The Cyber Essentials Scheme – what changed on 1st April 2020?
If you have not yet come across the Government backed Cyber Essentials certification scheme, the chances are that you soon will. In the last year over 16,000 organisations have certified; a number which is growing significantly year on year. However, whether you are new to Cyber Essentials or not, there have been changes to the scheme that all organisations should be aware of.
Cyber threats are ever present, growing and do not discriminate by business sector or country borders. The UK Government has an ambition to make the UK the safest place to live and do business online. Cyber Essentials is a key tool in realising that ambition. Jointly owned by the National Cyber Security Centre (NCSC), a part of GCHQ, and the Department for Digital Media and Sport (DCMS), Cyber Essentials is a cross Government scheme aimed at encouraging organisations of all sizes to implement the most important 5 technical controls. These controls have been seen to effectively protect against attacks from the most common internet threats.
For the last five years, five different commercial organisations, called Accreditation Bodies, have been contracted to deliver the scheme, each through a set of trained and licenced Certification Bodies. Last year, the NCSC ran an extensive consultation exercise to review the Cyber Essentials scheme. A number of recommendations emerged including a very clear message to continue with the scheme. It was also clear that, to make the scheme less confusing for the customer and raise the bar on assessor skills and experience, changes were required. You can see more information on NCSC’s rationale behind the changes here.
The changes introduced to the scheme aim to make Cyber Essentials clearer and more accessible to organisations regardless of size or sector. The importance of this scheme to the business community is clearly highlighted in the National Cyber Security Strategy:
The vast majority of cyber attacks use relatively simple methods which exploit basic vulnerabilities in software and computer systems. There are tools and techniques openly available on the Internet which enable even low-skill actors to exploit these vulnerabilities. Properly implementing the Cyber Essentials scheme will protect against the vast majority of common internet threats.
In direct response to the consultation, NCSC decided to move away from delivery via 5 Accreditation Bodies to just one Cyber Essentials Partner. This is a move designed to enhance the customer experience by introducing greater consistency and clarity. The tender to become the NCSC’s Cyber Essentials Partner was won by The IASME Consortium, an organisation involved with the Scheme since the very start. This move to a sole Partner came into effect on 01 April 2020.
Although the new partnership model will mean one Cyber Essentials Partner, the need for an UK wide network of Certification Bodies (CBs) remains. As of 01 April, all Cyber Essentials CBs and their assessors must have been trained and licensed by IASME. This UK wide network of CBs will help ensure regional support is available throughout the UK and provide end-users with the confidence and assurance that all approved Certification Bodies and assessors have proven standards and competence in this area.
There has also be a change to the certificates themselves. From 01 April 2020, a 12-month expiry date was introduced. Previously, although organisations were encouraged to re-certify annually, there was no expiry date. As of 01 April 2020, all certificates will need to be renewed each year.
By choosing IASME as the Cyber Essentials Partner, the practice of including automatic cyber insurance for all UK based companies with less than £20m turnover unless they opt out will be applied across the whole scheme. The insurance is focused on providing technical and legal incident response.
Many aspects of Cyber Essentials did not change in April. NCSC carried out a review of the five technical controls and believe that these are still the correct and appropriate controls to focus on. The 5 technical controls covered relate to access control, secure configuration, software updates, malware protection and firewalls & routers. IASME and NCSC will continue to review the controls to ensure they remain current against threat trends.
As a scheme, Cyber Essentials has grown to encompass a wider set of benefits. The assurance this certification provides has led to Cyber Essentials being either mandated or actively encouraged across an increasing number of private and public sector contracts. In that regard, it is a tool that can help organisations gain and retain business opportunities. It is also recognised by the Information Commissioner’s Office who outlined the schemes capacity to provide certain security assurances and help protect personal data in IT systems.
Whether you are new to Cyber Essentials or have been acquainted with it for some time, these important changes are now in place. If you have previously certified under a non IASME organisation you may experience further changes such as a requirement to provide more detail in your assessment answers.
To start the process or for more information, please see the IASME website, or contact one of their Certification Bodies. If you have any queries about conducting the assessment, you can pose a question to their technical experts via the LinkedIn Cyber Essentials Advice Group. You can also keep up to date with the scheme in general via IASME’s main page on LinkedIn.