In the first of a series of articles on cyber security programmes and schemes, we talk to CRIBB Cyber Security’s Patrick Carolan to highlight the difference between cyber essentials and cyber essentials plus...
Patrick, when was cyber essentials introduced?
Five years ago, in 2014. The UK government Department for Business, Innovation and Skills released it to encourage the implementation of good practices in information security. The main goal of the certification is to essentially protect companies from internet threats.
What is / are the difference(s) between the two?
The only difference is that with cyber essentials plus there must be an independent verification of existing security controls in order to become certified. This assessment will verify that the five checks are in place:
1. Secure configuration
2. Internet gateways and boundary firewalls
3. Access control
4. Patch management
5. Malware protection
Cyber essentials and cyber essentials plus are both security standards with a list of requirements that companies can try to meet, but because cyber essentials plus uses external verification measures, its certificate is often seen as the more reliable of the two.
Could you give us a very simple breakdown of both standards?
Sure, but remember: it's the same standard; the only difference is that with plus, you must achieve external verification.
The standard is backed by the UK government and is basically a certification scheme designed to provide companies with a solid cyber security baseline to implement or follow. It covers the five key controls that I mentioned before – configuration, gateways and firewalls, access control, patch management and malware protection – and when these are all in place in the correct way you can prevent the majority of cyber-attacks. For cyber essentials the certification process is an online questionnaire that is certified by an NCSC Assessor on behalf of the IASME Consortium.
We’ll come back to IASME in a moment but let's cover Cyber Essentials Plus...
Once a company has gained cyber essentials, they can then opt for cyber essentials plus which gives them the on-site technical assessment I have mentioned before. This is designed to verify and confirm that they are adhering to the cyber essentials standard and if they are, they will then receive the certification badge.
Why do companies need cyber essentials?
As I said before, any company that has these certificates can consider themselves pretty secure against cyber-attacks; in fact, they are seen to offer protection against around 80% of all attacks and on top of that, they demonstrate that your company is one that holds security controls in very high regard, something that’s becoming more and more important these days with the growth in cyber security threats.
How long does cyber essentials take to complete?
The cyber essentials self-assessment could be completed within 1 day or it could take a couple of weeks – it all depends upon the company involved and who is completing the assessment. Similarly, cyber essentials plus is also dependent upon those factors but also on others such as company size; for example, I have managed to complete audits within a couple of days for several smaller companies, usually with one day on-site and then another working remotely. Larger companies have taken longer, around 2-4 weeks on average maybe.
Do the certificates expire?
The certificates are valid for one year, after which you need to submit a fresh application.
You mentioned the IASME Consortium...
At the moment IASME is one of five companies that were appointed as Accreditation Bodies for assessing and certifying against the cyber essentials scheme. CRIBB Cyber Security has always offered cyber essentials in line with IASME, and just recently the NCSC announced that as of April next year, IASME would be their sole partner.
That’s a huge development.
It is and it’s a really positive one that should hopefully help encourage more growth and awareness of cyber security in general.
In a nutshell...
Cyber essentials and cyber essentials plus are based upon the same standard.
Cyber essentials = a ‘DIY’ step in the right direction that will improve your cyber defence.
Cyber essentials plus = once you have cyber essentials, cyber essentials plus provides an independent assessment of the security controls you currently have in place. This option is becoming ever more popular with companies seriously striving to achieve a robust cyber defence.
NB: You can only opt for cyber essentials plus if you have cyber essentials.
NCSC Assessor – An assessor approved by the National Cyber Security Centre; all assessors are fully trained and are required to pass relevant assessments and exams.
NCSC – The National Cyber Security Centre; an organisation of the UK Government that offers advice and support on how to avoid computer security threats for the private and public sectors.
Cyber essentials offers companies a solid and robust platform from which to build, but it is not a comprehensive cyber security strategy. Speak with our experienced team today to learn more about how you can improve your cyber resilience, or read about our brand new Service Catalogue here (you can also download a copy)...