Cyber Essentials: What Is It?

Cyber Essentials: What Is It

Cyber Essentials is a standard created by the National Cyber Security Centre (NCSC) which acts as a minimum baseline for cyber security of UK organisations.

Companies are required to be at this standard to take on UK Government contracts.  Some other commercial contracts, insurers, regulators and grants also require organisations to be at the Cyber Essentials standard.

Companies that achieve Cyber Essentials certification need to renew this annually by completing the questionnaire truthfully and having a third party assess it to confirm compliance in all questions. 

Cyber Essentials Plus is the advanced version of the same standard but requires a hands-on audit of the applying organisation's systems to be completed by an external assessor to check and confirm compliance with the standard.

The certification includes cyber liability insurance for UK organisation's with an annual turnover of less than £20m which covers organisations up to £25,000. There are options to increase the indemnity limit for an annual premium if required.  More information can be found on IASME's website: Cyber Liability Insurance - Cyber Essentials

Cyber Essentials Updated To Willow: What You Need To Know 

The Cyber Essentials scheme has had its question set updated.

As of the 28th of April, the self-assessment questionnaire has transitioned from the "Montpellier" version to the "Willow" version. All assessments are now judged against the Willow standard for compliance.

This represents the evolving Cybersecurity landscape. As the bad actors continue to evolve, organisations must also continue improving their security to maintain a strong defence against incoming attacks.

Willow: What's New?

The question set now includes much clearer definitions and requirements for many of the requirements, guiding organisations through the necessary controls and procedures needed for implementing the Willow standard throughout their IT environment. There have been many additional questions included in the new standard.

A number of changes have been made to the questions and requirements with the new Willow standard. Noteworthy changes are listed below:

• It is now required for organisation's to keep an up-to-date inventory with all devices and software that are in scope. This includes, company-issued and personal devices (that access company resources), cloud devices, networking equipment, and installed applications. Microsoft Defender for Endpoint is an example of a suitable product that can provide a device/software inventory that can easily be reviewed when needed. (Device inventory - Microsoft Defender for Endpoint | Microsoft Learn)

• Personal device requirements have been ramped up. Under the new Willow standard, there must be clear Bring Your Own Device (BYOD) policies, enforced controls such as device encryption, unlocking mechanisms, screen locks, etc.., and staff must understand their responsibilities. (The ultimate guide to BYOPC and BYOD: What they are and how they impact the modern workplace | Microsoft)

• Firmware has been added to the software umbrella, meaning organisations must now monitor for out-of-date firmware and remediate as soon as vulnerabilities are found.

• Passwordless authentication is now an MFA option for certain situations such as accessing firewall config, externally hosted services, and internal infrastructure. (Passwordless authentication | Microsoft Security)

• High and critical patches are now referred to as "Vulnerability Fixes" which include additional remediation techniques like scripts, registry edits, and vendor- advised fixes. Cyber Essentials now mandates that all vulnerabilities with a CVSS base score of 7.0 or above require to be addressed. (What Is the Common Vulnerability Scoring System (CVSS)? | IBM)

Cyber Essentials: Is It For You?

Cyber Essentials should be a baseline for all organisations to follow to ensure they are operating securely and have procedures in place to minimise their attack surface.

Attackers are always adapting and evolving their abilities, the Cyber Essentials accreditation gives proof to potential customers and partners that your company is also adapting and evolving with the everchanging cybersecurity landscape. 

If your organisation is looking to confirm their security stance and improve potential weak areas, Cyber Essentials is the perfect standard for you to judge your company against. By confirming your compliance with the Willow standard, you'll rest easier at night knowing that your organisation has the latest controls and procedures in place to reduce the risk and impact of a successful attack.

We offer assistance for businesses looking to achieve Cyber Essentials, if your company is looking to be compliant with the latest Willow standard, please get in touch via our Contact page.