Title: VI-404576-TM
Version: 1
Author: Michael Shuff
Issue Date: 29 Jan 2015
Summary
Cyber Essentials is a UK Government initiative launched in June 2014 with industry backing. It
allows companies to gain one of two available Cyber Essentials badges. Certification became
mandatory from October 2014 onwards to be eligible for certain UK Government contracts.
There are five technical controls stipulated in Cyber Essentials Requirements:
1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
This white paper explains the reasoning behind Cyber Essentials and answers the question: Should
my company become badged?
Contents
1 Introduction
2 What is the Cyber Essentials Scheme - and will Business buy in?
  2.1 How does the scheme operate? Is it a 'Standards framework'?
  2.2 What is the Government's purpose in fostering Cyber Essentials?
  2.3 Why is the UK Government promoting 'cyber security assurance'?
  2.4 So what is wrong with ISO27001 when setting higher standards?
  2.5 Does Cyber Essentials involve any form of Risk Assessment?
  2.6 Why do we need Cyber Essentials if ISO27001 is an option?
  2.7 What types of cyber threat does Cyber Essentials hope to combat?
3 Technical Requirements for Basic Protection from Cyber Attack
4 Cyber Essentials Controls: what they are, and what they're not!
  4.1 'Control Themes' presented in the Cyber Essentials Requirements
  4.2 Secure configuration and User access control
  4.3 Malware protection and Patch management
5 How does Cyber Essentials deal with cloud service provision?
  5.1 Who will test cloud services for compliance with Cyber Essentials?
6 Conclusions
1 Introduction
In 2014, the UK Government launched an initiative to improve
cyber security by encouraging companies doing business in the UK
to acquire a "badge" proving they met security requirements.
There are two levels of badge: "Cyber Essentials" and "Cyber
Essentials Plus". A badge is good for one year, and an external
certifying body independently awards certificates. The cost of
certification is modest: not more than 400 for the basic level and
2 What is the Cyber Essentials Scheme - and will Business buy in?
The Jury is assembling. What will businesses make of the Government's ideas on cyber security
controls, and is Cyber Essentials worth the cost?
The UK Government's Cyber Essentials Scheme
announced in April 2014 aims to drive awareness of
the risks posed by cybercrime, and help smaller
enterprises delivering products or services to the UK
public sector to defend their IT systems, networks and customers' data from attacks.
Government is widely encouraging its adoption and has made it mandatory for Central Government
contracts advertised after 1 October 2014 which feature characteristics involving handling of
personal information and provision of certain ICT products and services. Details are set out in Annex
A of the HMG Procurement Policy Note "Use of Cyber Essentials Scheme certification", Action Note
09/14, 25 September 2014.
BIS was tasked to work with domestic, European and global and commercial standards organisations
to stimulate the development of industry-led standards and guidance. This would help customers to
navigate the market and differentiate companies with appropriate levels of protection and good
cyber security products. Action 24 stated the aim:
Action 24: Encourage industry-led standards and guidance that are readily used and
understood, and that help companies who are good at security make that a selling point.
Fast forward three years: then Universities and Science Minister, David Willetts, said at the launch of
the Cyber Essentials Scheme in June 2014:
"Cyber Essentials is an easy to use cost effective way to help businesses and the public sector
protect themselves against the risks of operating online. ... Organisations will now be able to
easily demonstrate they are cyber safe - reassuring their clients, boosting confidence and
profitability. I encourage all organisations to adopt it."
However, by the time of the launch hosted by the ICAEW IT Faculty at Chartered Accountants Hall in
the City of London, Cyber Essentials was less of a 'standards framework' in the sense of ISO27001,
and more an MOT test for cyber security hygiene. Gone was any reference to the "kite-marked"
cyber security standards concept heralded in the 2011 Strategy.
What remained was the idea that the cyber security control requirements would be 'readily used
and understood' and that they would be a selling point for organisations that are good at putting in
place effective security.
This is the Cyber Essentials Scheme; aptly named since the mandated controls are essential to secure
any IT system connected to the Internet.
cyber security. Just like their smaller counterparts, and despite the risks that they run, many it seems
have only a limited capability to implement the full range of controls necessary to achieve robust
cyber protection. The Cyber Security Strategy talks about modelling best practice on cyber security
in reference to Government's own ICT systems, in an effort to set strong standards among suppliers
to government to ensure they "raise the bar".
given the nature of the threat, Government believes that action should begin with a core set of
security controls that all organisations large and small should implement. Cyber Essentials defines
what these controls are." [From the Cyber Essentials Scheme, Summary, June 2014, Addressing the
Threat, page 3].
So, no requirement for a risk assessment. However, is that good
news?
Should we care that Government is stepping in to define what
'core security' should be like in your organisation (assuming that
you do some business with Government and want to continue
doing so in the future)?
Moreover, is the 'cyber threat' serious enough to justify a
Government Scheme?
Leaving aside the Media hype, I would recommend that you read Sir Iain Lobban, then Director
GCHQ, who contributed a thought-provoking article entitled "Countering the cyber threat to
business" to the Spring 2013 edition of the Institute of Directors Big Picture policy journal. Sir Iain
outlines for a business audience in non-technical terms the nature and scale of the threat to
businesses from cyberspace, why cyber security should be at the top of boards' agendas and the role
GCHQ is playing in helping counter the threats. You can read the full article in the Spring 2013 back
issue of Big Picture. Just follow the link on the IoD's website:
http://www.iod.com/influencing/big-picture/big-picture-archive/big-picture-spring-2013
In my view, the Cyber Essentials Scheme is long overdue. It is only designed to be a voluntary
undertaking for most organisations unless they fall within the categories listed in Annex A of the
Policy document (see above). Hence, it is unlikely to be taken as seriously as it should be by the
Boards of the UK's smaller enterprises, many of whom assume that they are too small to attract the
interest of professional cyber criminals. They miss the point that they can be a gateway to
confidential data held on their clients' computer systems. In addition, a great deal of today's
automated hacking software randomly identifies system vulnerabilities by attempting an intrusion
via the Internet and then exploiting IT security weaknesses. The fact that few people have spotted
your physical office address or that your company website attracts low numbers of visitors does not
make you safe.
Rather, the opposite is generally true, because your sense of security is completely false; therefore
your cyber risk assessment processes and mitigation measures are likely to be equally unrealistic
when it comes to understanding the nature of the threats posed to data on your systems.
In practice, few if any organisations adopting ISO 27001 would be foolhardy enough to choose a
control set that does not cover the fundamental technical issues relating to internet security in
particular; however, that is a story for another day. Cyber Essentials is here to stay.
As stated, the UK Government clearly believes that ISO 27001 is simply too big and unwieldy a
Standard for most organisations to invest in accredited certification. In my experience, the fear
factor regarding ISO 27001 adoption, especially when it comes to the risk assessment aspect and the
selection of suitable information security controls, is not justified when the right expert help is
available. However, the basic technical control set defined in the Cyber Essentials Scheme does fill
an important 'gap in the market'; enabling organisations, particularly SMEs, to understand and
properly address the most important technical aspects of cyber security protection. It also fits nicely
into IASME's wider governance approach to information assurance for smaller organisations. About
which, more later.
Even then of course, small organisations under 50 employees (including single employee
businesses), and even some medium-sized organisations, may need to obtain further guidance and
support to ensure the technical controls presented in these requirements can be implemented
adequately.
2.7 What types of cyber threat does Cyber Essentials hope to combat?
Cyber Essentials focuses on basic cyber hygiene. The theory is: your organisation will be better
protected from the most common cyber threats if you have a set of controls which, when properly
implemented, comply with the scheme's requirements. These controls will provide organisations
with protection from the most prevalent threats coming from the Internet. In particular, those
resulting from malware and hacking strategies which require low levels of attacker skill, and which
are widely available online.
The Scheme has two progressive levels: Cyber Essentials is an independently validated self-assessment
submission, whilst Cyber Essentials Plus additionally requires a comprehensive,
independent technical assessment to validate that the selected security controls have been
implemented effectively.
Cyber Essentials is FREE to download and any organisation can use the guidance to implement the
five essential security controls, but some may want or need to gain independent assurance that they
have fully deployed the controls. Organisations that have been successfully independently assessed
or tested through the scheme's assurance framework will attain a Cyber Essentials certification
badge. This will help you demonstrate to customers, partners or clients that your company takes
cyber security seriously - boosting reputations and providing a competitive selling point.
Therefore, to sum up this introduction to the Cyber Essentials Scheme:
Cyber Essentials is relatively inexpensive compared to implementing ISO 27001:2013 and does have
significant attractive features for SMEs. The most obvious being that not all of your competitors in a
particular market sector will be certified Cyber Essentials compliant and displaying the distinctive
badge. Those who do are saying that they are good at protecting client data, at least at a basic level,
and can make that a selling point.
Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations
in the UK can implement and potentially build upon. Government believes that implementing these
measures can significantly reduce an organisation's vulnerability. However, it does not offer a silver
bullet to remove all cyber security risk; for example, it is not designed to address the more
advanced, targeted attacks and hence organisations facing these threats will need to implement
additional measures as part of their security strategy. What Cyber Essentials does do is define a
focused set of controls that will provide cost-effective, basic cyber security for organisations of all
sizes. As such, it has value.
The UK Data Protection Act says that: "Appropriate technical and organisational measures shall be
taken against unauthorised or unlawful processing of personal data and against accidental loss or
destruction of, or damage to, personal data."
UK Law has yet to define exactly what the "appropriate" measures are, but one suspects that future
EU Regulations will do this in a similar way to India's ITA with reference to Standards.
At the moment, the Data Protection Act, made law way back in 1998 (since which time, a great deal
has changed in terms of technology and culture), means you must have appropriate security to
prevent the personal data you hold being accidentally or deliberately compromised.
In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the
  harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies
  and procedures and reliable, well-trained staff;
- and be ready to respond to any breach of security swiftly and effectively.
At this point, the observant among you will have spotted that the Cyber Essentials control themes
fall far short of these DPA requirements as defined by the Information Commissioner. Therefore, we
must recognise from the outset that whatever value Cyber Essentials Requirements bring to the
party, the existing requirements of UK Law mean that organisations must address other information
security requirements to comply with the Law.
So what will Cyber Essentials provide you with in terms of a control set?
And is it worth relying on in place of a more comprehensive cyber security or information security
standard like the NIST Framework or ISO 27001?
4 Cyber Essentials Controls: what they are, and what they're not!
Cyber Essentials might not stop a determined cyber-attack emanating from a rogue state, but it can
help to prevent your organisation being a soft target when it comes to automated hacking tools and
opportunists.
The Cyber Essentials Scheme is designed to assist every
UK organisation in defending against "the most common
forms of cyber-attack emanating from the internet using
widely accessible tools which require little skill from the
attackers". Firstly, specific types of attack are identified
and secondly the most basic technical controls an
organisation needs to have in place are described.
OK. What are the basic technical measures that the
Scheme promotes?
The control themes set out in the Cyber Essential Requirements document are relevant to
organisations of all sizes. The "exposed technology" is familiar to us all: i.e. computers that are
capable of connecting to the internet, including desktop PCs, laptops, tablets and smartphones, and
internet connected servers including email, web and application servers.
The Government (almost certainly through evidence presented by the police and the secret work of
GCHQ and other national defence agencies) has developed a detailed knowledge of the basic but
successful cyber-attacks against UK businesses and citizens, the large majority of which would have
been mitigated by full implementation of the controls under the following selected categories.
Patching is dealt with by Control 5: Patch Management - albeit in a general way that doesn't provide
you with much of a checklist to work from. The problems with new network technology like wireless
networks and remote access devices that can be used to circumvent network perimeter security
devices like firewalls and IDS, are not specifically addressed here either; and as every IT manager
worth their salt knows to their cost, the days of feeling at ease behind boundary firewalls are gone.
Control 1 is important though in ensuring that what protection firewalls can provide is properly
configured. For example, that strong passwords (>8 characters, numbers and symbols) are used and
changed every 60 days, that traffic is monitored and controlled, and that those services which are
'...more vulnerable to attack than others' are blocked at your office firewall, assuming there's no
business case for permitting access.
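The following is an added example, not code from the white paper or from the Cyber Essentials scheme, showing how a boundary firewall's inbound rule list can be audited for the kind of 'more vulnerable' services the text says should be blocked unless there is a business case. The Rule record, the zone names, the list of risky ports, the sample rules and the first-match/default-deny evaluation model are all assumptions made for the example; a real device's rule semantics must be checked against its documentation.

```python
"""Added example, not from the white paper or the Cyber Essentials scheme:
audit an ordered inbound firewall rule list for services reachable from the
internet without a recorded business case.

Everything here is constructed: the Rule format, the zone names, the port
list, the sample rules and the first-match/default-deny evaluation model."""
from dataclasses import dataclass

# Assumed list of services to block at the boundary unless justified.
RISKY_INBOUND_PORTS = {
    21: "ftp", 23: "telnet", 135: "msrpc", 139: "netbios",
    445: "smb", 1433: "mssql", 3306: "mysql", 3389: "rdp", 5900: "vnc",
}


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "in" or "out"
    proto: str               # "tcp", "udp" or "any"
    port: object             # int or "any"
    source: str              # zone: "internet", "vpn", "lan" or "any" (assumed names)
    justification: str = ""  # documented business case, empty if none


def effective_action(rules, proto, port, source="internet"):
    """Evaluate the ordered rule list the way most boundary devices do:
    the first matching rule wins; no match means the default policy, which
    is assumed here to be deny. Returns (action, matching rule or None)."""
    for r in rules:
        if r.direction != "in":
            continue
        if r.proto not in ("any", proto) or r.port not in ("any", port):
            continue
        if r.source not in ("any", source):
            continue
        return r.action, r
    return "deny", None


def audit_boundary(rules):
    """Map each risky service that is effectively reachable from the internet
    to its recorded justification (or a note that there is none)."""
    exposed = {}
    for port, name in RISKY_INBOUND_PORTS.items():
        action, rule = effective_action(rules, "tcp", port)
        if action == "allow":
            exposed[name] = rule.justification or "no business case recorded"
    return exposed


# Constructed sample rule set for an office firewall.
SAMPLE_RULES = [
    Rule("deny", "in", "tcp", 23, "any"),                                 # telnet blocked outright
    Rule("allow", "in", "tcp", 443, "any", "public web server"),
    Rule("allow", "in", "tcp", 3389, "any"),                              # RDP open to all, no case recorded
    Rule("allow", "in", "tcp", 445, "vpn", "file shares over VPN only"),  # scoped to the VPN zone
    Rule("allow", "in", "tcp", 21, "any", "legacy supplier upload"),
    Rule("allow", "in", "any", "any", "any"),                             # trailing catch-all allow
]

# The same rules with the catch-all removed.
HARDENED_RULES = SAMPLE_RULES[:-1]

if __name__ == "__main__":
    for label, ruleset in (("as found", SAMPLE_RULES), ("catch-all removed", HARDENED_RULES)):
        print(f"--- {label} ---")
        for service, note in sorted(audit_boundary(ruleset).items()):
            print(f"{service:8s} reachable from the internet: {note}")
```

The point of evaluating the rules in order rather than just grepping for "allow" lines is visible in the sample: the SMB rule is correctly scoped to the VPN zone, but the trailing catch-all makes SMB (and everything else) reachable from the internet anyway, so the finding only disappears once the catch-all is removed.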
- Configure the wireless network to use WPA2-AES encryption for data confidentiality.
- Change the default login username, if permitted (refer to the user's guide), and password.
  (The default passwords are published in manufacturers' publications and are readily
  accessible.)
- Conduct MAC address filtering (a form of whitelisting, or identifying wirelessly connected
  computers you trust).
- Change the default wireless SSID.
I would also have stressed that many wired networks base their security on physical access control,
trusting all the users on the local network, but if wireless access points are connected to the
network, anybody within range of the AP (which typically extends farther than the intended area)
can attach to the network. Your security stance will be compromised if it is easy to attack your
network using unencrypted wireless access points.
'Control' in management means setting standards, measuring actual performance and taking
corrective action. Control is a continuous process.
I would have added to the Cyber Essentials Requirements that you should remove unnecessary
software and disable nonessential services, and modify unnecessary default features to eliminate
opportunities for attack, on a continuous basis. Your system technology is constantly evolving and
new software/software upgrades can introduce security vulnerabilities - see below. Only through
system hardening measures can you hope to maintain an optimum level of protection when
connected to the internet; and even then unmitigated vulnerabilities will be exploited by the
hackers.
From the initial installation onwards, review the features that came enabled by default on your
computer and disable or customise those you don't need or plan on using. As with nonessential
services, be sure to research these features before disabling or modifying them. Recent operating
systems are configured more securely by default and are preferred. However, all systems should be
continuously hardened. Besides the operating system, some user-installed applications provide
network services to communicate with other devices. In many cases these services are required for
the intended operation of the device, and are therefore permitted. However, some applications
install gratuitous network services that are either not required or are configured to provide network
access when only local access is required. Hence, it will not be enough to apply this requirement
once a year or every 6 months and still be confident that you have these issues under control. Cyber
security is not a steady state.
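As an added example (not part of the white paper), here is one way to act on the point above about applications that open network access where only local access is needed: parse the listening sockets on a host and flag any that accept connections from the network but are not on an approved list. The `ss -ltnp` output below is constructed for the example, and the approved-service table is an assumed local policy.

```python
"""Added example, not from the white paper: review which network services a
Linux host actually exposes, separating loopback-only listeners (local access)
from listeners reachable from the network.

The `ss -ltnp` output and the approved-service list are constructed."""
import re

# Constructed output in the shape of `ss -ltnp` on a Linux host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1201,fd=21))
LISTEN  0       128     [::]:5900            [::]:*             users:(("x11vnc",pid=2210,fd=5))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=900,fd=6))
LISTEN  0       128     [::1]:25             [::]:*             users:(("master",pid=700,fd=13))
"""

# Services this host is meant to offer on the network (assumed policy).
APPROVED_NETWORK_SERVICES = {"sshd": {22}, "nginx": {80, 443}}

WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK_HOSTS = {"127.0.0.1", "[::1]", "::1"}
PROCESS_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(ss_output):
    """Yield (process, bind address, port) for each LISTEN line; the header
    line and anything else is ignored."""
    for line in ss_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")   # handles [::]:5900 as well
        m = PROCESS_RE.search(line)
        yield (m.group(1) if m else "?", host, int(port))


def review_listeners(ss_output, approved=APPROVED_NETWORK_SERVICES):
    """Return sorted (process, port, scope) triples for listeners that accept
    connections from the network but are not approved. Loopback-only
    listeners give local access only and are left alone."""
    findings = []
    for proc, host, port in parse_listeners(ss_output):
        if host in LOOPBACK_HOSTS:
            continue
        if port in approved.get(proc, set()):
            continue
        scope = "all interfaces" if host in WILDCARD_HOSTS else host
        findings.append((proc, port, scope))
    return sorted(findings)


if __name__ == "__main__":
    for proc, port, scope in review_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proc} listens on port {port} ({scope}) but is not an approved network service")
```

In the sample the database and the VNC server are bound to all interfaces without being on the approved list, while the print spooler and mail submission service are loopback-only and pass; the same review run periodically, rather than once at build time, is what the text means by continuous hardening.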
The next topic is access control. In computer security, general access control includes authorisation,
authentication, access approval, and audit.
Cyber Essentials Control 3. User access control adopts elements of this definition in the
Requirements, including a regular review of special access privileges. It stops short though of calling
the process an 'audit'.
3. User access control
Objectives User accounts, particularly those with special access privileges (e.g.
administrative accounts) should be assigned only to authorised individuals, managed
effectively and provide the minimum level of access to applications, computers and
networks
User accounts with special access privileges (e.g. administrative accounts) typically have the
greatest level of access to information, applications and computers. When privileged
accounts are compromised their level of access can be exploited resulting in large scale
corruption of information, affected business processes and unauthorised access to other
computers across an organisation.
To protect against misuse of special access privileges, the principle of least privilege should
be applied to user accounts by limiting the privileges granted and restricting access.
Basic technical cyber protection for secure configuration
User accounts should be managed through robust access control. As a minimum:
1. All user account creation should be subject to a provisioning and approval process.
2. Special access privileges should be restricted to a limited number of authorised
individuals.
3. Details about special access privileges (e.g. the individual and purpose) should be
documented, kept in a secure location and reviewed on a regular basis (e.g.
quarterly).
4. Administrative accounts should only be used to perform legitimate administrative
activities, and should not be granted access to email or the internet.
5. Administrative accounts should be configured to require a password change on a
regular basis (e.g. at least every 60 days).
6. Each user should authenticate using a unique username and strong password before
being granted access to applications, computers and network devices.
7. User accounts and special access privileges should be removed or disabled when no
longer required (e.g. when an individual changes role or leaves the organisation) or
after a pre-defined period of inactivity (e.g. 3 months).
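The seven minimum requirements above translate naturally into a periodic account review. The following is an added example, not from the white paper or the scheme, that runs such a review over a constructed account inventory: it checks that privileged accounts are documented (requirement 3), that administrative accounts have no email or internet access (4), that their passwords are rotated within 60 days (5), and that enabled accounts idle for longer than the inactivity limit are flagged for disabling (7). The Account record, the interpretation of '3 months' as 90 days, and the sample accounts are assumptions.

```python
"""Added example, not from the white paper or the Cyber Essentials scheme:
a periodic review of a user-account inventory against the user access control
requirements (documented privileges, no email/internet for admin accounts,
60-day admin password rotation, disabling of inactive accounts).

The Account record, the 90-day reading of '3 months' and the sample
inventory are constructed for this example."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

ADMIN_PASSWORD_MAX_AGE_DAYS = 60   # requirement 5
INACTIVITY_LIMIT_DAYS = 90         # requirement 7 ("e.g. 3 months"), assumed as 90 days


@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool
    owner: str                     # individual responsible (requirement 3)
    purpose: str                   # why the privilege exists (requirement 3)
    last_password_change: date
    last_logon: Optional[date]     # None if the account has never been used
    enabled: bool
    mail_enabled: bool
    internet_allowed: bool


def review_account(acct, as_of):
    """Return the list of findings for one account, in a fixed check order."""
    findings = []
    if acct.privileged and not (acct.owner.strip() and acct.purpose.strip()):
        findings.append("privilege_undocumented")
    if acct.privileged and (acct.mail_enabled or acct.internet_allowed):
        findings.append("admin_has_email_or_internet")
    if acct.privileged and (as_of - acct.last_password_change).days > ADMIN_PASSWORD_MAX_AGE_DAYS:
        findings.append("password_rotation_overdue")
    if acct.enabled:   # disabled accounts are already dealt with
        idle = (as_of - acct.last_logon).days if acct.last_logon else None
        if idle is None or idle > INACTIVITY_LIMIT_DAYS:
            findings.append("inactive_disable")
    return findings


def review_accounts(accounts, as_of):
    """Map username -> findings for every account that has at least one."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, as_of)
        if findings:
            report[acct.username] = findings
    return report


AS_OF = date(2015, 1, 29)   # constructed review date

# Constructed inventory for a small office domain.
SAMPLE_ACCOUNTS = [
    Account("jsmith", False, "J Smith", "finance clerk",
            date(2014, 12, 1), date(2015, 1, 28), True, True, True),
    Account("jsmith-adm", True, "J Smith", "domain administration",
            date(2014, 10, 1), date(2015, 1, 20), True, True, False),   # admin with a mailbox
    Account("svc-backup", True, "", "",
            date(2013, 6, 1), date(2015, 1, 29), True, False, False),   # privileged, undocumented
    Account("contractor1", False, "Acme Ltd", "website build",
            date(2014, 7, 1), date(2014, 8, 15), True, True, True),     # long finished
    Account("Administrator", True, "IT", "built-in account, break-glass use only",
            date(2015, 1, 5), None, False, False, False),               # disabled: fine
]

if __name__ == "__main__":
    for user, findings in review_accounts(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{user}: {', '.join(findings)}")
```

The service account is the case worth noticing: it logs on every day, so an inactivity check alone would never surface it, but it carries undocumented special privileges and a password that has not changed in over a year, which is exactly the foothold the commentary below describes.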
Commentary:
The first step towards securing a small business network - or indeed any other kind of computer
network - is to understand what vulnerabilities an attacker is likely to exploit. You put yourself in the
position of an attacker. What is your primary task once you have 'infiltrated' (i.e. got into) a
network? It is not really a brainteaser question: just ask yourself what you would do in the real world
to gain access to valuable data assets?
Your job the moment you are in the system is to initiate escalation of privileges, which is how an
attacker attempts to gain more access from the established foothold that they have created. After
an escalation of privileges has occurred, there is little left in the system's defences to stop an
intruder from whatever intent that attacker has. Attackers employ many different mechanisms to
achieve an escalation of privileges (too many for this post!), but primarily they involve compromising
existing accounts, especially those with administrator equivalent privileges.
In most cases the bad guys need only hours to compromise a network (>75% of cases), whereas the
good guys rarely get their job done in less than months (incredibly, only about 25% of breaches are
detected in days or less). [Source: The 2014 Verizon DBIR Report: Time-to-Compromise vs. Time-to-Discovery]
After an attacker has compromised a network to the point where a critical account with high
privileges is compromised, the entire network can never be considered as completely trustworthy
again unless it is flattened and completely recreated. Therefore, the level of security for all manner
of accounts is a very important aspect of any network security initiative.
In the words of Microsoft Developer Network: "The matter of managing the security for all account
types in a network is very important to managing risk for a midsize business network. Internal and
external threats must be taken into account, and the solution to these threats must balance the
need for security with the functionality a midsize business demands from their network resources."
As a small business grows, the number of all types of accounts increases, and so too do the number
of exploitable vulnerabilities. However, this is often forgotten in the priorities set by management in
the commercial pressure to expand.
Personally, I consider the control themes in this Requirement to be one of the most useful aspects of
Cyber Essentials. Administrative accounts should only be used to perform legitimate administrative
activities, and should not be granted access to email or the internet. SMEs and quite a few large
organisations need to understand the cyber risks associated with administrative, service,
application-related, and default accounts.
At this point it is worth remembering that the National Security Agency (NSA) is the font of
information security wisdom for the US defence and intelligence communities. Yet, despite having
every reason to get cyber security right, NSA's network security was apparently so weak that a single
administrator was able to hijack the credentials of a number of NSA employees with high-level
security clearances and use them to download data from the agency's internal networks - so the
problem really exists.
The administrator referred to here was, allegedly, Edward Snowden!
[Source: "Sysadmin security fail: NSA finds Snowden hijacked officials' logins", Ars Technica, Sean
Gallagher, Aug 29 2013, 10:40pm GMTDT].
Perhaps it isn't just the smaller enterprises that need Cyber Essentials?
2. Malware protection software (including program code and malware signature files)
   should be kept up-to-date (e.g. at least daily, either by configuring it to update
   automatically or through the use of centrally managed deployment).
3. Malware protection software should be configured to scan files automatically upon
   access (including when downloading and opening files, accessing files on
   removable storage media or a network folder) and scan web pages when being
   accessed (via a web browser).
4. Malware protection software should be configured to perform regular scans of all
   files (e.g. daily).
5. Malware protection software should prevent connections to malicious websites on
   the internet (e.g. by using website blacklisting).
The scope of malware protection in this document covers desktop PCs, laptops and servers
that have access to or are accessible from the internet. Other computers used in the
organisation, while out of scope are likely to need protection against malware as will some
forms of tablets and smartphones.
Website blacklisting is a technique used to help prevent web browsers connecting to
unauthorised websites. The blacklist effectively contains a list of malicious or suspicious
websites that is checked each time the web browser attempts a connection.
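The blacklist check just described is simple in principle but has a few edge cases worth getting right, so here is an added example (not from the white paper) of the lookup applied both to single URLs and to constructed proxy log lines. The blacklist entries, the log format and the sample lines are all constructed; the `.test` and `.example` names are reserved and never resolve to real sites. Matching is on the host and its parent domains, never on substrings, so an entry for one domain neither misses its subdomains nor catches unrelated names that merely contain it.

```python
"""Added example, not from the white paper: website-blacklist lookup as
described in Control 4, applied to URLs and to constructed proxy log lines.

The blacklist, the log format and the sample lines are constructed."""
from urllib.parse import urlsplit

# Constructed blacklist; .test and .example are reserved names, never real sites.
BLACKLIST = {"malware-example.test", "phish.example"}


def host_of(url):
    """Return a normalised hostname: lower-case, without port, userinfo or
    trailing dot. Returns None if the URL carries no host at all."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname   # already lower-cased by urlsplit
    return host.rstrip(".") if host else None


def is_blocked(url, blacklist=BLACKLIST):
    """True if the URL's host, or any parent domain of it, is blacklisted.
    The bare top-level label is never tested on its own, and matching is by
    whole labels, so 'notmalware-example.test' does not match
    'malware-example.test'."""
    host = host_of(url)
    if not host:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels) - 1))


# Constructed proxy log lines: timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = """\
2015-01-29T10:01:02 10.0.0.5 GET http://www.example.org/
2015-01-29T10:01:09 10.0.0.5 GET http://cdn.malware-example.test/loader.js
2015-01-29T10:02:31 10.0.0.7 GET HTTP://MALWARE-EXAMPLE.TEST.:8080/a
2015-01-29T10:03:00 10.0.0.9 GET http://notmalware-example.test/
2015-01-29T10:04:15 10.0.0.9 GET http://phish.example.evil.example/login
2015-01-29T10:05:40 10.0.0.2 GET http://user@phish.example/login
"""


def blocked_requests(log_text, blacklist=BLACKLIST):
    """Return (client, url) for each well-formed log line whose URL the
    blacklist would have stopped."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, _, url = parts
        if is_blocked(url, blacklist):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in blocked_requests(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}: blocked")
```

Note the third and sixth sample lines: upper-case letters, a trailing dot, an explicit port and a userinfo prefix are all stripped by the normalisation step before the lookup, so the same site cannot slip past the list by being written differently. The fifth line is not blocked because the listed domain appears only as a prefix of a different domain.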
Commentary:
Cyber Essentials assumes that 'robust malware protection' will help to protect your system. That
protection comes from 'malware protection software' (the Objectives section avoids the outdated
term 'antivirus').
The aim of course is to protect against human nature and the inevitable introduction of commonly
found types of malicious software to a system. There's no mention here of highly sophisticated,
targeted, zero-day and persistent advanced malware threats that Advanced Malware Protection
(AMP) for Networks is designed to provide - at a price few could afford.
Malware is commonly spread by people clicking on an email attachment or a link that launches the
malware. Therefore, the best general advice to any organisation is: tell your staff about the risks
before you get infected!
Don't open attachments or click on links unless you're certain they're safe, even if they come from a
person you know. Some malware sends itself on through an infected computer. While the email may
appear to come from someone you know, it really came from a compromised computer.
Relying purely on your malware protection software is not a good idea. You should take steps to
raise staff awareness of the external threats, and what steps they can take as individuals to avoid
malware infection.
Personally, I would like to have seen a reference to training employees in cyber security awareness
and incident reporting rather than total reliance on software tools: both are important in reducing
the risk of data breach.
Likewise, there should be a 'health warning' about advanced persistent threats to dispel the notion
that Cyber Essentials controls are effective against 100% of the malware attacks perpetrated by
determined hackers.
However, what Control 4 attempts to do is probably a realistic goal for 'essential security' given the
limited aims of Cyber Essentials certification.
And so, finally, we arrive at the fifth and final Cyber Essentials Control:
5. Patch management
Objectives Software running on computers and network devices should be kept up-to-date
and have the latest security patches installed.
Any computer and network device that runs software can contain weaknesses or flaws,
typically referred to as technical vulnerabilities. Vulnerabilities are common in many types of
popular software, are frequently being discovered (e.g. daily), and once known can quickly
be deliberately misused (exploited) by malicious individuals or groups to attack an
organisation's computers and networks.
Vendors of software will typically try to provide fixes for identified vulnerabilities as soon as
possible, in the form of software updates known as patches, and release them to their
customers (sometimes using a formal release schedule such as weekly). To help avoid
becoming a victim of cyber attacks that exploit software vulnerabilities, an organisation
needs to manage patches and the update of software effectively.
Basic technical cyber protection for patch management
Software should be kept up-to-date. As a minimum:
1. Software running on computers and network devices that are connected to or
capable of connecting to the internet should be licensed and supported (by the
software vendor or supplier of the software) to ensure security patches for known
vulnerabilities are made available.
2. Updates to software (including operating system software and firmware) running
on computers and network devices that are connected to or capable of connecting
to the internet should be installed in a timely manner (e.g. within 30 days of
release or automatically when they become available from vendors).
3. Out-of-date software (i.e. software that is no longer supported) should be
removed from computer and network devices that are connected to or capable of
connecting to the internet.
4. All security patches for software running on computers and network devices that
are connected to or capable of connecting to the internet should be installed in a
timely manner (e.g. within 14 days of release or automatically when they become
available from vendors).
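The four requirements above give concrete deadlines, which makes them easy to check mechanically against a software inventory. The following is an added example, not from the white paper or the scheme, that does so: unsupported software is listed for removal (requirement 1), updates not applied within 30 days (2) and security patches not applied within 14 days (4) are reported as overdue, and updates that were eventually applied after their deadline are reported as late. The inventory, the update names and the dates are constructed, and the `KB-example` identifiers are placeholders rather than real update numbers.

```python
"""Added example, not from the white paper or the Cyber Essentials scheme:
check a software inventory against the patch-management deadlines (security
patches within 14 days, other updates within 30 days) and list unsupported
software for removal.

The inventory, update names and dates are constructed; 'KB-example-*' are
placeholders, not real update identifiers."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

DEADLINES = {"security": 14, "update": 30}   # days after release (requirements 4 and 2)


@dataclass(frozen=True)
class Update:
    name: str
    kind: str                   # "security" or "update"
    released: date
    installed: Optional[date]   # None if not yet installed


@dataclass(frozen=True)
class Software:
    name: str
    supported: bool             # vendor still supplies security patches (requirement 1)
    updates: List[Update] = field(default_factory=list)


def deadline(update):
    """Latest acceptable install date for an update of this kind."""
    return update.released + timedelta(days=DEADLINES[update.kind])


def patch_findings(inventory, as_of):
    """Return (software, item, finding, days) tuples: unsupported software to
    remove, updates still missing after their deadline, and updates that were
    applied late. Software still within its window produces no finding."""
    findings = []
    for sw in inventory:
        if not sw.supported:
            findings.append((sw.name, "-", "unsupported: remove", 0))
            continue
        for u in sw.updates:
            due = deadline(u)
            if u.installed is None:
                if as_of > due:
                    findings.append((sw.name, u.name, f"{u.kind} overdue", (as_of - due).days))
            elif u.installed > due:
                findings.append((sw.name, u.name, f"{u.kind} installed late", (u.installed - due).days))
    return findings


AS_OF = date(2015, 1, 29)   # constructed review date

# Constructed inventory for a small office.
SAMPLE_INVENTORY = [
    Software("Windows 7 workstation", True, [
        Update("KB-example-1", "security", date(2015, 1, 13), date(2015, 1, 14)),   # applied next day
        Update("KB-example-2", "security", date(2014, 12, 9), None),                # still missing
    ]),
    Software("Java runtime", True, [
        Update("security-2015-01", "security", date(2015, 1, 20), None),            # 9 days old: in window
    ]),
    Software("PDF reader (end-of-life)", False),                                     # no more patches
    Software("Office router firmware", True, [
        Update("fw-2.1", "update", date(2014, 11, 15), None),                       # firmware counts too
    ]),
    Software("Web browser", True, [
        Update("release-35", "update", date(2014, 12, 1), date(2015, 1, 10)),       # applied 10 days late
    ]),
]

if __name__ == "__main__":
    for sw, item, finding, days in patch_findings(SAMPLE_INVENTORY, AS_OF):
        print(f"{sw}: {item} {finding}" + (f" by {days} days" if days else ""))
```

The Java entry is there to show the other side of a deadline check: a nine-day-old security patch is not yet a finding, so the report stays actionable instead of listing everything that is merely pending. Firmware is included deliberately, since requirement 2 names it and, as the commentary below notes, network devices are the ones most often left behind.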
Commentary:
Reasonable steps in a sensible approach. I particularly like the reference to removal of out-of-date
software. If you don't need it, get rid of it - fast! There's no point in leaving redundant, unpatched
application software on a system to help the hacker in their job. De-cluttering improves security.
Defining time limits for applying software updates (i.e. within 30 days of release, or automatically
when they become available from the vendor) and, for security patches, 14 days or automatically,
for software running on computers or network devices, is, I think, a useful security benchmark.
Less helpfully, there are no specific remarks about patching and updating firewalls, IDS and NIDS
(Network Intrusion Detection Systems), which often get a low priority relative to applying OS
patches but are in constant need of attention and monitoring. The alternatives to doing this yourself
or building a dedicated in-house team are: (a) outsourcing to a systems security or networking
company experienced at dealing with installations and on-going configuration of devices on a daily
basis; or (b) using cloud services from public cloud providers like Google Inc. and Amazon Inc. to host
services and applications, thereby side-stepping the need for a complex, time-consuming and
expensively-owned network architecture.
But how then do you provide assurance that external service providers, especially for cloud services,
comply with Cyber Essentials requirements?
5.1 Who will test cloud services for compliance with Cyber Essentials?
Penetration testers and ethical hackers are increasingly used to evaluate the security of cloud-based
applications, services, and infrastructures. In my view, the popularity of penetration testing (pen
testing) will increase as public cloud services change the world of physical server-based IT into a
virtual one. The type of cloud will dictate though whether pen testing is possible. For the most part,
Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) clouds will permit pen testing.
However, Software as a Service (SaaS) providers are not likely to allow customers to pen test their
applications and infrastructure - even if they are applying for Cyber Essentials - with the exception of
third parties performing the cloud provider's own pen tests for compliance or security.
Infrastructure as a Service (IaaS) providers (such as Amazon, Rackspace, or ElasticHosts) can offer
your organisation use of their "bare metal" infrastructure to develop and deploy applications on any
platform or OS (almost). They do not usually provide automatic OS updates, however.
Even for the Cloud users, Patch Tuesdays could remain part of the landscape!
6 Conclusions
These are the key messages that you should take away:
- Cyber Essentials is not a kite mark or a standard, but the badge could still be of significant
  commercial value for companies doing business in the UK.
- It is called Essentials for a reason: do not expect the control set to be exhaustive compared
  to e.g. ISO/IEC 27001:2013. Think of it as following the 80/20 rule.
- The scheme looks most suited to SMEs. The cost is not exorbitant and the time commitment
  is do-able. Larger organisations might look to ISO 27001 instead.
- Badging is for your company and its internal IT systems. The scheme is not very applicable to
  any form of IT or software-as-a-service (SaaS).
- Cloud service providers should look elsewhere (for example, the UK Government's Cloud
  Service Security Principles).
- The decision not to include risk assessment in Cyber Essentials is a risk in itself.
- The advice is free and worth reading, especially if you augment it with other free resources
  such as the Security Configuration Benchmarks.
- When evaluating your network for vulnerabilities, don't overlook the internet router /
  wireless access point as a primary point of attack.
Company Information
Registered Office :
Cognidox Limited
St Johns Innovation Centre
Cowley Road
Cambridge CB4 0WS
UK
salesinfo@cognidox.com
Telephone