In 2012, HM Government launched the 10 Steps to Cyber Security guide to encourage organisations to consider their cyber security measures, and to ascertain whether organisations thought they were managing their cyber risks sufficiently. The guide was extremely well received, and raised awareness within company boards and amongst senior executives. Business leaders were encouraged to take ownership of their cyber risks and to build them into their overall corporate risk management regime.
Whilst the initiative gained good traction, HM Government’s analysis of continuing cyber attacks, and feedback from the cyber security industry at large, was that a number of security controls were still not being implemented effectively. This posed a concern for HM Government. With a remit to tackle cyber crime and a desire to make UK one of the most secure places in the world to do business in cyberspace, it was clear to HM Government that further initiatives were required.
The adoption of an organisational standard for cyber security was therefore seen as the next step on from the 10 Steps to Cyber Security guide. The rationale behind this was that it would enable organisations and their customers and partners, to have greater confidence in their ability to measure and reduce basic cyber risks, as they would be independently assessed, where necessary.
HM Government, together with industry, instigated a call for evidence on a preferred organisational standard in cyber security. Concluding in November 2013, the feedback received was that none of the existing standards for cyber security met the requirements, and that industry was prepared to help HM Government develop something more appropriate. The new requirements have now been embedded in the Cyber Essentials scheme.
The Cyber Essentials scheme is a cyber security standard, which organisations can be assessed and certified against. It identifies the security controls that an organisation must have in place within their IT systems in order to have confidence that they are addressing cyber security effectively and mitigating the risk from Internet-based threats.
The scheme focuses on the following five essential mitigation strategies within the context of the 10 Steps to Cyber Security guide.
- Boundary Firewalls and Internet Gateways
- Secure Configuration
- Access Control
- Malware Protection
- Patch Management
It provides organisations with clear guidance on implementation as well as offering independent certification for those who want it.
Whilst providing a basic but essential level of protection, the Cyber Essentials scheme enables organisations that believe they are practicing robust cyber security to benefit by making this a unique selling point thereby enabling business. Upon certification, they can then demonstrate to their customers that their data is adequately protected and that they take cyber security seriously.
There are two levels of certification which are described here.