Cyber Essentials (CE) is a base level security accreditation that demonstrates a security posture compliant with the National Cyber Security Centre (NCSC) recommended guidelines for small to medium enterprises (SMEs). It allows funders, customers and staff to have confidence that organisational policy, processes, user practices and IT infrastructure provide risk assessed and risk mitigated management of how data is transmitted and used.
Jisc members receiving ESFA monies are required to achieve this accreditation and then achieve the Cyber Essentials Plus (CE+) accreditation by September 2021. The Information Assurance for Small and Medium Enterprises consortium (IASME) is the governing body for CE accreditation, partnered with the NCSC. Both websites have a considerable amount of support advice and documentation available to assist you prior to submission of your security responses.
Most importantly, there are sample question sets that can be downloaded and worked through locally to establish your current security posture and develop any improvement plan that may be required. The actual submission for accreditation has to be paid for and done via the IASME secure portal; the current price is £300+VAT. You should initially start with the CE self-assessment preparation booklet. There are supplementary documents that may be of help to other areas of your organisation, particularly those dealing with GDPR aspects. The documents are PDF, although MS Excel formats can be applied for. For those looking to attain ISO27001, the FAQ pages contain a mapping of CE to the ISO27001 Annex A controls.
Considerations when answering the preparation booklet questions:
The standard has been written to apply to all SMEs in the UK. This may well be a single person business that has limited access to IT expertise and buys consumer grade IT equipment from a mixed economy of vendors. Jisc members are deploying IT services to meet an Enterprise service delivery model, so ensure that your answers reflect this level of IT maturity.
Each question is posed in a manner where a ‘Yes’ or ‘No’ can be seen to be the CE compliant answer. If you are compliant with the question, use the appropriate word as a prefix to your answer and then add any additional configuration statements that support your solution. This will help the assessor build their understanding of your service delivery model. Starting with a wordy descriptive dialogue may cause the assessor to construct a misleading image of your delivery model, requiring them to search for supplementary information to fill in gaps in their understanding. Assessors expect to spend approximately 1 hour on each assessment.
If you have queries about your current service and its compliance, then use the Jisc assistance available. Your Jisc account manager can direct you to our subject specialists for one-to-one confidential support, or you can use the Jisc CE drop-in sessions if you don’t mind voicing your query in a more public forum; this is especially useful if you believe the answer will benefit others.
It is probable that you will need to improve some elements of IT infrastructure on site to achieve accreditation, whether through configuration changes or perhaps upgrade or replacement of hardware. Both may affect the user experience and force some changes in users' usual practices, which may then cause complaint. The CE application does require the support and signature of senior leadership, so they will need to be on board to support what you need to do. It can be helpful to further promote this senior leadership involvement by recommending that they (and possibly Governors) undertake to attain the BS 31111 Cyber Risk and Resilience standard.