Cyber Essentials Checklist: Requirements to Meet

Cyber Essentials: An Introduction

Launched almost ten years ago, Cyber Essentials is a UK government-backed scheme designed to provide basic cyber security for a variety of organisations. Aimed to help protect against common cyber threats, such as hacking, phishing, and malware, by attaining Cyber Essentials, a company demonstrates that it has taken the necessary steps to protect its systems and information.

To become Cyber Essentials certified, an organisation must undergo a self-assessment questionnaire that covers five key technical controls: boundary firewalls, secure configuration, access control, malware protection, and security update management. This process is overseen by the National Cyber Security Centre (NCSC), with the questionnaire being reviewed by an independent certification body.

In addition to helping defend against common cyber threats, Cyber Essentials can also aid organisations in complying with industry regulations and standards. For instance, companies that handle sensitive information, (such as personal or financial data), are likely required to demonstrate their cyber security measures as part of their broader regulatory obligations.

Cyber Essentials Checklist

1. Familiarize yourself with the Cyber Essentials scheme: Understand the purpose and requirements of the Cyber Essentials certification and its relevance to your organisation's cybersecurity.
2. Determine eligibility: Confirm that your organisation is eligible for Cyber Essentials certification. The scheme is open to businesses of all sizes, including public and private sector organisations in the United Kingdom.
3. Self-assessment questionnaire: Obtain the Cyber Essentials self-assessment questionnaire provided by the National Cyber Security Centre (NCSC). This questionnaire covers five essential technical controls, each of which are explained in detail below.
4. Evaluate your organisation's cybersecurity measures: Review your organisation's existing cybersecurity practices and policies against the requirements outlined in the self-assessment questionnaire. Identify any gaps or areas that need improvement.
5. Implement necessary security measures: Take appropriate actions to address the identified gaps and enhance your organisation's cybersecurity. This may involve implementing firewalls, configuring systems securely, controlling access to data and systems, deploying malware protection solutions, and establishing processes for regular security updates.
6. Document your cybersecurity measures: Maintain clear documentation of the security measures you have implemented. This documentation will be reviewed during the certification process.
7. Seek external verification: Engage an independent certification body that is authorised to assess Cyber Essentials certifications. The certification body will review your self-assessment questionnaire and supporting documentation to verify your compliance with the scheme's requirements.
8. Certification review: Cooperate with the certification body during the review process. Respond to any queries or requests for additional information promptly and accurately.
9. Certification issuance: Upon successful review and verification, the certification body will issue the Cyber Essentials certification to your organisation, confirming your compliance with the scheme's standards.
10. Renewal and maintenance: Maintain your cybersecurity practices and periodically review and update your security measures. The Cyber Essentials certification is valid for one year, so consider renewing it annually to ensure continued protection and compliance.

Technical Controls - Requirements

These following five technical controls collectively contribute to a robust cybersecurity posture and are essential for achieving Cyber Essentials certification. It's crucial to review the detailed requirements and guidelines for comprehensive understanding and implementation of these controls.

Boundary Firewalls

-       Having firewalls implemented at the network perimeter, ensuring they are correctly configured to filter incoming and outgoing network traffic.

-       Identifying and documenting the network services that should be accessible from external sources and restricting access to only those necessary services.

-       Regularly reviewing firewall rules and configurations to ensure they remain effective and up to date.

Secure Configuration

-       Applying secure configurations to all devices used within your organisation, including desktops, laptops, servers, and network devices.

-       Removing or disabling any unnecessary user accounts, services, or software to minimize potential vulnerabilities.

-       Regularly updating and patching software and devices with the latest security updates to address known vulnerabilities.

-       Implementing strong and unique passwords for user accounts and enforcing password policies that promote good password hygiene.

Access Control

-       Ensuring that user accounts have appropriate access privileges based on the principle of least privilege, granting only the minimum permissions required for their roles.

-       Implementing multi-factor authentication (MFA) for user accounts, especially for remote access or administrative functions.

-       Regularly reviewing user accounts and access privileges to remove any unnecessary or outdated access rights.

-       Monitoring and logging user access activities to detect and respond to any suspicious or unauthorized access attempts.

Malware Protection

-       Deploying and maintaining up-to-date antivirus and anti-malware software on all devices.

-       Regularly updating malware signatures and scanning engines to ensure effective detection and protection against the latest threats.

-       Enabling automatic malware scanning and real-time protection features to detect and mitigate malware in real-time.

-       Educating users about safe browsing practices, avoiding suspicious downloads, and reporting any suspected malware incidents promptly.

Security Update Management

-       Implementing a process to identify, evaluate, and apply security updates and patches for all software and devices used within your organisation.

-       Regularly reviewing and testing new updates before deployment to ensure compatibility and stability.

-       Establishing a mechanism to promptly address critical security patches and updates to mitigate known vulnerabilities.

-       Keeping an inventory of all software and devices in use and ensuring that updates are applied consistently across the organisation.

Further Requirements for Cyber Essentials

In addition to the key steps mentioned earlier, and the technical controls, there are a few other requirements to consider when pursuing Cyber Essentials certification:

Supporting documentation: Prepare and maintain supporting documentation that demonstrates your organisation's adherence to the Cyber Essentials requirements. This documentation may include policies, procedures, configuration settings, network diagrams, and evidence of security updates.

Time frame: The certification process typically takes several weeks, considering the time required for self-assessment, implementing necessary security measures, and engaging with the certification body for review and verification.

Self-assessment accuracy: Ensure the accuracy and honesty of your self-assessment questionnaire responses. The certification body will rely on your provided information, and any misrepresentation or deliberate false information may result in the denial or revocation of certification.

Ongoing maintenance: Cyber Essentials certification is valid for one year. To maintain your certification, you should continue implementing and updating your cybersecurity measures, perform regular assessments, and address any identified vulnerabilities or gaps in your security controls.

Remember that the above checklist and guidance provides a general overview of the process and requirements, and it's advisable to refer to the official Cyber Essentials guidance and materials provided by the National Cyber Security Centre (NCSC) for more detailed information and specific requirements.