We are very pleased and proud to have achieved Cyber Essentials and Cyber Essentials Plus in the last couple of months, not only because it is a demonstration of how seriously we take our clients’ data security but also because it shows that we can ‘walk the walk’ when it comes to the advice that we give our clients. (Note that you don’t need to get Cyber Essentials before Cyber Essentials Plus – you can go straight to the Plus level.)
In some ways our setup is simple (7 staff, no offices, consuming Microsoft 365 services and protected by MDM, MFA and Mimecast) but the remote nature of our work and the lack of the usual infrastructure such as servers or a corporate network caused some head-scratching – more for our auditors, Lawyer Checker, than ourselves!
Whilst not enforced on businesses, the Government have indicated that Cyber Essentials is to be the minimum accreditation expected. However, there is still some confusion over whether Cyber Essentials is all that is required, why you might aim for a higher-level accreditation and, if so, whether this should be Cyber Essentials Plus or an internationally recognised standard such as ISO 27001.
Cyber Essentials
Cyber Essentials is a UK government scheme, also supported by the NCSC (National Cyber Security Centre). Some clients will expect you to have this accreditation as a minimum and may include it in their supplier due diligence.
The certification process is managed by the IASME Consortium (IASME). You can initiate the accreditation process by contacting them directly or by engaging a supplier such as Lawyer Checker.
At present, Cyber Essentials certification is £300 plus VAT and is achieved by completing an online questionnaire-style audit which is assessed directly by IASME. You can engage a supplier to help with this. Generally, they will provide a service for you to self-certify through them, with minimal assistance, at the same £300 plus VAT cost. They will then offer different levels of support, on a costs scale, to either guide you through the process or run the process for you, and to assist with resolving issues.
The assessment covers five key elements:-
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Security update management
The questions are based on ensuring that each of these elements is protected in the event of relatively unsophisticated cyber incidents (which account for around 80% of attacks).
Once you submit your questionnaire you will receive a response which shows whether you have passed or failed on each question. If you have failed, it may be a case of providing additional information or the issue may be so significant that you will not pass unless you make changes to address it. For example, if you have any servers that are out of support and no longer receiving security patches, this will be a major failure and you will need to upgrade those servers in order to achieve Cyber Essentials accreditation.
The NCSC provide a Cyber Essentials questionnaire to help you consider whether you are ready to take this step: https://getreadyforcyberessentials.iasme.co.uk/questions
Cyber Essentials Plus
Cyber Essentials Plus essentially covers the same five key elements and protective measures as Cyber Essentials but it is externally audited to ensure you have implemented the processes and practices you have stated. In our case, Lawyer Checker scanned our devices to assess for vulnerabilities and adherence to patching and security policies. Some clients may require you to have this external verification to demonstrate your commitment to data security.
There are many suppliers that will provide this auditing service at an average cost of around £1,500 plus VAT (although this does appear to vary significantly across the suppliers reviewed).
ISO 27001
ISO 27001 is an international standard accreditation for information security, published by the International Organisation for Standardisation (ISO), in partnership with the International Electrotechnical Commission (IEC). It provides a framework for effective Information Security Management Systems (ISMS) and covers legal, physical and technical protective measures.
The aim of this accreditation is based on protecting three aspects of information:-
- Confidentiality: only the authorised persons have the right to access information.
- Integrity: only the authorised persons can change the information.
- Availability: the information must be accessible to authorised persons whenever it is needed.
These core aspects need to be established and maintained across 14 domains:-
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control (both physical and logical access)
- Cryptography
- Physical and environmental security
- Operations security (IT systems, including operating systems and software)
- Communications security
- System acquisition, development and maintenance
- Supplier relationship
- Information security incident management
- Information security aspects of business continuity management
- Compliance
There are 114 safeguards that need to be in place across these domains and a range of mandatory documents and records that must be maintained to support the accreditation.
It is not simply a technology-based assessment; it requires standards across all aspects of the business and a review of all processes that manage the flow of data, whether via electronic or physical methods.
Achieving the required standard often requires training for those involved within the business, and the outcomes are reviewed by external auditors on a yearly basis.
There is no standard pricing for undertaking ISO 27001 accreditation. The audit costs are based on a range of factors and there will be costs in relation to changes required within the business and resourcing costs associated with achieving and maintaining the accreditation. Many suppliers will however provide a free of charge ‘readiness’ assessment.
Summary
The recommendation is of course that you should challenge yourself to at least achieve the Cyber Essentials accreditation, and ideally the Plus level. However, if you are providing services internationally, you feel that you need to have a more robust approach to information security or your clients are indicating that they expect you to have it, then you should consider ISO 27001.
Regardless of which certification route you go down it is essential you don’t just assume you are untouchable because you have successfully been audited. The real drive of these accreditations is to show you have the appropriate systems, policies and processes in place, that your staff are “aware” and that you are living and developing your approach rather than it being simply a tick box exercise.