Cyber Essentials Scheme – government cyber security ‘standard’ published

by Richard Anning on 09.04.2014 14:49

Following on from BIS’s consultation and call for evidence last year on a preferred organisational standard for cyber security, the government has just published the Cyber Essentials Scheme. This consists of a set of requirements for basic technical protection from cyber-attacks as well as a proposed assurance framework. Organisations that are assessed against the framework will be able to use a Cyber Essentials badge to publicise the fact.

The government is looking for feedback on the proposed assurance framework by 7 May.

Full details of the new scheme and framework are on the government website.

The ‘requirements’

The Cyber Essentials Requirements document outlines five basic technical controls designed to provide protection against ‘threat actors with low levels of technical capability’. Compliance with these controls is likely to provide protection against the majority of internet-based cyber-attacks.

The five controls consist of:

1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management

Full details are included in the government publication, including cross references to other supporting standards and guidance.

The assurance framework

The proposed framework offers organisations assurance through independent assessment against the five controls outlined above. Organisations will be able to choose a level of assessment that is appropriate for their business needs. (The proposed assurance framework provides three levels of assessment – bronze, silver and gold.) Once an organisation has been assessed, a certificate (badge) will be issued that it can use to show that it has been assessed at that level, implying that it takes cyber security seriously and is an organisation that others can trust to do business with. The framework will also enable security professionals with the right skills to carry out assessments and certify that organisations have implemented the controls in the requirements document.

The government is seeking feedback on the proposed assurance framework and has posed a number of ‘exam questions’. These include comments on the three tiers, the duration of certification and what qualifications might provide competence to certify at a particular level.

Ways to feed in

The closing date for feedback is 7 May 2014.

There are a number of possible areas of opportunity for ICAEW members – if anyone would like to discuss these, we plan to hold a short workshop for members to provide input, details to be confirmed. You can also contact me direct to discuss or provide feedback. You can also provide feedback direct to BIS using the form on their website.

The full scheme will be launched in summer 2014 when organisations who demonstrate compliance against one of the three tiers will acquire a certification badge. BIS have also put out a request for early adopters of the scheme, so please let me know if you would like to be in the vanguard of users of the scheme.