The Cyber Essentials scheme has been developed by the UK Government and industry to fulfil two functions. It provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet-based threats, within the context of the Government’s 10 Steps to Cyber Security. And, through the Assurance Framework, it offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.
Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations can implement and potentially build upon. Government believes that implementing these measures can significantly reduce an organisation’s vulnerability. However, it does not offer a silver bullet to remove all cyber security risk; for example, it is not designed to address more advanced, targeted attacks and hence organisations facing these threats will need to implement additional measures as part of their security strategy. What Cyber Essentials does do is define a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes.
Cyber Essentials (CE) and Cyber Essentials Plus (CE+) are the same standard; CE+ offers the additional protection of a vulnerability test, whilst CE is by verified self-assessment only.
The Cyber Essentials Scheme focuses on Internet-originated attacks against an organisation’s IT system. Many organisations will have particular additional services, e.g. web applications, that will require additional and specific controls beyond those provided by Cyber Essentials. Cyber Essentials concentrates on five key controls. These are: