UK Government launches “Cyber Essentials” badge


The UK Government has launched a new cyber security certification framework called “Cyber Essentials”.

This is part of a continuing effort to get businesses to take cyber security seriously in the wake of the recent Target, eBay and other breaches. It follows the UK’s 2012 initiative on “10 Steps to Cyber Security”. It is backed by the American International Group Inc, British Insurance Brokers Association, the International Underwriting Association, Marsh and Swiss Re as well as the UK Government.

What does Cyber Essentials involve?

Basically, the organisation self-assesses its systems against Cyber Essentials requirements. The assessment is then independently verified. This is the low cost option.

Organisations can also be independently tested (so-called “Cyber Essentials Plus”). Certification bodies will offer the test and verification searches.

Cyber Essentials concentrates on five key controls:

• Boundary firewalls and internet gateways
• Secure configuration
• Access control
• Malware protection
• Patch management.

What does this achieve?

Cyber Essentials will offer a basic level of “cyber hygiene” but will not address more advanced targeted attacks that many of the big brands have suffered recently. It isn’t a comprehensive risk management programme of the sort that large organisations will be required to have in place. So all that money spent on ISO 27000 has not been wasted!

Nevertheless, Cyber Essentials aims to provide “basic protection from the most prevalent forms of threats coming from the Internet” and “cost effective basic cyber security for organisations of all sizes”.

Any impact for large organisations?

Large organisations may be tempted to get the badge. It can’t do any harm in dealing with consumers at a time when consumer unease about cyber security risk is increasing.

The UK Government has also said that it will require all suppliers bidding for certain contracts which are assessed as “higher risk” to be Cyber Essentials certified. They say that this is likely to include ICT and personal and sensitive information handling contracts. So, many who provide services to the public sector will almost certainly need the badge.



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising
