ISMS.online Achieves Cyber Essentials Certification First Time
Table Of Contents:
We are delighted to share that ISMS.online has achieved Cyber Essentials certification, adding additional levels of trust to our services and confirming robust and effective cybersecurity controls across our organisation. You can review our certification and the many other cyber standards we maintain in our Trust Centre.
Having undergone the process of attaining Cyber Essentials (CE), we want to share some of what we learned along the way, defining the certification, why you might need to acquire it and what approaches organisations can take to achieve it.
What is Cyber Essentials?
Cyber Essentials, although less broad than standards such as ISO 27001, has a more technical slant concerning your devices and network configuration. It covers five areas:
- Firewall implementation
- Secure configuration of network and user devices
- Security update management,
- User access control
- Malware protection
Cyber Essentials represents the UK Government’s baseline standard for cybersecurity in the UK and is managed by the IASME consortium.
There are two levels of assessment:
-
Cyber Essentials
– is an independently verified self-assessment, where organisations assess themselves against five basic security controls, and a qualified assessor verifies the information provided.
-
Cyber Essentials+
– is a technical audit where an assessor visits the organisation’s offices to conduct tests. The CE+ audit needs to be completed within three months of CE certification.
The cost of Cyber Essentials certification depends on the size of your organisation and, for Cyber Essentials+, the size and complexity of your network.
Why Should Organisations Pursue Cyber Essentials Certification?
Why, you may ask, should you consider Cyber Essentials if you already are ISO 27001 & ISO 27701 certified? There may be several reasons:
- It is a contractual requirement from a customer (and often a need for Government contracts)
- Builds trust and reassures customers that you have specific technical implementations
- to secure your IT against cyber-attacks
- Attracts new business in the knowledge that you have cyber security measures in place
- An added benefit is that your organisation may be eligible for free cybersecurity insurance upon CE certification. Full details can be found at: IASME.co.uk.
Practical Approaches to Cyber Essentials Certification
A new set of requirements for IT infrastructure (v3.1), also known as the Montpelier profile, was issued earlier this year in April 2023 by the NCSC. This is an essential read for all organisations approaching assessment to understand the CE compliance requirements. A specific question asks if this document has been read as part of the certification process.
It is also good to download the complete question set in preparation for the assessment and before submitting your answers via the online portal. The question set can be downloaded for free from the IASME website. An invitation to the online portal is sent to your nominated representative once the assessment fee has been paid.
A Cyber Essentials readiness tool is also available from IASME to help prepare for CE if required.
How ISMS.online Approached Cyber Essentials Certification
We assembled a small team and reviewed the requirements document and the question set to determine any areas needing any potential policy or configuration changes.
It’s worth highlighting that it is required to specify all user and network devices, including operating system version numbering and any cloud services used. The organisation’s IT manager should be a vital team member involved in the assessment.
An early consideration for the team was the scope of the assessment. We recommend that the whole organisation be considered in scope for the assessment, as with other types of certifications. It is also noteworthy that your organisation is only eligible for free cyber insurance if the whole organisation is in scope.
It was then a matter of answering questions covering the five technical areas relating to our network and user devices. Not an exhaustive list and reference should always be made to the requirements document and question set; however, some important considerations are:
- Firewalls must be deployed at network boundaries – if home workers are using devices, not using a VPN, software firewalls need to be included in the OS of the devices.
- It is necessary to detail all user and network devices, including operating systems, versions, and mobile devices. Note: Although not a specific CE control, asset management should be considered a core security function and can help meet the technical controls.
- All the cloud services that the organisation uses are also in scope.
- All applications’ high-risk and critical security updates must be installed within 14 days of release. This also includes firmware on firewalls and routers.
- It is required to have technical controls and policies relating to user and admin accounts and authentication. MFA needs to be used for all Cloud services.
- All devices must be protected from malware either by having anti-malware software installed and/or limiting the installation of applications, e.g., by using an app store.
If you have already considered information security controls or are compliant with ISO 27001, your existing policies will help answer some questions.
Our Top Tips for Approaching Cyber Essentials
- The Requirements for IT Infrastructure (v3.1) document guides what is considered in and out of scope concerning BYOD, remote working, wireless devices, user devices and cloud services.
- Responsibility for the implementation controls, whether the organisation or the cloud provider, will depend on the type of cloud service: IaaS, PaaS, or SaaS.
- There is also guidance in the free-to-download Montpelier question set, indicating where the requirement is mandatory for compliance. The assessment team should review the question set before the submission via the portal.
- The self-assessment response has to be attested by a member of the organisation’s executive team before submission to the independent assessor can be completed.
- You may receive some feedback for further clarification or required changes. It is necessary to complete any changes within two working days before re-submission.
Once you have completed the process successfully, you will be notified that you have passed Cyber Essentials certification, and your organisation, too, can demonstrate to your customers and prospects that you have secured your IT against cyber-attacks. Your certificate will be valid for 12 months.
Your Cyber Essentials Success Story Starts Here
If you’re looking to start your journey to Cyber Essentials compliance, ISMS.online can help.
Our compliance platform enables a simple, secure and sustainable approach to data privacy and information management with Cyber Essentials and over 100 other frameworks, including ISO 27001, NIST, GDPR, HIPPA and more. Realise your competitive advantage today.