HMG announces Cyber Essentials Scheme

As part of the UK government's long-term strategy to address the increasing threats around cyber risk HMG has announced its Cyber Essentials Scheme.

The scheme identifies and focuses on five principal areas that businesses of all types and sizes must consider as "the essential" foundation of their cyber security.

Cyber Essentials provides guidance on how to implement the important first steps to manage cyber risk and following industry feedback will link to a cyber assurance program that will provide the option of independent certification for those organisations able to meet set criteria. Certification awarded can be at Bronze, Silver or Gold that will provide businesses with the opportunity to verify the effectiveness of their measures and demonstrate them to their key stakeholders.

The Cyber Essentials Scheme following nearly a year of industry consultation that resulted in feedback from business indicating a new approach was needed. The result is a relatively straightforward and easy to apply "cyber hygiene" process that embeds and evidences basic measures that will address approximately 80% of the risks that are most commonly encountered. The approach taken provides an excellent foundation for businesses who have yet to properly structure their approach to the demands and challenges presented by threats to the integrity of their networks and information.

It is hoped that organisations will use the Cyber Essentials Scheme to take their first structured steps in identifying the specific risks their organisation faces and examining how their infrastructure may be vulnerable to more sophisticated threats.

Cyber Essentials complements existing guidance (10 steps to cyber security and cyber security: what small businesses need to know) in place.

As part of the announcement of the Cyber Essentials Scheme organisations have been invited to comment on the draft assurance framework which is open until 7 May 2014. The assurance framework will be used by independent certification companies to determine the capabilities and levels of assurance achieved by organisations.

Commenting on key features of the Cyber Essentials Scheme, Russell Price, Chairman of the Continuity Forum, said “We welcome this initiative from government. The scheme provides clarity the business on what is the "minimum requirements" expected of them to meet their obligations to their customers, staff and other stakeholders. The measures outlined will protect organisations, large and small, from the most common threats and reduce the levels of disruption and improve substantially the security of most businesses who have yet to act."

Price continues "it is important for all businesses to really think long and hard about how they may be vulnerable in this digital age. This means a change of culture for most, and a more structured link to their other Risk and Business Continuity activities. Despite the ability of the CES to mitigate many cyber risks, a significant number of businesses will be vulnerable to more sophisticated attack and exploitation from techniques not addressed by the scheme. Consequently, it is vital that businesses really understand the type of risk and threats they are likely to face and develop approaches that are likely to involve more sophisticated mitigation and protection capabilities."

Government will be developing a portfolio of products and services under the scheme that will help address specific sectors or issues and will continue to offer specific support and guidance through CESG and B I S.

You can download the details on the Cyber Essentials Scheme below:
 

The feedback form for the assurance scheme and an example from CREST of how the assessment would operate in practice is avaiable below:

We would like to hear your thoughts on this initiative form BIS and you can contact us directly HERE!