
Cyber Essentials: Difference between revisions

Article snapshot taken from Wikipedia under the Creative Commons Attribution-ShareAlike license.
Revision as of 19:13, 8 February 2021 by Robidy (talk | contribs), extended confirmed user, 878 edits. Edit summary: "Assurance framework: note recertification is mandatory." Tag: Visual edit
Revision as of 20:28, 8 February 2021 by Robidy (talk | contribs), extended confirmed user, 878 edits. Edit summary: "Improve article to clarify" Tag: Visual edit
Line 3: Line 3:
It was developed in collaboration with industry partners, including the Information Security Forum (]), the Information Assurance for Small and Medium Enterprises Consortium (]), and the British Standards Institution (]), and it is endorsed by the UK Government.<ref>{{Cite web|url=https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/317481/Cyber_Essentials_Requirements.pdf|title=Cyber Essentials Scheme|last=|first=|date=|website=|publisher=HM Government|access-date=9 September 2016}}</ref> It was launched in 2014 by the ].<ref>{{cite web|title='Cyber Essentials' scheme launched|url=http://ico.org.uk/news/current_topics/cyber-essentials|publisher=ICO|accessdate=1 July 2014}}</ref> It was developed in collaboration with industry partners, including the Information Security Forum (]), the Information Assurance for Small and Medium Enterprises Consortium (]), and the British Standards Institution (]), and it is endorsed by the UK Government.<ref>{{Cite web|url=https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/317481/Cyber_Essentials_Requirements.pdf|title=Cyber Essentials Scheme|last=|first=|date=|website=|publisher=HM Government|access-date=9 September 2016}}</ref> It was launched in 2014 by the ].<ref>{{cite web|title='Cyber Essentials' scheme launched|url=http://ico.org.uk/news/current_topics/cyber-essentials|publisher=ICO|accessdate=1 July 2014}}</ref>


To maintain certification, organisations are required to undergo re-certification on an annual basis.
==Assurance framework==
Organisations can earn two levels of certification, or badges:<ref>{{cite web|title=Cyber Essentials Scheme Assurance Framework|url=https://www.cyberstreetwise.com/cyberessentials/files/assurance-framework.pdf|publisher=HM Government|accessdate=1 July 2014}}</ref><ref>{{cite web|last1=Hotchin|first1=Jenny|title=Mitigating the risks created by cyber attacks|url=http://www.smeweb.com/index.php?option=com_content&view=article&id=4891:mitigating-the-risks-created-by-cyber-attacks&catid=64:features&Itemid=102|accessdate=1 July 2014}}</ref>
* Cyber Essentials: Organisations self-assess their systems, and this assessment is independently verified.
* Cyber Essentials Plus: Systems are independently tested, and Cyber Essentials is integrated into the organisation's information risk management.


Annual recertification is required. Certifying Bodies are, in turn, licensed by Accreditation Bodies, which have been appointed by UK government. Certifying Bodies are licensed by Accreditation Bodies, which have been appointed by UK government.


==Certification==
As of September 2019, there were five accreditation bodies including: APMG, CREST, IASME, IRM security and QG.<ref>{{Cite web|url=https://www.cyberaware.gov.uk/cyberessentials/get.html|title=Cyber Essentials - OFFICIAL SITE|website=www.cyberaware.gov.uk|access-date=2017-03-01}}</ref>
The Cyber Essentials program provides two levels of certification:<ref>{{cite web|title=Cyber Essentials Scheme Assurance Framework|url=https://www.cyberstreetwise.com/cyberessentials/files/assurance-framework.pdf|publisher=HM Government|accessdate=1 July 2014}}</ref><ref>{{cite web|last1=Hotchin|first1=Jenny|title=Mitigating the risks created by cyber attacks|url=http://www.smeweb.com/index.php?option=com_content&view=article&id=4891:mitigating-the-risks-created-by-cyber-attacks&catid=64:features&Itemid=102|accessdate=1 July 2014}}</ref>


] has incorporated the Cyber Essentials into the wider ] information assurance standard.<ref>{{Cite web|title=Cyber Essentials Scheme – IASME|url=https://www.iasme.co.uk/cyber-essentials-scheme/|access-date=2016-09-07|website=www.iasme.co.uk}}</ref>
Beginning April 2020, IASME have been chosen by the National Cyber Security Centre (NCSC) to be the sole Cyber Essentials Scheme Accreditation body.


As with ], organisations may choose to limit the scope of certification to a certain subset of their business and this must be disclosed on their certificate.
] has incorporated the Cyber Essentials into the wider IASME information assurance standard.<ref>{{Cite web|url=https://www.iasme.co.uk/cyber-essentials-scheme/|title=Cyber Essentials Scheme – IASME|website=www.iasme.co.uk|access-date=2016-09-07}}</ref>


===Cyber Essentials===
As with ], organisations may choose to limit the scope of certification to a certain subset of their business.
Commonly referred to as mark your own homework, organisations self-assess their systems, and then complete an online assessment, the answers are then independently verified.

There is no third party verification of the accuracy of the answers.

=== Cyber Essentials Plus ===
The same as the basic but with independent validation by an accredited third party.

Systems are independently tested, and Cyber Essentials is integrated into the organisation's information risk management.


==Controls== ==Controls==
The five main technical controls are: The five technical controls are:
#Boundary ]s and internet gateways #Boundary ]s and internet gateways
#] #]
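Review bot: the new "Cyber Essentials" subsection contradicts itself: "the answers are then independently verified" is immediately followed by "There is no third party verification of the accuracy of the answers." Keep one formulation, or state what is verified (that the questionnaire is complete) as distinct from what is not (that the answers are accurate), and back it with the Assurance Framework source already cited in this hunk. The same hunk leaves "The Cyber Essentials program provides two levels of certification:" ending in a colon with nothing after it, because the two bullets that listed the levels under "Assurance framework" were removed; either restore those two bullets under Certification or name the two levels in the sentence. "Commonly referred to as mark your own homework" is an unsourced colloquialism; quote and cite it or drop it.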
Line 26: Line 32:
#] management #] management


Cyber Essentials guidance breaks these down into finer details. These controls can be mapped against the controls required by ], the ], and ],<ref>{{cite web|title=Requirements for basic technical protection from cyber attacks|url=https://www.cyberstreetwise.com/cyberessentials/files/requirements.pdf|publisher=HM Government|accessdate=1 July 2014}}</ref> although Cyber Essentials has a narrower focus, emphasising technical controls rather than governance, risk, and policy. Cyber Essentials guidance breaks these down into finer details.
These controls can be mapped against the controls required by ], the ], and ],<ref>{{cite web|title=Requirements for basic technical protection from cyber attacks|url=https://www.cyberstreetwise.com/cyberessentials/files/requirements.pdf|publisher=HM Government|accessdate=1 July 2014}}</ref> although Cyber Essentials has a narrower focus, emphasising technical controls rather than governance, risk, and policy.


==History== ==History==
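Review bot: splitting this paragraph leaves "Cyber Essentials guidance breaks these down into finer details." as a one-sentence paragraph with no citation, while the requirements.pdf <ref> now backs only the mapping sentence. Either keep the two sentences in one paragraph so the ref covers both, or move the ref to the first sentence, whose claim its title ("Requirements for basic technical protection from cyber attacks") most directly supports.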
Line 32: Line 40:


After the ], ] refused to finance the £1 billion which was the estimated cost of meeting the Cyber Essentials Plus standard, saying this would not constitute value for money and that it had invested over £60 million and plan to spend a further £150 million to address key cyber security weaknesses over the next two years.<ref>{{cite news |title=Health chiefs refuse to foot £1bn bill to improve NHS cyber security |url=https://www.buildingbetterhealthcare.co.uk/news/article_page/Health_chiefs_refuse_to_foot_1bn_bill_to_improve_NHS_cyber_security/147855/cn164706 |accessdate=27 November 2018 |publisher=Building Better Healthcare |date=15 October 2018}}</ref> After the ], ] refused to finance the £1 billion which was the estimated cost of meeting the Cyber Essentials Plus standard, saying this would not constitute value for money and that it had invested over £60 million and plan to spend a further £150 million to address key cyber security weaknesses over the next two years.<ref>{{cite news |title=Health chiefs refuse to foot £1bn bill to improve NHS cyber security |url=https://www.buildingbetterhealthcare.co.uk/news/article_page/Health_chiefs_refuse_to_foot_1bn_bill_to_improve_NHS_cyber_security/147855/cn164706 |accessdate=27 November 2018 |publisher=Building Better Healthcare |date=15 October 2018}}</ref>

As of September 2019, there were five accreditation bodies including: APMG, CREST, ], IRM security and QG.<ref>{{Cite web|title=Cyber Essentials - OFFICIAL SITE|url=https://www.cyberaware.gov.uk/cyberessentials/get.html|access-date=2017-03-01|website=www.cyberaware.gov.uk}}</ref>

Beginning April 2020, ] have been chosen by the National Cyber Security Centre (]) to be the sole Cyber Essentials Scheme Accreditation body.


==See also== ==See also==
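Review bot: the two sentences moved into History carry sourcing problems that the move makes more visible. "As of September 2019, there were five accreditation bodies" is supported only by a citation with access-date=2017-03-01, which cannot attest the state of the scheme in September 2019; refresh the access date or date the claim to the snapshot actually consulted. "Beginning April 2020, IASME have been chosen by the National Cyber Security Centre (]) to be the sole Cyber Essentials Scheme Accreditation body." has no <ref> at all, and because it supersedes the five-body list it is the sentence readers will rely on; add a citation, and change "have been chosen" to "has been chosen".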

Revision as of 20:28, 8 February 2021

Cyber Essentials is a United Kingdom government information assurance scheme that is operated by the National Cyber Security Centre (NCSC). It encourages organisations to adopt good practice in information security. Cyber Essentials also includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet.

It was developed in collaboration with industry partners, including the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME), and the British Standards Institution (BSI), and it is endorsed by the UK Government. It was launched in 2014 by the Department for Business, Innovation and Skills.

To maintain certification, organisations are required to undergo re-certification on an annual basis.

Certifying Bodies are licensed by Accreditation Bodies, which have been appointed by UK government.

Certification

The Cyber Essentials program provides two levels of certification: Cyber Essentials and Cyber Essentials Plus.

IASME has incorporated the Cyber Essentials into the wider IASME information assurance standard.

As with ISO/IEC 27001, organisations may choose to limit the scope of certification to a certain subset of their business and this must be disclosed on their certificate.

Cyber Essentials

Commonly referred to as "mark your own homework", this level has organisations self-assess their systems and then complete an online assessment; the answers are then independently verified.

There is no third party verification of the accuracy of the answers.

Cyber Essentials Plus

The same as the basic level, but with independent validation by an accredited third party.

Systems are independently tested, and Cyber Essentials is integrated into the organisation's information risk management.

Controls

The five technical controls are:

  1. Boundary firewalls and internet gateways
  2. Secure configuration
  3. Access control
  4. Malware protection
  5. Patch management

Cyber Essentials guidance breaks these down into finer details.

These controls can be mapped against the controls required by ISO/IEC 27001, the Standard of Good Practice for Information Security, and IASME Governance, although Cyber Essentials has a narrower focus, emphasising technical controls rather than governance, risk, and policy.

History

The Cyber Essentials scheme was launched on 5 June 2014. Several organisations were quickly certified by the end of June. Since October 2014, Cyber Essentials certification has been required for suppliers to central UK government who handle certain kinds of sensitive and personal information. This is intended to encourage adoption by businesses wishing to bid for government contracts. Insurers have suggested that certified bodies may attract lower insurance premiums. Over 30,000 Cyber Essentials certificates have been awarded to businesses and organisations.

After the WannaCry ransomware attack, NHS Digital refused to finance the estimated £1 billion cost of meeting the Cyber Essentials Plus standard, saying this would not constitute value for money and that it had already invested over £60 million and planned to spend a further £150 million to address key cyber security weaknesses over the next two years.

As of September 2019, there were five accreditation bodies: APMG, CREST, IASME, IRM security and QG.

Beginning April 2020, IASME has been chosen by the National Cyber Security Centre (NCSC) to be the sole Cyber Essentials Scheme accreditation body.


References

  1. "Government scheme shows who can be trusted on cyber security". Telegraph. 5 June 2014. Retrieved 1 July 2014.
  2. "Cyber Essentials Scheme" (PDF). HM Government. Retrieved 9 September 2016.
  3. "'Cyber Essentials' scheme launched". ICO. Retrieved 1 July 2014.
  4. "Cyber Essentials Scheme Assurance Framework" (PDF). HM Government. Retrieved 1 July 2014.
  5. Hotchin, Jenny. "Mitigating the risks created by cyber attacks". Retrieved 1 July 2014.
  6. "Cyber Essentials Scheme – IASME". www.iasme.co.uk. Retrieved 7 September 2016.
  7. "Requirements for basic technical protection from cyber attacks" (PDF). HM Government. Retrieved 1 July 2014.
  8. "First seven SMEs bite on Government's flagship Cyber Essentials scheme". Computer World. 30 June 2014. Retrieved 1 July 2014.
  9. "Cyber essentials scheme: overview". GOV.UK. Retrieved 1 July 2014.
  10. "Cyber risk and the UK's Cyber Essentials Scheme". Computer Weekly. June 2014. Retrieved 1 July 2014.
  11. "Government launches Cyber Essentials security scheme". 6 June 2014. Retrieved 1 July 2014.
  12. "Matt Hancock's Cyber Security Speech". Retrieved 7 July 2017.
  13. "Health chiefs refuse to foot £1bn bill to improve NHS cyber security". Building Better Healthcare. 15 October 2018. Retrieved 27 November 2018.
  14. "Cyber Essentials - OFFICIAL SITE". www.cyberaware.gov.uk. Retrieved 1 March 2017.
