review of the five technical controls and believes that these are still the correct and appropriate controls to focus on. The five technical controls covered relate to access control, secure configuration, software updates, malware protection, and firewalls and routers. IASME and NCSC will continue to review the controls to ensure they remain current against threat trends.
If you have previously certified under a non-IASME organisation you may experience further changes, such as a requirement to provide more detail in your assessment answers. However, it is still the same five controls that are being assessed. If you have any further queries about the changes, please contact IASME or your nearest Certification Body. If you’d like to stay in touch and get the latest updates, please follow IASME via LinkedIn.
Please note, this blog may contain guidance and information that is outdated.
On 24th January 2022, the Cyber Essentials technical requirements were updated in line with current cyber security threats. The self-assessment question set changed from version ‘Beacon’ to version ‘Evendine’. Blogs and articles published before that date may no longer accurately reflect the Cyber Essentials requirements.