# Cyber Essentials (UK)
Cyber Essentials is a UK government-backed cybersecurity certification scheme that helps organizations protect themselves against the most common cyber attacks. Developed by the National Cyber Security Centre (NCSC) in partnership with industry, the scheme defines five technical security controls that, when properly implemented, can prevent approximately 80% of cyber attacks. The certification comes in two levels: Cyber Essentials (self-assessment) and Cyber Essentials Plus (verified by an external assessor through hands-on testing).
Cyber Essentials defines five foundational security controls:
1. Firewalls: Ensure that devices connected to the internet are protected by a properly configured firewall or equivalent network device. This includes boundary firewalls, host-based firewalls, and router configurations. Default administrative passwords must be changed, and only necessary network services should be accessible.
2. Secure Configuration: Configure computers, devices, and software to reduce vulnerabilities. Remove unnecessary software, change default passwords, disable auto-run features, and ensure only necessary user accounts exist with appropriate privileges.
3. User Access Control: Control who has access to data and services. Use unique user accounts, grant only the access needed for each role, implement strong password policies (minimum 8 characters for regular accounts, 12 for administrative), and use multi-factor authentication where available.
4. Malware Protection: Protect against malware through at least one of: anti-malware software configured for automatic updates and scanning, application whitelisting, or sandboxing. Keep anti-malware signatures updated and scan files automatically on access.
5. Security Update Management (Patching): Keep devices and software up to date. Apply critical and high-severity patches within 14 days of release. Remove unsupported software or isolate it from the network. Enable automatic updates where possible.
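As an added illustration of the patching control (example code, not part of the original article or any scheme tooling), the check below audits a constructed software inventory against the 14-day window for critical and high-severity fixes and flags unsupported software; the record fields and sample data are assumptions.

```python
"""Audit a software inventory against the Cyber Essentials patching control."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW_DAYS = 14                      # critical/high fixes applied within 14 days of release
IN_SCOPE_SEVERITIES = {"critical", "high"}  # lower severities are outside the 14-day requirement


@dataclass
class PatchRecord:
    """One installed product on one host (field layout is an assumption for this example)."""
    host: str
    software: str
    severity: str              # vendor rating of the outstanding or applied fix
    released: date             # date the vendor published the fix
    installed: Optional[date]  # None means the fix is still missing
    supported: bool = True     # False means the vendor no longer issues updates


def evaluate(record: PatchRecord, today: date) -> Optional[str]:
    """Return a finding for a non-compliant record, or None when it complies."""
    if not record.supported:
        return f"{record.host}: {record.software} is unsupported; remove it or isolate it from the network"
    if record.severity.lower() not in IN_SCOPE_SEVERITIES:
        return None
    deadline = record.released + timedelta(days=PATCH_WINDOW_DAYS)
    if record.installed is None:
        if today > deadline:
            return (f"{record.host}: {record.software} {record.severity} fix missing, "
                    f"{(today - deadline).days} days past the 14-day deadline")
        return None  # still inside the window
    if record.installed > deadline:
        return (f"{record.host}: {record.software} {record.severity} fix applied "
                f"{(record.installed - deadline).days} days late")
    return None


def audit(records: List[PatchRecord], today: date) -> List[str]:
    """Collect findings for every record that breaches the control."""
    return [f for f in (evaluate(r, today) for r in records) if f]


# Constructed sample inventory (hosts, products and dates are made up).
SAMPLE = [
    PatchRecord("ws01", "Browser X", "critical", date(2024, 5, 10), date(2024, 5, 15)),
    PatchRecord("ws02", "Browser X", "critical", date(2024, 5, 10), None),
    PatchRecord("srv01", "Office suite", "high", date(2024, 5, 1), date(2024, 5, 20)),
    PatchRecord("srv02", "Legacy app", "low", date(2024, 4, 1), None),
    PatchRecord("srv03", "Old OS", "critical", date(2024, 1, 1), None, supported=False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, date(2024, 6, 1)):
        print(finding)
```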
Certification process:
Since April 2023, the scheme has included requirements for cloud services, home-working devices, and multi-factor authentication.
Cyber Essentials is mandatory for UK government contracts involving the handling of sensitive or personal information. Beyond government procurement, it has become a widely recognized baseline standard across UK industries. Insurance providers often offer better terms to certified organizations. Supply chain partners increasingly require it as a minimum security standard.
The scheme succeeds because of its simplicity. Rather than overwhelming small and medium businesses with comprehensive frameworks like ISO 27001 or NIST CSF, Cyber Essentials focuses on five actionable controls that address the most common attack vectors. This makes it achievable for organizations without dedicated security teams.
The data supports its effectiveness. NCSC analysis shows that Cyber Essentials controls mitigate the vast majority of commodity cyber attacks: phishing, ransomware, password attacks, and exploitation of unpatched vulnerabilities.
Cyber Essentials maps to CDA's Security Posture & Hygiene (SPH) domain under the Autonomous Posture Command (APC) methodology. We view it as an excellent starting point, not a destination. The five controls align closely with our foundational posture assessment in M-SPH-R01.
CDA's operational approach:
CDA recommends Cyber Essentials Plus (externally verified) over the basic self-assessment. Self-assessment introduces the risk of unconscious gaps. External verification provides genuine assurance that the controls are working as intended.
For organizations outgrowing Cyber Essentials, CDA provides a clear escalation path through the PDM domains to more comprehensive frameworks like ISO 27001 and NIST CSF.
Written by Evan Morgan