Comment: Cyber Essentials is Evolving
Ian McGowan, Managing Consultant for Barrier Networks, discusses the importance of the Cyber Essentials certification scheme.
One of the most rewarding areas of my job at Barrier Networks is the satisfaction that I get from helping an organisation achieve an objective. Delivering technical projects and assisting with strategy and architecture challenges are fundamental to what we do at Barrier, but an area that has been surprisingly rewarding recently is Cyber Essentials.
Over the past couple of years, we’ve helped lots of organisations improve their cybersecurity posture into a position that is compliant with the Cyber Essentials certification scheme, many of whom deemed it to be a daunting task at the outset of the journey. The programme covers five core controls and while it can be challenging for small (and sometimes large!) companies to comply, getting them to the point of being issued that certificate is a good feeling.
It’s Time to Evolve.
The Cyber Essentials scheme was launched in 2014 and NCSC has announced that it is time for it to start evolving. NCSC remains fully committed to the scheme and has witnessed the benefits of it reflected in the organisations that have implemented it, stating that no significant cybersecurity breaches have impacted any of the certified companies since its inception.
The cybersecurity landscape is dynamic and in a constant state of flux due to the rapid development and adoption of technology within our society. To remain effective, it is necessary that the Cyber Essentials scheme evolves and improves iteratively so that the controls it mandates continue to have a positive effect.
Cyber Essentials is Helping Companies Become More Secure
The response NCSC have received regarding the effectiveness of Cyber Essentials has been positive, and that’s been our experience at Barrier, too. At the outset, it can appear daunting as implementing the controls will typically require a shift in how IT operations are conducted, especially when it comes to software update practices. However, once these changes have been implemented, it’s encouraging to see the difference in the organisation’s security posture and, of course, to see them rewarded with the certification for their efforts.
NCSC have been working closely with the public sector, industry, and Cyber Essentials bodies to understand how effective the scheme has been and to identify where improvements can be made. They are still working towards an official announcement, but the following key points have been communicated:
Single Accreditation Standard
This is a big change. When the scheme was first developed, NCSC appointed five ‘Accrediting Bodies’ which were responsible for managing ‘Certifying Bodies’. Barrier Networks are a Certifying Body, so we deal with the actual certification process and then report into our Accrediting Body. This approach has introduced some confusion, as over time slight variances have crept into the standard that each Accrediting Body audits against.
This has led to conflicting guidance on what is required to meet the standard and has resulted in an element of uncertainty about the remediation a company must implement. To address this, NCSC will reduce the number of Accrediting Bodies from five down to one, which should provide Certifying Bodies and applicants to the scheme with clear guidance on what is acceptable and what is not. A transition path will be announced at a later date to make sure that all of the companies certified under the various Accrediting Bodies can converge under the single body.
New Criteria for Certification Bodies and Assessors
The five Accrediting Bodies mandate the standard that a Certifying Body and its Assessors must attain. Once a new single Accrediting Body has been appointed, there will be a single standard set for the qualification of becoming a Cyber Essentials Certifying Body and Assessor.
More to follow.
The changes to the Accrediting and Certifying Bodies won’t be the end of the overhaul, but it looks like NCSC are waiting for a single Accrediting Body to be appointed before any further changes are developed. The Cyber Essentials framework is reasonably straightforward once you are familiar with the controls required, but it’s not unusual to find organisations that are struggling to piece it all together when they first approach it.
Amongst other improvements being considered, NCSC is reviewing whether an affordable advisory service can be implemented to help companies in this situation. You can read more about the planned changes in the links below: