11 October 2016

For organisations that want to demonstrate that they take cyber security seriously but aren’t quite ready for ISO 27001, Cyber Essentials certification could be the answer. In this latest blog, Redscan provides an overview of this recognised scheme designed to help protect businesses against hackers, malware and other common threats.


Cyber Essentials is a government-backed and industry recognised initiative designed to raise cyber security awareness and help businesses mitigate common internet-based threats that have the potential to cause severe financial and reputational damage.

UK Government research suggests that three quarters of small businesses have suffered an information security breach at some point, and with a continual stream of high-profile cases in the news, many organisations are waking up to the advantages of implementing defensive measures that adhere to recognised standards.

Organisations that have achieved Cyber Essentials certification not only benefit from enhanced protection of vital data and assets, they enjoy many commercial and competitive advantages too. By demonstrating to customers, partners and regulators that security is taken seriously, certified organisations receive preferential treatment when bidding for key contracts, reduce the risk of being subjected to legal action in the event of a breach, and can even take advantage of free cyber security liability insurance.

For small and medium-sized organisations, Cyber Essentials represents a quick and cost-effective way to demonstrate growing cyber security maturity before undertaking a more comprehensive assessment such as ISO 27001. Having established itself as a de facto minimum standard of cyber hygiene, the scheme has been hailed by SC Magazine as ‘potentially having a greater impact on improving information security in the UK than any other single initiative.’

Discover what it takes to pass

The Cyber Essentials security framework is based on analysis of common attack vectors that affect a wide range of enterprise-level and corporate IT systems. These include threats such as malware infections, social engineering attacks and hacking.

By completing a self-assessment questionnaire, organisations are alerted to common vulnerabilities affecting key assets including network devices, firewalls, websites and applications. Exposures range from insecure configuration of devices through to unsafe credentials and out-of-date software.

Completion of the Cyber Essentials questionnaire is ideally suited to IT professionals with knowledge of the participating company’s network infrastructure and assets. Answering the required questions takes just a few hours, although large organisations with multiple sites should allow more time. An advantage of the scheme is that organisations are able to define the scope of the assessment, so certification can be sought for an entire business or a subset of it.

Upon completion, a business owner or company director must sign off the questionnaire and forward it to a qualified Cyber Essentials certification body, such as Redscan, for independent verification. Certification is awarded provided the organisation avoids a ‘major fail’ status in every area of the framework. Any minor fails or observations are detailed in a final summary report.

Talk to our security experts about Cyber Essentials certification for your business.

The benefits of Cyber Essentials Plus

Cyber Essentials Plus is a more advanced level of certification and is recommended for businesses that want to undertake a more detailed assessment to demonstrate a higher level of security assurance. Unlike the core qualification, Cyber Essentials Plus requires companies to undergo an on-site inspection by Redscan, or another certification body, to verify the findings of the in-house questionnaire and identify vulnerabilities that a self-assessment could easily overlook.

Certification with Cyber Essentials Plus also involves internal and external vulnerability assessments to identify vulnerabilities affecting company IP addresses and websites. It also requires testing of a company’s ability to block malicious email content and attachments.

Where an organisation undergoing Cyber Essentials Plus certification has multiple sites within the scope of the assessment, a sample of up to 30% of the defined estate may need to be visited.

A great starting point to achieve ISO 27001

For organisations serious about limiting their exposure to threats, Cyber Essentials certification is an excellent way to demonstrate awareness of common security vulnerabilities. The scheme is a great precursor to more robust information security management standards and frameworks like ISO 27001, which involve more intensive assessment of people, processes and technology. Organisations looking to achieve Cyber Essentials certification will quickly discover that obtaining a recognised cyber security standard offers many commercial and reputational benefits.

About Redscan

Redscan is a UK-based provider of managed threat detection and incident response services that help businesses defend against today’s sophisticated cyber-attacks. As one of the most highly accredited security companies in the UK and an IASME licensed Cyber Essentials certification body, Redscan possesses the skills and expertise to help organisations manage their information security risk.
