CYBER ESSENTIALS

The Cyber Essentials programme has been designed to help protect organisations against the most common internet-borne threats. It is agnostic of organisation size and industry, although it is particularly well suited to small and medium-sized enterprises.
It is part of the UK's National Cyber Security Programme and is now mandatory for suppliers bidding on UK central government contracts that involve handling personal or sensitive information or supplying certain ICT products and services.
This guide provides information for any organisation looking to certify against Cyber Essentials.
As a Certifying Body for IASME, Synovum can carry out Cyber Essentials assessments, Cyber Essentials Plus technical audits, and IASME Governance Standard and GDPR readiness audits.
Depending on your requirements, your organisation can be certified against Cyber Essentials, Cyber Essentials Plus and the IASME Governance Standard at the same time. Please contact us for further information.
Cyber Essentials Certification

This certificate is awarded upon successful verification of an organisation's self-assessment submission of the Cyber Essentials questionnaire.

Cyber Essentials covers the following five control areas:

  • Boundary Firewalls and Internet Gateways – devices that control traffic between the organisation's private network and the internet and prevent unauthorised access in either direction. They are only effective if correctly configured, so that only the services that genuinely need to be reachable from the internet are exposed.

  • Secure Configuration – ensuring that systems are configured in the most secure way appropriate to the needs of the organisation, with default accounts, passwords and unnecessary software and services removed or disabled.

  • Access Control – ensuring that only those who should have access to systems have it, at the appropriate privilege level, and that administrative accounts are restricted to the people and tasks that require them.

  • Malware Protection – ensuring that anti-virus/anti-malware protection is installed, active and kept up to date on all in-scope devices.

  • Patch Management – ensuring that supported versions of software are in use and that vendor patches are applied promptly, in particular those that fix critical or high-severity vulnerabilities, which Cyber Essentials expects to be installed within 14 days of release.

Being certified to Cyber Essentials provides the following benefits:

  • Demonstrates to customers that your business takes cyber security seriously.

  • Provides some clarity on the essential security controls your business needs to have in place.

  • Identifies areas within organisations where there is room for improvement for existing security controls.

  • Automatic cyber liability insurance for UK domiciled organisations with less than £20m turnover (terms apply).

Depending on your organisation's in-house knowledge and skill levels, we offer an option for a consultant to work with you to complete the assessment documentation. Please contact us for further information regarding the Cyber Essentials certification options outlined below.


Option One

Self-assessment  - no assistance

  • Access to assessment portal

  • Formal verification of submitted questionnaire

  • Issue of Cyber Essentials report and award of Cyber Essentials (subject to successful verification)*

Option Two

Self-assessment with some assistance 

  • Access to assessment portal

  • Pre-submission readiness review

  • Formal verification of questionnaire

  • Telephone/email support during certification process 

  • Issue of Cyber Essentials report and award of Cyber Essentials (subject to successful verification)*

Option Three

Full assistance

  • Initial call to discuss assessment scope/infrastructure etc.

  • Access to assessment portal

  • Production of initial questionnaire responses in conjunction with client

  • Pre-submission readiness review

  • Formal verification of questionnaire

  • Telephone/email support during certification process 

  • Issue of Cyber Essentials report and award of Cyber Essentials (subject to successful verification)*

* If initial submission is unsuccessful, advice will be provided as to improvements to be made. Re-verification will then be provided at no additional cost.

Cyber Essentials Plus Certification

This certificate is awarded upon successful completion of an independent technical audit of the organisation, which builds on a current Cyber Essentials self-assessment certificate. The technical audit is carried out on site using industry-standard vulnerability assessment tools. Please contact us for further information regarding Cyber Essentials Plus certification.


Cyber Essentials Plus test scope

  • Up to one day* of on-site/remote testing, including the following:

  • Audit of the organisation's externally facing IP addresses at the network perimeter for exposed ports and services

  • Vulnerability assessment of web-based applications (if used)

  • Vulnerability assessment of desktops, laptops and mobile devices (missing patches and updates)

  • Issue of test report and award of Cyber Essentials Plus (subject to successful verification)**

* If more than one day on-site is required, due to organisational size/complexity or as the result of client technical issues, this may result in additional charges being incurred by the client.

** If initial submission is unsuccessful, advice will be provided as to improvements to be made. Re-verification will then be provided at no additional cost.

IASME Governance Standard certification

The IASME Governance Standard was developed as an affordable and achievable alternative to the ISO/IEC 27001:2013 standard for information security management systems (ISMS).

It allows organisations to demonstrate that they have formal governance measures in place and that they are taking care of both their own and more importantly their customers' information.

Compliance with the IASME standard can also be viewed as a first step for organisations looking to implement the ISO standard, as many foundation elements are contained within the IASME standard.

The scope of the IASME Governance Standard covers the following areas, which correspond to the NIST Cybersecurity Framework functions:

  • Identify

    • Planning

    • Organisation

    • Assets

    • Assessing the Risks

    • Legal and Regulatory landscape

    • People

  • Protect

    • Policy Realisation

    • Physical & Environmental Protection

    • Secure Business Operations

    • Access Control

  • Detect and Deter

    • Malware and Technical Intrusion

    • Monitoring, Review & Change

  • Respond and Recover

    • Backup and Restore

    • Incident Management

    • Business Continuity,  Disaster Recovery and Resilience

In terms of compliance options, organisations can complete the IASME Governance questionnaire (which includes the Cyber Essentials and GDPR-related questions) as a self-assessment, which is subsequently verified; alternatively they can complete the questionnaire and receive an on-site verification audit. If an organisation passes the on-site audit it is awarded the IASME 'Gold' certification.

The IASME Governance Standard compliance 'option' is often included with the Cyber Essentials or Cyber Essentials Plus certification (the latter requires an on-site visit), or it can be carried out as a separate item following initial certification to Cyber Essentials/Plus. Please contact us for further information regarding IASME Governance Standard certification.


IASME standard (self-assessment)

  • Access to assessment portal

  • Verification of questionnaire responses

  • Telephone/email support during certification process 

  • Award of IASME compliance (subject to successful verification)**

IASME standard (on-site audit)

  • Access to assessment portal

  • Formal verification of questionnaire through on-site audit visit (up to one day*)

  • Telephone/email support during certification process 

  • Award of IASME Bronze/Silver/Gold level compliance (subject to successful verification)**

* If more than one day on-site is required, due to organisational size/complexity or as the result of client technical issues, this may result in additional charges being incurred by the client.

** If initial submission is unsuccessful, advice will be provided as to improvements to be made. Re-verification will then be provided at no additional cost.

General Data Protection Regulation (GDPR) readiness

The GDPR is an EU regulation, in force since 25 May 2018, that governs data protection and privacy for all individuals within the European Union. It also regulates the transfer of personal data outside the EU.

The UK's Information Commissioner's Office (ICO) has published guidance for businesses to help them ensure that they comply with the regulation.


The GDPR readiness 'option' can be included with the Cyber Essentials or Cyber Essentials Plus certification (the latter requires an on-site visit) or with the IASME Governance Standard audit, or it can be carried out as a separate item following initial certification to Cyber Essentials/Plus. Please contact us for further information regarding GDPR readiness assessment.

© 2019 Synovum Limited