
ISMS.online’s Cyber Essentials Top Tips After Our Recertification Success

We’re thrilled to share that ISMS.online has achieved recertification to Cyber Essentials, the UK government-backed cybersecurity scheme. Our recertification confirms that we have continued to address vulnerabilities and implement effective cybersecurity controls across the business, ensuring a robust defence against a range of cyber threats.

You can review ISMS.online’s Cyber Essentials certification and the many other cyber standards we maintain in our Trust Centre.

With our successful recertification to Cyber Essentials, we’re sharing information about the Cyber Essentials scheme, insights from our IMS Manager, Mike Jennings, into what we learned during recertification, and the approaches your organisation can take to achieve certification.

What Is Cyber Essentials?

The Cyber Essentials scheme, backed by the UK government, allows organisations to demonstrate their commitment to cybersecurity and prevent the most common cyber attacks, which often rely on an organisation’s lack of preparedness.

Certification is required for organisations bidding for some government contracts, such as those which involve handling sensitive and personal information or providing certain technical products or services.

Cyber Essentials covers five core areas:

  • Firewall implementation
  • Secure configuration of network and user devices
  • Security update management
  • User access control
  • Malware protection

Levels of Cyber Essentials Assessment

Cyber Essentials involves a self-assessment. Organisations assess themselves against the five areas covered by Cyber Essentials, and a qualified assessor independently verifies the information provided.

Cyber Essentials Plus is a technical audit in which an assessor visits the organisation’s offices to conduct tests. It must be completed within three months of Cyber Essentials certification.

The cost of Cyber Essentials certification depends on the size of your organisation and, for Cyber Essentials Plus, the size and complexity of your network.

Why Should My Organisation Get Cyber Essentials Certified?

Mike Jennings, IMS Manager at ISMS.online, says: “Not only does Cyber Essentials ensure that you are running your organisation securely by providing best-practice basic information security policies and controls, but it also enhances your reputation as a trusted supplier. In addition, certification can provide a level of ‘free’ cyber insurance subject to certain criteria.”

If you are already ISO 27001 and ISO 27701 certified, there are still several reasons to consider Cyber Essentials certification for your business:

  • You may have a customer that contractually requires your organisation to be certified (and, as mentioned, certification is often a need for government contracts)
  • Cyber Essentials certification builds trust and reassures customers that you have specific technical implementations
  • You can better secure your IT systems against cyber attacks
  • Certification may attract new prospects and new business in the knowledge that you have cyber security measures in place
  • Upon Cyber Essentials certification, your organisation may be eligible for free cybersecurity insurance. Full details are available at IASME.co.uk.

Mike shares: “Having an ISO 27001 compliant information security management system (ISMS) helps enormously in achieving Cyber Essentials certification, as many of the policies and controls are already established and can provide evidence to satisfy the CE requirements, making the process more efficient. 

“There are some subtle differences in the information required for CE compared to ISO 27001; however, with the help of the CE framework provided by ISMS.online, this information is easily recordable and accessible, all in one place.”

How to Approach Cyber Essentials Certification

An updated set of requirements for IT infrastructure (v3.1) was issued in April 2023 by the National Cyber Security Centre (NCSC). This set of requirements, known as the Montpellier profile, is a vital read for all organisations considering assessment to understand what is required for Cyber Essentials compliance. In fact, as part of the certification process, you’ll be asked if you’ve read this document.

You can also download the complete question set in preparation for the assessment and before submitting your answers via the online portal. The question set can be downloaded for free from the IASME website. An invitation to the online portal is sent to your nominated representative once the assessment fee has been paid.

A Cyber Essentials readiness tool is also available from IASME to help your business prepare for compliance.

Mike says, “There is certain information that you have to share for Cyber Essentials that is not a requirement for ISO standards’ compliance. This mainly relates to identifying the software builds of the End User asset base to ensure that they comply with the latest releases that are still supported by security upgrades. 

“This highlights the subtle differences between CE and ISO 27001 compliance, where CE is more rigid and binary in its requirements compared to ISO 27001 that is risk based and allows for some flexibility dependent on the level of risk and how that is managed.”

How ISMS.online Approached Cyber Essentials Recertification

Your IT manager’s involvement is vital to the assessment, as you must specify all user and network devices, including operating system version numbering and any cloud services used.

With our IT manager involved, we put together our dedicated Cyber Essentials assessment team. The team then reviewed the Cyber Essentials requirements document and question set to identify any areas needing policy or configuration changes.

Mike adds: “This was a re-certification of CE, so we were already aware of the Montpellier requirements, although it was necessary to check whether any subtle changes occurred in requirements compared to last year. There seemed to be more granularity required in OS build levels to satisfy requirements this year. We also had to upgrade one of our systems’ OS levels.”

We also considered the scope of the assessment. As with other types of certifications like ISO 27001, we recommend that the whole organisation be included in the scope of your Cyber Essentials assessment. Your organisation is only eligible for free cyber insurance if the whole organisation is in scope.

Once the scope was decided, the team answered questions covering the five technical areas relating to our network and user devices. The list below is not exhaustive, and references should always be made to the requirements document and question set. That said, important considerations include:

  • Firewalls must be deployed at network boundaries. If home workers are using devices without a VPN, the software firewalls in the devices’ operating systems need to be in use.
  • You must detail all user and network devices, including operating systems, versions, and mobile devices. Note: Although not a specific Cyber Essentials control, asset management should be considered a core security function and can help your organisation meet the technical controls.
  • All the cloud services that your organisation uses are also in scope.
  • All applications’ high-risk and critical security updates must be installed within 14 days of release. This also includes firmware on firewalls and routers.
  • You must have technical controls and policies for user and admin accounts and authentication. Multi-factor authentication needs to be used for all cloud services.
  • All devices must be protected from malware, by installing anti-malware software and/or limiting the installation of applications, e.g. by using an app store.
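Two of the points above (a complete device inventory with OS versions, and the 14-day window for high-risk and critical updates) are the ones an assessment team most often has to evidence from data rather than policy. The script below is an added illustration of how such an inventory review can be automated; it is not ISMS.online’s tooling and is not part of the Cyber Essentials scheme. The supported-version table, the asset list and the review date are all constructed for the example; in practice the supported builds come from each vendor’s lifecycle pages and the pending-update dates from your patch management system.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed example table of OS builds treated as still receiving security
# updates. Hypothetical values: replace with the vendors' published lifecycles.
SUPPORTED_OS_VERSIONS = {
    "Windows": {"11 23H2", "11 24H2"},
    "macOS": {"14", "15"},
    "Ubuntu": {"22.04", "24.04"},
}

# Cyber Essentials requires high-risk and critical updates to be applied
# within 14 days of release.
PATCH_WINDOW_DAYS = 14

# Constructed review date used by the sample run below.
REVIEW_DATE = date(2024, 6, 1)


@dataclass
class Asset:
    hostname: str
    os_name: str
    os_version: str
    # Release date of the oldest high-risk/critical update not yet installed,
    # or None when the device is fully patched.
    oldest_pending_critical_update: Optional[date]


def check_asset(asset: Asset, today: date) -> List[str]:
    """Return the findings for one asset; an empty list means it passes both checks."""
    findings = []

    # Check 1: the OS build must still be supported with security updates.
    supported = SUPPORTED_OS_VERSIONS.get(asset.os_name, set())
    if asset.os_version not in supported:
        findings.append(
            f"{asset.hostname}: {asset.os_name} {asset.os_version} is not a supported build"
        )

    # Check 2: no critical update may be outstanding for more than 14 days.
    if asset.oldest_pending_critical_update is not None:
        age_days = (today - asset.oldest_pending_critical_update).days
        if age_days > PATCH_WINDOW_DAYS:
            findings.append(
                f"{asset.hostname}: critical update outstanding for {age_days} days "
                f"(limit {PATCH_WINDOW_DAYS})"
            )
    return findings


def review_inventory(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Check every asset; map hostname -> findings for the assets that fail."""
    results = {}
    for asset in assets:
        findings = check_asset(asset, today)
        if findings:
            results[asset.hostname] = findings
    return results


# Constructed sample inventory: one compliant laptop, one on an unsupported
# build with an old pending update, one with a recent pending update, one server.
SAMPLE_INVENTORY = [
    Asset("lap-001", "Windows", "11 23H2", None),
    Asset("lap-002", "Windows", "10 21H2", date(2024, 5, 1)),
    Asset("mac-001", "macOS", "15", date(2024, 5, 20)),
    Asset("srv-001", "Ubuntu", "22.04", None),
]


def sample_review() -> Dict[str, List[str]]:
    """Run the review over the constructed inventory at the constructed date."""
    return review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for host, findings in sample_review().items():
        for finding in findings:
            print(finding)
```

Only lap-002 is reported: its build is outside the supported table and its pending critical update is 31 days old. mac-001 has a pending update too, but at 12 days it is still inside the window, which is exactly the distinction an assessor will ask you to evidence.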

If you have already implemented information security controls or are compliant with ISO 27001, your existing policies will help answer some questions.

ISMS.online’s Top Tips for Achieving Cyber Essentials

  1. Use the Requirements for IT Infrastructure (v3.1) document to ascertain what is considered in and out of scope concerning bring your own device (BYOD), remote working, wireless devices, user devices and cloud services.
  2. Responsibility for implementing the controls, whether it sits with the organisation or the cloud provider, will depend on the type of cloud service: IaaS, PaaS, or SaaS.
  3. The Montpellier question set also provides guidance indicating where the requirement is mandatory for compliance. Your Cyber Essentials assessment team should review the question set before submission.
  4. Before it can be submitted to the independent assessor, the self-assessment response must be attested by a member of the organisation’s executive team.
  5. You may receive some feedback for further clarification or required changes. You must complete any changes within two working days before re-submission.

Once you have successfully completed the process, you will be notified that you have passed the Cyber Essentials certification. Certification lets your organisation demonstrate to your customers and prospects that you have secured your IT against cyber attacks. Your certificate will be valid for 12 months.

Your Cyber Essentials Success Story Starts Here

If you’re looking to start your journey to Cyber Essentials compliance, ISMS.online can help.

Our compliance platform enables a simple, secure and sustainable approach to data privacy and information management with Cyber Essentials and over 100 other frameworks, including ISO 27001, NIST, GDPR, HIPAA and more. Unlock your competitive advantage today.
