Cyber Essentials Requirements
IT Infrastructure Requirements
There are several specific stipulations regarding infrastructure configuration, such as encryption, updates, protection software, firewalls, passwords, user privileges, and more.
Password Policy
There are minimum requirements for the password policy - length, complexity, and expiry. The standard requirement is for a 12-character complex password; however, this may be reduced to 8 characters if other password-related controls are in place.
BYOD Requirements
Bring Your Own Device (BYOD) refers to devices that access business data but are owned by individuals. Depending on the organisation’s requirements, BYOD may or may not be in scope for the assessment. If they are, specific provisions typically apply to ensure they are suitably secure to handle business data.
Mobile Device Requirements
The same comments apply as for BYOD. Mobile devices that can access company data, such as email, should be included in the scope of Cyber Essentials. If they are, specific provisions typically apply to mobile devices to ensure they are suitably secure to handle business data.
Home Working Requirements
Ideally, home workers should use company-owned devices, which will be covered by the company’s security policies and controls. Since January 2022, home networks are not in scope for Cyber Essentials, but devices used must have an internal ‘software’ firewall enabled. Whether BYOD or company-owned, home-worker devices are in scope for Cyber Essentials and must comply with the requirements.
Supported Operating Systems
Almost any fully supported operating system is permitted, as long as the vendor is actively monitoring vulnerabilities and providing patches in a timely manner.
Vulnerability Scan Requirements
Cyber Essentials requires that devices must have an active and effective mechanism to identify, prevent, and remove threats from the system.
How does Cyber Essentials compare to other certifications?
ISO27001 Requirements
Both ISO27001 and Cyber Essentials are certifications applicable to almost every sector of business.
ISO27001 is an ongoing management system that operates within and drives the business, providing ongoing feedback for continuous improvement. It covers a range of topics around data security, much broader than just IT systems. Compliance with Cyber Essentials will help with eventual compliance with ISO27001.
DSPT Requirements
The Data Security and Protection Toolkit (DSPT) is a set of criteria specifically for businesses with access to NHS patient data and systems.
DSPT effectively requires an ongoing management system embedded within the business, similar to ISO27001. It covers a range of topics around data security, much wider than purely IT systems.
IASME Requirements
IASME is the accreditation body appointed by the National Cyber Security Centre (NCSC) to operate the Cyber Essentials programme. It provides training for assessors, sets the self-assessment questions, and monitors the performance of Certifying Bodies (CBs).
NIST Compliance Requirements
The NIST programme is a framework for US businesses to understand and control their cybersecurity. It covers five general areas that businesses should consider as part of their cyber protection measures. There are no specific requirements, nor is it assessed. It is similar to the code of best practice provided by NCSC for UK businesses.
SOC 2 Compliance Requirements
SOC 2 is a certification aimed at service providers (cloud computing, software-as-a-service, etc). It evaluates the effectiveness of an organisation's controls around security, availability, integrity, and privacy. SOC 2 may be either a point-in-time report or part of an ongoing management system.
Cyber Essentials and GDPR
GDPR is mandatory for all UK businesses. Both GDPR and Cyber Essentials are applicable to every sector.
GDPR's scope concerns how businesses manage the data they hold about individuals (Personal Data) - how they use it, ensure it is secure, dispose of it, and their responsibilities to the individual. It does not specify the details of IT systems but requires that personal data is kept secure. Cyber Essentials certification will satisfy these security requirements without further justification.
Cyber Essentials Renewal
The certification process needs to be completed annually. However, subsequent certifications are relatively straightforward (assuming the IT infrastructure is similar) because Cyber Essentials operates as a self-assessment process. Organisations answer a series of questions addressing the scope of the assessment, their employees, devices, work locations, etc.
Here is a helpful tool to assess your readiness for Cyber Essentials - https://getreadyforcyberessentials.iasme.co.uk/
You can download the Standard, Question Set, and Cyber Essentials Plus Test Specification from the IASME website here - https://iasme.co.uk/cyber-essentials/free-download-of-self-assessment-questions/
The five key controls assessed are:
- Firewalls & Routers
- Software Updates
- Malware Protection
- Access Controls
- Secure Configuration
In addition, staff training is considered an important part of the process, and Flex IT provides an online course for clients to use.
All answers must be signed off by a board member or equivalent, after which the answers are marked by an independent assessor.
Parts of the Cyber Essentials self-assessment questions can be difficult to understand without a technical background. Additionally, businesses often need to strengthen their general IT security and train staff. So if you need more help, you are in the right place. We have a wealth of experience and resources to support your journey to certification.
Our breadth of experience and wide selection of solutions cover the following core areas: Security, Business Continuity, IT Support and Infrastructure provision. We can ensure your organisation is properly equipped to comply with both Cyber Essentials and Cyber Essentials Plus.
Want to know more? Contact us!