There are two levels:
- Basic level, where the CEO or MD of a company self-certifies that the following elements have been introduced and tested:
  - Boundary firewalls and internet gateways
  - Secure configuration
  - Access controls
  - Malware protection
  - Patch control
  - The declaration and completed questionnaire are reviewed by the assessing body.
- Cyber Essentials Plus, where the six elements are introduced and then externally audited and a certificate is issued.
I have heard that these two assessments are more akin to a vehicle MOT and provide the bare essentials for computer safety.
Many organisations have achieved certification to the widely known ISO 27001:2013 Information Security Management Standard and ISO 27002 Code of Practice, which cover all of the Cyber Essentials requirements but go much further and address:
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
We have yet to hear whether Government will accept ISO 27001 as evidence of IT security, or will require one or both certifications as tender entry qualifications.
Watch this space!!