UK Launches Scheme to Measure Security Preparedness

The Cyber Essentials scheme addresses the need to create a baseline for UK cybersecurity, building on the government’s 10 Steps to Cyber Security guidance. The idea is to enable an independent assessment of the essential security controls that organizations should have in place to have a level of confidence that they are mitigating risks from internet-based threats.

The scheme has been developed following consultation with the British Standards Institution (BSI), Information Assurance for SMEs Consortium Ltd (IASME) and the Information Security Forum (ISF), as well as businesses and professional bodies. It’s funded by the government through the National Cyber Security Programme.

Also, CREST, the not-for-profit organization that represents the technical information security industry, has been working closely with CESG, the information security arm of GCHQ, to develop the assessment framework for the Cyber Essentials Scheme, which is now available for external consultation. CREST, through its membership, has managed a number of successful early pilot assessments against this framework.

“The Cyber Essentials scheme provides organizations of all sizes and from all sectors the assurance through independent assessment that they have key technical controls in place to manage certain cyber risks and can demonstrate that they have invested in cybersecurity,” said Ian Glover, president of CREST, in a statement. “We have to recognize that many organizations need to measure and prove that certain fundamental security controls are present and they need to achieve this in a cost-effective way.”

While for some organizations and systems this level of assessment will be sufficient, CREST expects that for the majority it will form the basis of more detailed penetration testing and other assurance-related activities.

“We welcome this initiative, which fills an important gap in enabling organizations, particularly SMEs, to understand the most important technical aspects of cyber security protection,” said David Booth, managing director of IASME. “It fits nicely into IASME’s wider governance approach to information assurance for small companies.”

Organizations can now assess themselves against the Cyber Essentials profile and implement the controls. The full scheme, including external assessment and adoption of an authorized Cyber Essentials badge, will be launched in summer 2014.
 
