3 Apr, 2020
If you have not yet come across the Government-backed Cyber Essentials certification scheme, the chances are that you soon will. In the last year almost 16,000 organisations have certified, a number which is growing significantly year on year. However, whether you are new to Cyber Essentials or not, there are imminent changes to the scheme that all organisations should be aware of.
About the Cyber Essentials Scheme
The scheme is a key tool in realising the UK Government’s ambition to make the UK the safest place to live and do business online. Jointly owned by the National Cyber Security Centre (NCSC), a part of GCHQ, and the Department for Digital, Culture, Media and Sport (DCMS), Cyber Essentials is a cross-Government scheme aimed at encouraging organisations of all sizes to implement the 5 most important cyber security technical controls. These controls have been shown to protect effectively against attacks from the most common internet threats, and the scheme’s importance is highlighted in the National Cyber Security Strategy:
The vast majority of cyber attacks use relatively simple methods which exploit basic vulnerabilities in software and computer systems. There are tools and techniques openly available on the internet which enable even low-skill actors to exploit these vulnerabilities. Properly implementing the Cyber Essentials scheme will protect against the vast majority of common internet threats.
The scheme has been around since 2014. During 2019 the NCSC ran an extensive consultation exercise to review Cyber Essentials. A number of recommendations emerged from the consultations, but there was also a very clear message to continue with the scheme. It was also clear that changes were needed: changes to make it less confusing for the customer and to raise the bar on assessor skills and experience. You can see more information on NCSC’s rationale behind the changes here.
Changes are coming…
For the last five years, five different commercial organisations, called Accreditation Bodies, have been contracted to deliver the scheme, each through a set of trained and licensed Certification Bodies. In direct response to the consultation, NCSC decided to move away from delivery via five Accreditation Bodies to just one Cyber Essentials Partner. This was a move designed to introduce greater consistency and clarity whilst enhancing the customer experience. The changes will also make the scheme more accessible to organisations across all sectors. The role of Cyber Essentials Partner was put out to tender and won by The IASME Consortium, which had been one of the first Accreditation Bodies and was also involved in writing the original Scheme requirements. This move to a sole Partner will take effect on 01 April 2020.
Although the new partnership model will mean one Cyber Essentials Partner, the need for a UK-wide network of Certification Bodies remains. From 01 April, all Cyber Essentials Certification Bodies must have been trained and licensed by IASME. A further change means that all Certification Bodies and their respective assessors must meet, and maintain, minimum standards agreed with NCSC in order to achieve that licence. These changes will help ensure regional support is available throughout the UK and provide end-users with the confidence and assurance that all approved Certification Bodies and assessors have proven standards and competence in this area. It will also provide reassurance throughout the supply chain.
There will also be a change to the certificates themselves. From 01 April 2020, a 12-month expiry date will be introduced. Currently, although organisations are encouraged to re-certify annually, there is no expiry date. From April 2020 all certificates will need to be renewed annually.
With IASME as the Cyber Essentials Partner, the practice of including automatic cyber insurance for all UK-based companies with less than £20m turnover, unless they opt out, will be applied across the whole scheme. The insurance is focused on providing technical and legal incident response. This will help provide resilience in supply chains with a large number of SMEs if they are required to hold Cyber Essentials certification.
If you have previously certified under a non-IASME organisation you may experience further changes, such as a requirement to provide more detail in your assessment answers.
Many aspects of Cyber Essentials are not changing in April. NCSC carried out a review of the five technical controls and believes that these are still the correct and appropriate controls to focus on. The 5 technical controls relate to access control, secure configuration, software updates, malware protection, and firewalls and routers. IASME and NCSC will continue to review the controls to ensure they remain current against threat trends.
The Benefits of Cyber Essentials
As a scheme, Cyber Essentials has grown to encompass a wider set of benefits. For example, the assurance this certification provides has led to Cyber Essentials being either mandated or actively encouraged across an increasing number of private and most public sector contracts. In that regard, Cyber Essentials is a tool that can help organisations gain and retain business opportunities.
The Cyber Essentials scheme is also recognised by the Information Commissioner’s Office which has outlined the scheme’s capacity to provide certain security assurances and help protect personal data in IT systems.
Whether you are new to Cyber Essentials or have been acquainted with it for some time, these important changes will be implemented from 01 April 2020. You can also get the latest updates by following IASME on LinkedIn. If you would like sight of the question set ahead of applying, it can be found here.
Chris Pinder is Chief Operating Officer of The IASME Consortium. You can contact Chris and the team on 03300 882 752.