As the IASME* Consortium takes over the management of the certification of Cyber Essentials (CE) Scheme, we look at what the changes will involve and why the scheme is still very much needed. We also share some of our tips for passing Cyber Essentials PLUS (CE+), which offers a higher level of assurance.
On April 1st, IASME will become the National Cyber Security Centre’s (NCSC) only CE Accreditation Body (AB). It will replace the current 5 Accreditation Bodies that have each had their own Certification Bodies (CBs).
This new arrangement, which the NCSC is keen to describe as a ‘partnership’, will greatly simplify matters and lead to a consistent minimum standard of expertise for everyone involved in implementing the scheme.
Ascentor and IASME
IASME and Ascentor go back a long way. In 2014, Ascentor was the first company to get external assessors trained and licensed to assess against the IASME Governance Standard, a cyber security standard designed as an affordable and achievable alternative to ISO 27001 that includes CE assessment and GDPR requirements.
Why you need Cyber Essentials – the threat is still real
The CE Scheme is government-backed and industry-supported and designed to help organisations protect themselves against common online threats. It sets out an organisational cyber security standard that, if applied appropriately, will protect businesses from the vast majority of low level basic cyber threats.
The scheme covers 5 key areas, or ‘technical controls’: firewalls, secure configuration, access control, malware protection and patch management.
CE is recommended by the government as the minimum protection all businesses should have. Obtaining it sends out a reassuring message to customers that you have taken cyber security and the threats faced seriously. If you’re bidding for a Government or MOD contract, you’ll find it’s mandatory.
Some six years after its launch, cybercrime still appears in the news on an almost daily basis – but it’s not just the large and high-profile organisations that are targeted by cyber criminals. Many smaller businesses don’t realise they are at risk too, which can be a very costly misunderstanding.
To illustrate this, the 2019 Cyber Security Breaches Survey issued by the Department for Digital, Culture, Media & Sport found that 60% of SME businesses, 61% of large businesses and 52% of high-income charities reported cyber attacks.
Why is Cyber Essentials changing?
Over 30,000 UK businesses have gained CE certification since its launch in 2014 and this number is growing year on year. However, the NCSC wanted to check that it was still serving its purpose.
It found that, with all the different ABs and CBs, things were being done in different ways. The user journey to certification was perceived as complicated; organisations wanted more than certification – they wanted help in implementing the controls and maintaining them. There was confusion about the scope of CE assessments and about the validity of certificates – a cause for concern for those looking for confidence in their supply chain.
The NCSC also recognised that organisations use technology in different ways than when the scheme started – such as the cloud and shared office services.
Because CE is a certification process, the NCSC wanted to ensure that the focus on achieving the certificate didn’t get in the way of the main objective: educating organisations on good cyber security and getting everyone to understand the basics.
So, what is changing?
In short, a number of updates that will add value to the scheme. These include:
Advisory services – to help organisations improve their basic IT security.
Measurement – introducing ways to measure the difference implementing CE is making.
Feedback on controls – to ensure that the scheme keeps pace with the technology CE customers are using and new or emerging cyber threats.
Additional levels – establishing whether there is a need for additional levels, both below and above the current options of CE and CE+.
Scope of certification – making it easier and more intuitive to understand what a certificate covers, which in turn will help those who rely on a CE or CE+ certificate for the security of their supply chain.
Automation – exploring innovative automated technical solutions to deliver certification services.
However, after a review, there are no plans to change the technical standards ahead of the transition to IASME. The success of the CE Scheme means that it remains at the heart of the UK Government’s National Cyber Security Strategy.
The NCSC has recently updated its Cyber Essentials FAQ page on the changes and we recommend you visit this for a full summary.
Gaining certification from April 1st
All certification processes will be standardised through IASME and will need to be completed using the IASME self-assessment questionnaire.
Having been involved since the beginning, Ascentor has extensive experience of working with the IASME documentation. While certification is possible through any IASME appointed Certification Body from April 1st, we have recently revised our own routes to certification.
Recognising that some organisations would benefit from on-going support throughout the process, we now offer two routes to certification for both CE and CE+. There’s our Expert Support route and the Self-Service option.
Tips for passing Cyber Essentials PLUS
We believe it is worth the extra work and investment – take a look at what’s involved in our “Tips for Passing CE+” article. It covers vulnerability scans, antivirus (AV) checks, email checks and checking that software is up to date; it also shares some of our preparation tips and an insight into our process. Read it here.
To give you confidence in passing CE+, rest assured that in every case where clients have followed our advice at CE+ level, they’ve passed first time.
In standardising the CE certification process, the NCSC is looking to make the UK the safest place to live and work online. It not only wants the process to be more streamlined and consistent for organisations, it also wants the process to educate and inform, ensuring that everyone understands the basics of cyber security.
Over the years, we’ve worked closely with IASME and are looking forward to how they will develop the CE Scheme once they are the sole NCSC certification partner.
*IASME is an abbreviation of Information Assurance for Small and Medium Enterprises