Cyber Essentials is a government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks.
The scheme identifies some fundamental technical security controls that an organisation needs to have in place to help defend against Internet-borne threats.
From 1 October 2014, the government requires all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme.
The obvious benefit to becoming certified is that a business can demonstrate to their customers that their data is adequately protected and that they take cyber security seriously.
The cost varies depending on which certifying body you choose and whether you need no help, a little, or a lot with the application. A list of certifying bodies can be found here.
Completing the Application... my experience
Prior to completing the application I was quietly confident that we would be able to obtain the certification with very little additional work; however, I was wrong, and it does go into some depth (as you would expect from an assessment developed by CESG, the information security arm of GCHQ).
I managed to find a sample questionnaire on the web (click here to download) which was very similar to the online questionnaire you will submit as part of the application. I worked through this as a preparation tool.
Although a lot of the questions cover the basics (i.e. perimeter firewalls, client firewalls, anti-virus, password policies), some questions did prompt me to rethink how we do things currently, and also things we should be doing that we perhaps hadn't thought about previously (for example, you may have the technology in place but be lacking the documentation, processes, logging and auditing around it).
Once confident I had answered the questions to an acceptable level, I booked with my chosen certifying body, IT Governance http://www.itgovernance.co.uk, and chose their 'Do It Yourself' option.
I was set up with a logon to the Cyber Essentials portal, where I was presented with a number of sections to complete as part of the application. (It's worth noting that once registered on the portal there is no specified time limit by which the application needs to be submitted, so I was 'free to take my time'.)
The sections included:
- Confirm details of the business you are completing the application for
- Scope of the application (write a short statement of locations/systems that are included within the scope and any systems that are excluded)
- Questionnaire (very similar to the questionnaire I prepared with)
- Public IP addresses (the certifying body performs a port scan to check for any ports that are open that shouldn't be - I used 'Shields Up', a free web-based tool, to test this myself beforehand)
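The external port scan in the last step is the one part of the application you can rehearse with a few lines of code rather than a web tool. The script below is an added example, not part of the original post or the certifying body's process: it compares the ports actually reachable on a host against an allowlist of ports the business expects to be open, and reports both surprises (a forgotten service) and expected ports that turn out to be closed (a firewall rule stricter than the documentation says). The allowlist, host and port list are assumptions to adjust for your own scope; the demo binds a throwaway listener on localhost so it runs offline. For a real rehearsal, run it from outside your network against the public IP addresses you listed in the application.

```python
"""Self-check for unexpected open TCP ports before the certifying body's scan.

Added example; EXPECTED_OPEN, the host and the port list are assumed values.
"""
import socket
from contextlib import closing

# Ports the business expects to be reachable from the Internet (assumed allowlist).
EXPECTED_OPEN = {443}


def port_is_open(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port completes within timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def check_exposure(host, ports, expected_open, timeout=1.0):
    """Probe each port and compare the result with the allowlist.

    Returns a dict with the open ports, the open ports not on the allowlist
    (what the certifying body's scan would flag) and the allowlisted ports that
    are closed (a service outage or an undocumented firewall rule).
    """
    open_ports = {p for p in ports if port_is_open(host, p, timeout)}
    expected = set(expected_open)
    return {
        "open": sorted(open_ports),
        "unexpected_open": sorted(open_ports - expected),
        "expected_but_closed": sorted(expected - open_ports),
    }


def _ephemeral_port():
    """Ask the OS for a free port number (constructed helper for the demo)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Offline demonstration: one stray listener on localhost standing in for a
    forgotten service, plus one closed port standing in for the allowlisted 443
    being blocked. Returns the check result and the two port numbers used."""
    stray = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    stray.bind(("127.0.0.1", 0))
    stray.listen(5)  # the kernel completes handshakes from the backlog, no accept() needed
    stray_port = stray.getsockname()[1]
    closed_port = _ephemeral_port()  # allocated and released, so nothing listens on it
    try:
        result = check_exposure(
            "127.0.0.1",
            [stray_port, closed_port],
            expected_open={closed_port},
        )
    finally:
        stray.close()
    return {"result": result, "stray_port": stray_port, "closed_port": closed_port}


if __name__ == "__main__":
    out = demo()
    print("stray listener on", out["stray_port"], "-> flagged:", out["result"]["unexpected_open"])
    print("allowlisted but closed:", out["result"]["expected_but_closed"])
```

A connect-based check like this only sees TCP services and only from the vantage point it runs on, so the result is a rehearsal, not a substitute for the certifying body's scan; the point is to find and document any surprises before they find them.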
Each step requires approval before you are able to move onto the next.
If you pass, you receive a certificate which covers you for 12 months and a branding pack which can be used on your website to tell your visitors you are Cyber Essentials certified!
Should you fail, you can retake for a smaller fee. Depending on what you fail on, you may seek some extra help from your certifying body.
Reapply for Cyber Essentials in 12 months' time, or look to complete the more stringent 'Plus' certification.