Cyber Essentials helps keep businesses secure through the assessment of five controls:
- The use and proper configuration of firewalls
- The implementation of secure settings for devices and software
- The use of access control management
- The implementation of antimalware software and other methods
- The configuration of automatic updates for devices and software
The certification is designed to secure organisations against a specific (although common) threat where an attacker is using publicly available tools and techniques, writes Cyber Security Technician Thomas Boughton.
IT managers may often ask “Why do I need Cyber Essentials if I already follow other standards?”
Like many other standards, the true value of Cyber Essentials is determined by how an organisation has implemented and followed the spirit of the standard.
Cyber Essentials assessments can only be carried out by registered Certification Bodies, which contrasts with some alternative standards. For example, ISO/IEC 27001 can technically be assessed by any organisation, although it should be noted that for an independent assessment, the assessing body should be UKAS certified.
This means that unlike other certifications, you will always get an approved and independent assessment with Cyber Essentials.
Scoping for Cyber Essentials is also handled differently to its alternatives. Where in other assessments you may remove devices and networks from scope for various reasons, the scope definition in Cyber Essentials is strict about what can be removed. For example, if any mobile or end user devices handle company data, they must remain in scope.
Applying for Cyber Essentials can act as the first step towards effective cyber security in an organisation and can also be required for contracts and partnerships with other companies.
As all assessments are approved and independent, Cyber Essentials can also demonstrate “good practice” to stakeholders and other companies.
In conclusion, while there are many alternatives to Cyber Essentials, the benefits and affordability of the scheme, if applied correctly and with a realistic result in mind, cannot be ignored when compared to other standards.
Indelible Data offers comprehensive support for both Cyber Essentials Basic and Cyber Essentials Plus. Our expert assessors can help you navigate the most awkward rules and requirements in Cyber Essentials. Please see below for more information.
This blog is based on an original article by the National Cyber Security Centre. Read the NCSC article here.