Cyber Essentials is a government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber-attacks.
Cyber-attacks cost organisations thousands of pounds and can cause huge disruption. Businesses big and small can be targets if they don’t have the proper measures in place to protect them.
Cyber Essentials shows you how to prevent the most common attacks and protect your business.
Cyber Essentials is designed to fit with whatever level of commitment you are able to sustain. There are two levels of certification:
- Cyber Essentials certification
- Cyber Essentials Plus certification
There have been a number of changes to the Cyber Essentials scheme as of April 2020. The certification now has an expiry date of 12 months, which encourages maintenance of controls. The Information Assurance for Small and Medium Enterprises (IASME) has now been chosen as the single accreditation body for the certifications.
Cyber Essentials helps prevent the vast majority of cyber-attacks. Even a simple virus or piece of malware could result in your business facing consequences like:
- loss of company and client data
- disruption to cash flow
- staff time taken up trying to resolve the issue
- trading delayed / stopped
- damage to your hard-earned reputation
- losing customers
- fines or prosecution (loss of data could breach the Data Protection Act)
Self-help Cyber Essentials helps you familiarise yourself with cyber security terminology, gaining enough knowledge to begin securing your IT.
Cyber Essentials recommends five technical controls that you should put in place to set you and your organisation on the path to better cyber security. The five controls are:
- Use a firewall to secure your internet connection
- Make sure you have the most secure settings to secure your devices and software
- Control access to your data and services
- Protect yourself from viruses and other malware
- Keep your devices and software up to date
You can find out more about self-help Cyber Essentials and what you can put in place today on the Cyber Essentials website.
From 2018, suppliers awarded any new government contract worth more than £25,000 will need to commit to adopting Cyber Essentials, or a higher standard, within 12 months.
From 2020, all suppliers in receipt of contracts valued at more than £25,000 will need to demonstrate adherence to Cyber Essentials or a higher standard.
These requirements apply unless the contract is subject to a specific internal exemption signed by the Treasurer of the States. Exemptions may be granted in exceptional circumstances where the information security risk is judged to be low and a supplier represents significantly better value for money than alternatives and/or where substitutes are not readily or practically available. We are committed to securing our data and promoting the adoption of robust cyber security standards by Jersey businesses.
Cyber Essentials can help your organisation in many ways, including:
- reassuring customers that you take cyber security seriously
- listing on our directory of organisations awarded Cyber Essentials
- attracting new business with the promise you have cyber security measures in place
- allowing you to bid for government contracts
In the future Cyber Essentials will be a mandatory requirement for suppliers of government contracts which involve handling personal information and providing some ICT products and services.
This self-assessment option gives you protection against a wide variety of the most common cyber-attacks. The certification process has been designed to be lightweight and easy to follow. Before April 2020, this process involved organisations completing a self-assessment questionnaire, the responses to which were reviewed by an external certifying body. It also included an external vulnerability scan. As of April 2020 this process has changed, and an external vulnerability scan is no longer part of Cyber Essentials. The self-assessment now includes more ‘free text’ than organisations may have been used to with previous accreditation bodies, encouraging more communication between the assessor and the organisation being assessed to ensure all assessment criteria are appropriately met.
Cyber Essentials Plus
The protections you need to have in place are the same as for the Cyber Essentials certification, but this time the verification of your cyber security is carried out independently by a Certification Body. As of April 2020, the Cyber Essentials Plus certification also has minor changes, with more in-depth scans being carried out by the assessor to ensure internet-facing technology is sufficiently covered.
The first step to gaining your Cyber Essentials / Plus certification is to select a Certification Body. You have the option of choosing a local certification agency or a UK agency.
Option 1 – Local certification agencies
Following the April 2020 accreditation body change, only one local company can now provide the CE certification locally. Their information can be found here: Local certification agencies
Option 2 – UK accreditation bodies
Select a Certification agency through the IASME Certification bodies on the IASME website. Read the details about each of these companies and choose one which feels like a good fit for your organisation.
It is the Certification Bodies which will perform your evaluation and award your Cyber Essentials Certificate.
If an organisation is successful in obtaining a Cyber Essentials (CE) or Cyber Essentials Plus (CE+) certification, the certification will only remain valid for a year from the date of passing. This is to encourage controls to be maintained rather than be implemented to just pass the initial assessment.
Let Government of Jersey know once you’re certified
Organisations that are Cyber Essentials / Cyber Essentials Plus certified are listed on gov.je. Once you’re certified, complete the online form and you’ll be added to the list.
For more information and guidance, visit the UK government-run Cyber Essentials website or the National Cyber Security Centre website.