Confidence, Credibility, and World-class Security: Understanding the Cyber Essentials scheme

Cyber security is both more complex and more critical than ever before. For organisations ranging from start-ups to global leaders, an increasingly complex range of threats must be given careful consideration, as customers expect clear evidence that their sensitive data will always remain fully secure.

With so many factors to consider, and new ones appearing on a near-daily basis, developing robust cyber security can seem like an overwhelming prospect at first. Fortunately, the Cyber Essentials scheme provides a proven, recognised roadmap for establishing a true security culture within companies, helping them stay several steps ahead of global bad actors.

What is CE / CE+?

Cyber Essentials is a Government-backed scheme that focuses on the implementation of industry-recognised cyber security controls. The certification is designed to be accessible to organisations of all sizes and sectors and is suitable for anyone looking to develop a robust cyber security posture, able to evolve as the threat landscape does.

The Cyber Essentials certification is broken into two tiers: Cyber Essentials (CE) and Cyber Essentials+ (CE+). Organisations would normally aim to achieve CE first, which involves completing a self-assessment questionnaire that is then independently verified by the Information Assurance for Small and Medium Enterprises (IASME).

Usually, organisations that have achieved CE then look to achieve CE+. If they choose to do so, they must complete it within the first three months of achieving CE, or else start the process again. For CE+, organisations must undergo a more rigorous, onsite assessment of their cyber security measures, which includes a vulnerability scan.

The Cyber Essentials scheme covers the following key areas:

  • Firewalls. An assessment of firewalls and network boundaries, in order to optimise network security.
  • Secure Configuration. Organisations must ensure that their computers and network devices are properly “hardened”, i.e. configured to reduce vulnerabilities and eliminate potential attack vectors.
  • Security Update Management. An assessment of the organisation’s patch management processes, ensuring systems are kept up to date by applying security fixes as they become available and acting on the very latest threat intelligence.
  • User Access Control. This involves confirming whether the organisation has implemented Multi-Factor Authentication (MFA) and is taking appropriate measures to control user accounts and access within their networks.
  • Malware Protection. Ensuring an organisation has appropriate endpoint protection on their systems (i.e. anti-virus) and has measures in place to restrict the execution of untrusted software.

Why is it important?

At a time when building consumer confidence is critically important, CE and CE+ provide clear evidence to your customers and prospects that you are committed to maintaining the highest standards of cyber security, and both willing and able to comply with key Government frameworks – both now and in the future. As universally recognised standards, verified by independent cyber experts, being able to display either certification is a clear indicator that an organisation – whatever its size – is working proactively to maintain the integrity of its customers’ data.

Furthermore, CE and CE+ provide not only a clear roadmap for implementing current cyber security best practice, but also one for establishing a culture of continuous improvement, keeping organisations at the leading edge as the cyber threat landscape evolves.

How can Xpertex help?

If you are ready to earn the CE or CE+ certifications, our skilled consultants are here to provide you with the edge you need to pass with flying colours, working closely throughout every step of the process.

Not only does enterprise-class cyber security underpin everything we do, but we are ourselves CE+ accredited, with a deep knowledge of the current standard and its requirements, along with the wider security landscape. This puts us in an excellent position to guide you through the audit process, providing both advisory and technical support to ensure these standards are not only in place, but properly embedded within your company culture. This way, you will not only be fully prepared for your audit, but will have a strong foundation on which to build, helping you retain your certification when future audits come around.

Indeed, we do not put any organisation through a CE+ audit until we’re certain they will pass. The first step of this journey is therefore a Cyber Risk Assessment (CRA), which gives us an insight into the current state of your organisation and its strengths and weaknesses. Once we are sure you have every element in place to ensure a successful audit, we will bring in a trusted IASME-certified auditor to conduct the assessment.

To discuss your own Cyber Essentials journey, and how Xpertex can support you, don’t hesitate to contact us.
