Cyber Essentials is a government-backed scheme that helps businesses of all sizes protect themselves from common cyber threats. The scheme sets out five technical controls companies must implement to achieve certification. These controls protect against the most common cyber attacks, such as malware, phishing, and denial-of-service attacks.
Cyber Essentials Certification
The basic steps towards Cyber Essentials Certification are:
- Step 1: Decide what parts of your business are in scope for Cyber Essentials. This could be everything or just certain departments or systems.
- Step 2: Read through the five technical controls and understand what each one means.
- Step 3: Take the necessary steps to implement all five controls. This may involve changing your IT infrastructure, policies, and procedures.
- Step 4: Once confident you meet all the requirements, apply for Cyber Essentials certification.
Cyber Essentials Requirements for IT Infrastructure
The Cyber Essentials requirements for IT infrastructure are organised under five technical audit and control areas. As a Cyber Essentials scheme applicant, you must ensure that your organisation meets all the five Cyber Essentials requirements for IT infrastructures. You might also be required to supply evidence before your certification body can award certification at the level for which you’re applying.
To learn about the IT infrastructure requirements, we have included a description of each Cyber Essentials requirement and its aim from the Cyber Essentials certification perspective in the following section.
Aim: Establish effective boundary firewalls and internet gateways to protect your network from cyber threats.
Description: Firewalls are an essential line of defence in network security. They are used to prevent unauthorised access to or from a private network.
Requirements: The firewall must have a non-default, strong administrative password, include two-factor authentication or an IP whitelist, contain default settings to block unauthenticated, document and approve to accept incoming network connections for required services, and have settings to disable and adjust settings as needed.
2. Secure Configuration
Aim: To ensure that systems and cloud services are configured most securely for the organisation’s needs.
Description: Secure configuration involves hardening your systems and applications by changing the default settings to reduce vulnerabilities.
Requirements: You must be able to change passwords, remove or deactivate unnecessary user accounts, remove unused or unnecessary software and applications, turn off auto-run features that don’t need authorisation, and authenticate users before they access sensitive data.
3. User Access Control
Aim: To manage the creation of user accounts and administer the associated controls. Users should only be provided with access to the services deemed necessary by the business.
Description: User access control involves managing who has access to your resources and ensuring they can only access the data they need.
Requirements: User access control must require an approval process for user account creation, require user authentication before additional access is granted, utilise two-factor authentication where possible, disable unnecessary user accounts, restrict the use of administrative accounts, and revoke additional access when no longer required.
4. Malware Protection
Aim: To ensure that virus and malware protection is installed and is up to date.
Description: Malware protection involves using software to prevent, detect, and quarantine/remove malicious software from your systems.
Requirements: You must ensure that malware protection is active on all devices in scope. All anti-malware software has to be updated in line with vendor recommendations, preventing malware from running, preventing the execution of malicious code, and preventing connections to malicious websites over the internet.
5. Security Update Management
Aim: To keep your devices, software, and apps up to date to protect your systems from the latest threats.
Description: Security update management involves regularly updating and patching your systems to fix known vulnerabilities.
Requirements: Security update management helps to keep existing software up to date and reduces the business risk of security flaws or gaps in protection. You must retain all licensed and supported software, remove unsupported software from devices, enable automatic updates if possible, and update to the latest versions within 14 days of release where automatic updates are unavailable.
Example: A company might set their servers to automatically install security updates as soon as they are released to ensure they are always running the latest, most secure version of their software.
Implementing the Cyber Essentials controls can help businesses improve their security posture, and taking this implementation to Cyber Essentials Plus levels will significantly reduce their risk of cyber attack. The scheme is also a valuable marketing tool, showing customers that the business is serious about cyber security.
Official NCSC Guidance on Cyber essentials requirements for IT infrastructure
Cyber Essentials requirements for its infrastructure latest version from the National Cyber Security Centre is v3.1. It is important to ensure a good understanding of the scope and certification process:
As an organisation and for IT/security teams, ensuring the in line with the document mentioned above is to your benefit. This will act as a cost saver but adds to accountability with internal teams to ensure everyone’s aware of the certification process and prerequisites. Should you need support for this and handling the readiness of the certification, get in touch with the Cyphere team.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.