The Cyber Essentials Scheme identifies the security controls that organisations must have
in place within their IT system in order to have confidence that they are beginning to
mitigate the risk from internet-based threats.
The Scheme focuses on five essential mitigations within the context of the ‘10 Steps to
Cyber Security’. It provides organisations with guidance on implementation as well as
offering independent certification for those who need it. Whilst the Scheme provides a basic but
essential level of protection in itself, organisations that believe they are good at cyber
security can also make this a selling point – demonstrating to their customers that they
take cyber security seriously.
In 2012 HMG launched its ‘10 Steps to Cyber Security’ guidance to encourage
organisations to consider whether they were managing their cyber risks. It raised the need
for company Boards and senior executives to take ownership of these risks and enshrine
them within their overall corporate risk management regime. This initiative continues to
gain traction. However, government analysis of continuing attacks and feedback from
industry vulnerability testers has identified that a number of security controls are still not
being applied, leaving organisations vulnerable to threat actors with low levels of technical
We view the adoption of an organisational standard for cyber security as the next stage on
from the 10 Steps to Cyber Security guidance - enabling businesses, and their clients and
partners, to have greater confidence in their ability to reduce the risk posed by threat
actors with low levels of technical capability, independently tested where necessary.
The Cyber Essentials Scheme follows on from a call for evidence on a preferred
organisational standard in cyber security carried out by Government together with industry,
which concluded in November 2013.
Government has therefore worked with industry to develop new requirements. This is the
'Cyber Essentials' scheme, which focuses on basic cyber hygiene. IASME, Information
Security Forum (ISF), and the British Standards Institution (BSI) have collaborated on the
project. Other organisations, including professional bodies and individual businesses, have
provided technical advice.
There are three proposed levels of certification:
- Bronze – based on a self-assessment
- Silver – based on an independently verified testing process
- Gold – based on an independently verified testing process combined with an audit
In summer 2014, organisations will be able to engage with a company like CNS Group to be independently verified for certification.
The Cyber Essentials Scheme covers five key areas:
Secure configuration basics
- The security measures required when building and installing computers and network devices to reduce unnecessary vulnerabilities.
Boundary firewalls and internet gateways
- Providing a basic level of protection where an organisation connects to the Internet.
Access control and administrative privilege management
- Protecting user accounts and helping prevent misuse of privileged accounts.
Patch management
- Keeping the software used on computers and network devices up to date and resisting low-level cyber attacks.
Malware protection basics
- Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware), including options for virus removal, which will protect your computer, your privacy, and your important documents from attack.