If securing your IT against cyber attackers has brought you to the point of choosing a certification scheme, compare the benefits and procedure of Cyber Essentials and Cyber Essentials Plus below to decide which is best for your organisation.
Cyber Essentials is a UK government-backed scheme intended to help every organisation and business protect its data against the growing volume of cyber attacks. It has two levels: one based on self-assessment and one that involves an external assessor. The former is called Cyber Essentials and the latter Cyber Essentials Plus.
Under Cyber Essentials you assess the security of your own systems using your organisation's resources, and a certification body verifies your answers and issues the certificate. Under Cyber Essentials Plus, the certification body appoints an assessor who independently tests your organisation's technical controls before certification is granted.
The five technical controls covered by Cyber Essentials certification:
- Boundary firewalls and internet gateways: hardware and software devices are properly configured and maintained to prevent unauthorised access from other networks.
- Secure configuration: all systems in the business are configured securely, with only the settings and services each one needs.
- Access control: access to systems is restricted so that only those who should have access are granted it, and only at the level of privilege they require.
- Malware protection: malware protection is installed where it is missing and kept up to date where it is present.
- Patch management: applications and operating systems run supported versions and have the latest security patches installed.
These are the basic technical controls needed to protect any organisation's IT from common, commodity cyber attacks. For a self-assessment, a company is asked to review these areas and provide evidence that the controls are in place. In the Plus scheme, the certification body's assessment team also applies some additional checks and techniques:
- Vulnerability scanning of user endpoints and internet-exposed servers
- Scanning the externally facing infrastructure for known vulnerabilities
- Checking for weaknesses by attempting to guess passwords on exposed services
- Testing by sending email attachments
- Tests using browser downloads
- Reviewing mobile devices
In Cyber Essentials Plus, the expert assessors cover these areas in addition to testing the five technical controls. These hands-on tests of every internet-connected server and gateway that can be reached without authentication give further assurance that your systems are secure.
The external assessor may also examine other networks and hardware servers to gain higher assurance that the controls are complete. Cloud services such as Software as a Service (SaaS) are generally treated as out of scope in these schemes, whereas software installed by users is within scope.
All you need to do is choose an accreditation body from those approved by the government, then choose a certification body that suits your business type, budget and the level of security assurance you need. The body you choose will guide you through obtaining your Cyber Essentials certificate and badge.