The UK Government has launched a new cyber security certification framework called “Cyber Essentials“.
This is part of a continuing effort to get business to take cyber security seriously in the wake of the recent Target, ebay and other breaches. It follows the UK’s 2012 initiative on “10 Steps to Cyber Security”. It is backed by the American International Group Inc, British Insurance Brokers Association, the International Underwriting Association, Marsh and Swiss Re as well as the UK Government.
What does Cyber Essentials involve?
Basically, the organisation self-assesses its systems against Cyber Essentials requirements. The assessment is then independently verified. This is the low cost option.
Organisations can also be independently tested (so called “Cyber Essentials Plus”). Certification bodies will offer the test and verification searches.
Cyber Essentials concentrates on five key controls:
• Boundary firewalls and internet gateways
• Secure configuration
• Access control
• Malware protection
• Patch management.
What does this achieve?
Cyber Essentials will offer a basic level of “cyber hygiene” but will not address more advanced targeted attacks that many of the big brands have suffered recently. It isn’t a comprehensive risk management programme of the sort that large organisations will be required to have in place. So all that money spent on ISO 27000 has not been wasted!
Nevertheless, Cyber Essentials aims to provide “basic protection from the most prevalent forms of threats coming from the Internet” and “cost effective basic cyber security for organisations of all sizes”.
Any impact for large organisations?
Large organisations may be tempted to get the badge. It can’t do any harm in dealing with consumers at a time when consumer unease about cyber security risk is increasing.
UK Government has also said that it will require all suppliers bidding for certain contracts which are assessed as “higher risk” to be Cyber Essentials certified. They say that this is likely to include ICT and personal and sensitive information handling contracts. So, many who provide services to the public sector will almost certainly need the badge.