‘Government Supply Chain to use Cyber Essentials to better manage the security risks presented by third parties.’
Cyber Essentials is the Government's standard to encourage UK companies to attain a minimum level of security. Importantly, as of 1 October 2014, any organisation bidding on projects published after this date will have to demonstrate that it complies with the standard.
Information is currently in good supply within public-sector circles, but it is slow to reach those most affected, the suppliers. So what does it mean, and what will suppliers be expected to do?
Here are some guidelines for you:
What it means technically
All suppliers will need to demonstrate competent deployment of security defences in the following five control areas:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
How will suppliers find out?
Suppliers will be informed of the requirement to be Cyber Essentials certified during the pre-procurement phases of the project, and the requirement will be specified in the Contract Notice.
Who should suppliers approach?
Government-approved certification bodies, which are currently accredited through the Council of Registered Ethical Security Testers (CREST).
When does a supplier have to do it by?
A supplier should evidence the Cyber Essentials certificate (basic or Plus) ideally before award, and definitely at the point where data is shared.
What costs are associated?
Sec-1 Ltd offers 3 standard services ranging from £400 to £1650, depending on the certificate required and the amount of help needed. Services range from completely hands-off, where the client completes all of their own work, to "fully managed", where we complete all documentation. The standard services are based on a Small to Medium Enterprise with not more than 250 employees and 16 external IP addresses (larger organisations will require a scoping exercise).
What is the frequency of certification?
Certificates should not be more than 12 months old.
What is in scope?
By default, Cyber Essentials applies to the legal entity providing the goods or services rather than to any wider corporate group the organisation may be part of. However, organisations can reduce the scope of certification to only part of the legal entity.
What types of contracts does it apply to?
The requirement only applies to new contracts advertised after 1 October 2014.
What about existing security requirements already in place?
- Model Services Contract: Where its requirements are greater than those set out in Cyber Essentials Plus, the contract's requirements take precedence; further discussion with the Authority is advised to establish where and how Cyber Essentials Plus can be used.
- Security Policy Framework: Cyber Essentials will cover some of the technical security measures.
- ISO 27001: Organisations holding ISO 27001 will not automatically conform to Cyber Essentials, since not all 5 controls will necessarily be included in the scope of an ISO 27001 implementation. Most organisations with ISO 27001 will have to adopt Cyber Essentials in addition to ISO 27001.
Sec-1 is certified by CREST to provide services under the "Cyber Essentials" scheme. Read more here, call 01924 284240, or email firstname.lastname@example.org.