Guest Author: Changes to the Cyber Essentials Scheme

3 Apr, 2020

If you have not yet come across the Government-backed Cyber Essentials certification scheme, the chances are that you soon will. In the last year almost 16,000 organisations have certified, a number which is growing significantly year on year. However, whether you are new to Cyber Essentials or not, there are imminent changes to the scheme that all organisations should be aware of.

About the Cyber Essentials Scheme

The scheme is a key tool in realising the UK Government’s ambition to make the UK the safest place to live and do business online. Jointly owned by the National Cyber Security Centre (NCSC), a part of GCHQ, and the Department for Digital, Culture, Media and Sport (DCMS), Cyber Essentials is a cross-Government scheme aimed at encouraging organisations of all sizes to implement the 5 most important cyber security technical controls. These controls have been seen to effectively protect against attacks from the most common internet threats and the scheme’s importance is highlighted in the National Cyber Security Strategy:

The vast majority of cyber attacks use relatively simple methods which exploit basic vulnerabilities in software and computer systems.  There are tools and techniques openly available on the internet which enable even low-skill actors to exploit these vulnerabilities.  Properly implementing the Cyber Essentials scheme will protect against the vast majority of common internet threats. 

The scheme has been around since 2014. During 2019 the NCSC ran an extensive consultation exercise to review Cyber Essentials. A number of recommendations emerged from the consultations but there was also a very clear message to continue with the scheme.  It was also clear that changes were needed; changes to make it less confusing for the customer and raise the bar on assessor skills and experience. You can see more information on NCSC’s rationale behind the changes here.

Changes are coming…

For the last five years, five different commercial organisations, called Accreditation Bodies, have been contracted to deliver the scheme, each through a set of trained and licensed Certification Bodies. In direct response to the consultation, NCSC decided to move away from delivery via 5 Accreditation Bodies to just one Cyber Essentials Partner. This was a move designed to introduce greater consistency and clarity whilst enhancing the customer experience. The changes will also make the scheme more accessible to organisations across all sectors. The role of Cyber Essentials Partner was put out to tender and won by The IASME Consortium, who had been one of the first Accreditation Bodies and were also involved in writing the original Scheme requirements. This move to a sole Partner will take effect on 01 April 2020.

Although the new partnership model will mean one Cyber Essentials Partner, the need for a UK-wide network of Certification Bodies remains. From 01 April, all Cyber Essentials Certification Bodies must have been trained and licensed by IASME. A further change means that all Certification Bodies and their respective assessors must meet, and maintain, minimum standards agreed with NCSC in order to achieve that licence. These changes will help ensure regional support is available throughout the UK and provide end-users with the confidence and assurance that all approved Certification Bodies and assessors have proven standards and competence in this area. It will also provide reassurance throughout the supply chain.

There will also be a change to the certificates themselves.  From 01 April 2020, a 12-month expiry date will be introduced.  Currently, although organisations are encouraged to re-certify annually, there is no expiry date. From April 2020 all certificates will need to be renewed annually.

With IASME chosen as the Cyber Essentials Partner, the practice of including automatic cyber insurance for all UK-based companies with less than £20m turnover, unless they opt out, will be applied across the whole scheme. The insurance is focused on providing technical and legal incident response. This will help provide resilience in supply chains with a large number of SMEs if they are required to hold Cyber Essentials certification.

If you have previously certified under a non-IASME organisation, you may experience further changes such as a requirement to provide more detail in your assessment answers.

Many aspects of Cyber Essentials are not changing in April. NCSC carried out a review of the five technical controls and believes that these are still the correct and appropriate controls to focus on. The 5 technical controls covered relate to access control, secure configuration, software updates, malware protection and firewalls & routers. IASME and NCSC will continue to review the controls to ensure they remain current against threat trends.

The Benefits of Cyber Essentials

As a scheme, Cyber Essentials has grown to encompass a wider set of benefits.  For example, the assurance this certification provides has led to Cyber Essentials being either mandated or actively encouraged across an increasing number of private and most public sector contracts.  In that regard, Cyber Essentials is a tool that can help organisations gain and retain business opportunities.

The Cyber Essentials scheme is also recognised by the Information Commissioner’s Office which has outlined the scheme’s capacity to provide certain security assurances and help protect personal data in IT systems.

Whether you are new to Cyber Essentials or have been acquainted with it for some time, these important changes will be implemented from 01 April 2020. You can also get the latest updates by following IASME on LinkedIn. If you would like sight of the question set ahead of applying, it can be found here.

Author Bio

Chris Pinder is Chief Operating Officer of The IASME Consortium. You can contact Chris and the team on 03300 882 752.
