Cyber Essentials Scheme

Industry cyber security has really taken off since our post 12 months ago bringing its importance to the attention of Small and Medium-sized Enterprises (SME).

Our post encouraged our readers’ awareness of the October 2012 Government Communications Headquarters’ (GCHQ) 10 Steps to Cyber Security advice: “Don’t let cyber security become the agenda – put it on the agenda”.

Since then, the 2013 version of the ISO/IEC 27001 international standard for information security management was released in October last year and Regency Lead Auditors have been working hard with organisations in the UK and across Europe to help them meet the requirements of the Standard.

This summer saw the release of the UK Government’s Cyber Essentials Scheme (the Scheme). With industry backing, the scheme aims to promote a basic, but consistent level of information security throughout UK industry.

The Scheme echoes and supports the 10 Steps to Cyber Security, focusing however on only five technical security control areas, which are said to counter the most prevalent forms of low level non-persistent threats coming from the Internet. These control areas are as follow:

  1. Boundary firewalls and Internet Gateways. Organisational networks should be protected against unauthorised access and disclosure from the internet, using boundary firewalls, internet gateways or equivalent network devices.
  2. Secure configuration. Computers and network devices should be configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role.
  3. User access control. User accounts, particularly those providing privileged access should be assigned only to authorised individuals; they should be managed effectively and provide the minimum required level of access.
  4. Malware protection. Computers exposed to the internet should be protected against malware infection through the use of malware protection software.
  5. Patch management. Organisations should keep operating system and application software sufficiently up-to-date in order to avoid the exploitation of emerging vulnerabilities.

The Scheme provides a baseline of information security measures, giving participating organisations an opportunity to demonstrate by certification their cyber security acumen to customers, investors, insurers – and their competitors.

The Scheme has two levels of certification: the first, Cyber Essentials – requiring an organisation to complete a self-assessment questionnaire and for that questionnaire to be independently reviewed and verified by an external certifying body; and, the second, Cyber Essentials Plus – requiring, by way of a certifying body’s external and internal vulnerability testing, technical verification of the evidence provided by the organisation.

The Scheme does not replace the 10 Steps to Cyber Security or indeed ISO/IEC 27001, the latter receiving the greatest volume of support from industry in a recent Government study[1], and which has business influencing recognition from the international community. We strongly encourage organisations with ambitions to meet these more robust objectives to maintain them.

Although far yet from being a legal or regulatory requirement for UK industry, from 1st October 2014 the UK Government will require that all suppliers bidding for certain contracts which are assessed as higher risk to be Cyber Essentials certified. Those organisations already complying with the 10 Steps to Cyber Security, and especially organisations certified to ISO/IEC 27001 against a relevant scope, should exceed the requirements of Cyber Essentials and Cyber Essentials Plus and have few problems in achieving certification against the Scheme, as the evidence provided to meet these requirements can be easily aligned.

Regency security consultants hold CESG Listed Advisor Scheme (CLAS) certification, are qualified ISO/IEC 27001 Lead Auditors and are experienced in offering advice to satisfy the stipulations set out by the Scheme from our numerous information security compliancy, certification and accreditation engagements amongst the public and private sectors in the UK and abroad. We are also extremely familiar with the vulnerability testing processes having established mutually supportive relationships with a number of testing organisations throughout the UK. Organisations in need of support to interpret the requirements of the Scheme are encouraged to call Regency to discuss their specific systems and needs.


[1] The Department for Business Innovation & Skills’ Call for Evidence on a Preferred Standard in Cyber Security.