Cyber Essentials Procurement Policy: Navigating the New Era of Cybersecurity
Introduction
In an era where cyber threats are escalating, understanding the significance of cyber security is paramount. The UK government’s Cyber Essentials Scheme is a critical initiative in this regard. This blog post explores the scheme’s evolution, its current state, and its implications for various stakeholders.
Significance of Cyber Security: In the face of escalating cyber threats, understanding and prioritising cyber security is crucial.
UK Government’s Cyber Essentials Scheme: Introduced in 2014, the scheme aimed to establish the UK as a leader in internet security and provide businesses with a roadmap for mitigating internet-based threats.
Evolution of the Scheme: The Cyber Essentials Scheme has evolved over time, with the 2023 update expanding its scope and refining the certification process. This includes annual renewals and proportionate controls based on contract nature.
Certification Levels: The scheme offers two levels – Cyber Essentials and Cyber Essentials Plus. The former focuses on foundational controls, while the latter involves a more rigorous assessment, including an additional internal scan and an on-site assessment.
Limitations and Considerations: While comprehensive, the scheme does not cover specific product assurances or advanced targeted attacks. Its relevance varies based on individual circumstances and contract types.
Implications for Stakeholders: The scheme significantly impacts government departments, suppliers, and contractors, necessitating timely implementation, risk assessments, clear contract documentation, and continuous vigilance.
Practical Application: The scheme’s application varies based on contract types, with a focus on contracts involving sensitive data handling, IT infrastructure, cloud services, and R&D.
Latest Directive (PPN 09/23): The Procurement Policy Note 09/23, published in September 2023, marks a significant shift in how organisations should tackle cyber threats. It is a mandate for Central Government Departments, Executive Agencies, Non-Departmental Public Bodies, and NHS bodies, with a deadline for implementation set around mid-December 2023.
Deadline for Implementation: Organisations mentioned in PPN 09/23 must implement the new directive within three months of its publication, setting the deadline around mid-December 2023.
Impact on Existing Goals: If an organisation was working towards Cyber Essentials, the recent update (PPN 09/23) means that certification must be attained sooner than expected.
The Evolution of the Cyber Essentials Scheme
The realm of cyber security is dynamic, requiring policies like the Cyber Essentials Scheme to evolve. Launched in 2014, this scheme initially focused on establishing the UK as a leader in internet security and providing businesses with a clear roadmap for mitigating common internet-based threats. The 2023 update expanded its scope and refined the certification process, emphasising annual renewals and proportionate controls based on contract nature.
Key Features of the Cyber Essentials Scheme
This scheme is designed to provide organisations with foundational technical controls to significantly reduce the risk of prevalent cyber threats. These controls include:
- Boundary Firewalls and Internet Gateways: Minimise potential attack surfaces by exposing only necessary network services.
- Secure Configuration: Ensure systems are configured securely and unnecessary functionalities are disabled.
- Access Control: Implement robust user authentication processes.
- Malware Protection: Deploy timely and updated malware protection.
- Patch Management: Regularly update and patch software to protect against known vulnerabilities.
Certification Levels
The scheme offers two certification levels – Cyber Essentials and Cyber Essentials Plus. The basic level focuses on foundational controls, while the Plus level involves a more rigorous assessment, including an additional internal scan and an on-site assessment.
Limitations and Considerations
While comprehensive, the scheme doesn’t cover specific product assurances or advanced targeted attacks. Its relevance varies based on individual circumstances and contract types.
Implications for Different Stakeholders
The scheme’s introduction and updates have significantly impacted government departments, suppliers, and contractors. It necessitates timely implementation, risk assessments, clear contract documentation, and continuous vigilance for government entities. For suppliers and contractors, it emphasises certification requirements, annual renewals, and staying informed about updates.
Practical Examples and Scenarios
The scheme’s application varies based on contract types. It’s crucial for contracts involving sensitive data handling, IT infrastructure, cloud services, and R&D. However, not all contracts, like general procurement, mandate certification.
The Road Ahead
Big changes are afoot in the world of cybersecurity! The latest Procurement Policy Note (PPN 09/23), published on 19 September 2023, marks a significant shift in how organisations should tackle cyber threats. This new directive replaces the previous PPN 09/14, bringing fresh perspectives and robust strategies to the forefront.
If you’re part of a Central Government Department, an Executive Agency, a Non-Departmental Public Body, or an NHS body, this update is especially relevant for you. PPN 09/23 is not just a recommendation; it’s a mandate that needs to be implemented within three months of its publication. That sets the deadline around mid-December 2023.
Conclusion
You may have previously been working towards Cyber Essentials. The recent news means your goalposts have been brought forward and you must attain certification sooner than expected.
Frequently Asked Questions
Cyber Essentials Basic
- We provide you with access to our secure Cyber Essentials portal.
- You answer the questions.
- We provide feedback if needed.
- Once the feedback is implemented, we provide you with a certificate.
Cyber Essentials Plus
- You achieve Cyber Essentials Basic.
- We scope your assets (see scoping).
- We arrange a suitable time for remote assessment with selected users.
- We send a vulnerability scanning agent and run the scan remotely.
- We conduct a short remote screen-share session with selected users.
- We provide feedback, which you implement.
- Once the feedback is implemented, we issue your certificate.
Cyber Essentials Basic renewals can be achieved in 1 day, provided you have already implemented the controls. Otherwise it can take a week or two, depending on the feedback you receive and what you need to implement.
Cyber Essentials Plus can be assessed and certified in 1 day. Large organisations often require 2 days.
If you are aiming for CE+, you must achieve CE+ certification within 3 months of attaining CE Basic certification; otherwise you will have to renew CE Basic before aiming for CE+ again.
You have 6 months from when you are given access to the portal to answer your Cyber Essentials questions.
Both CE and CE+ last for 12 months from the certification date. If you wish to remain on the NCSC register, https://www.ncsc.gov.uk/cyberessentials/search, you will need to renew each year.
We offer guidance with all our services. Our ‘supported’ packages come with a CREST Registered Assessor who will work with you throughout. Those who are confident with the standard and may only require feedback on one or two occasions can opt for the unsupported service.
The Plus assessment offers a more thorough review, including a vulnerability scan and a review of device configurations, both of which are beneficial in defending against attack. If the contract you're aiming for requires Cyber Essentials Plus, you will also need this level. Our tools and checks almost always reveal security issues that the IT team is unaware of.
Yes, we can conduct a security assessment review and provide guidance on what remediations are required to ensure you pass first time.
End-user devices, servers and cloud services.

| Number of each operating system | Sample size |
|---|---|
| 1 | 1 |
| 2-5 | 2 |
| 6-19 | 3 |
| 20-60 | 4 |
| 61+ | 5 |
No, we conduct almost all of our assessments remotely. We only need to go onsite for our MOD clients (Ministry of Defence) who do not allow remote connections.
We usually use Microsoft Teams, Google Meet or Zoom. We also use a remote vulnerability scanner which is simple and quick to install, taking around 1 to 2 minutes of the user's time.
Each user within the scope will need to screenshare for approximately 20 minutes each.
You will need IT resources available to apply any remediations discovered during the vulnerability scan.
We can use your scanner if you use Tenable or Qualys. The assessor must see the scan configured and run; we can't accept your pre-run reports.
Yes, we offer a range of scanning options for organisations of all sizes, small and large. See Vulnerability Scanning.
See our Cyber Essentials Plus Process.