How To Get Cyber Essentials Certified?
Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber attacks. Poor cyber security can damage your reputation and cost you business whereas strong cyber security can boost your reputation and win you more business at home and overseas.
Cyber Essentials certification has been mandatory for suppliers* to the MOD since 1 January 2016.
Based on the Cyber Security Breaches Survey 2017**, only one in ten businesses have a cyber security incident management plan in place, despite just under half (46%) of all UK businesses identifying at least one cyber security breach or attack in the last 12 months. The report also highlighted that around 13% of UK businesses are attacked daily, and that this is more prevalent where the core business functionality is not online focused.
It is also estimated that security breaches will continue to increase in the next year. The survey found 59% of respondents expected to see more security incidents. Businesses need to ensure their defences keep pace with the threat.
Download our free Scheme Summary to find out more.
*Applicable to all new MOD contracts which involve the transfer or creation of MOD identifiable information
**UK Gov, The Information Security Breaches Survey – Department of Business, Innovation & Skills
The Defence Cyber Protection Partnership (DCPP) is a joint MOD/industry initiative initiated in 2012 and established in 2013.
Since 2016, the DCPP has stated that all suppliers bidding for new MOD requirements which include the transfer of ‘MOD identifiable information’ should achieve Cyber Essentials certification by the contract start date.
The DCPP recognises Cyber Essentials as the basis for good cyber security practice and has incorporated it as the foundation of the Cyber Security Model.
The lowest DCPP risk level (‘Very Low’) requires only that the supplier achieves Cyber Essentials, with all other levels requiring Cyber Essentials Plus in addition to the DCPP-specific controls. It is recommended that all suppliers achieve compliance with Cyber Essentials in preparation for the implementation of the Cyber Security Model for Defence.
Cyber Requirements For Ministry Of Defence Suppliers And Sub-Contractors
The MOD is committed to ensuring Defence and its supply chain are appropriately protected from cyber threats. The Defence Cyber Protection Partnership (DCPP) includes Cyber Essentials within its Cyber Security Model (CSM) as a proportionate means for suppliers to demonstrate baseline security controls. The CSM applies to all MOD contracts and suppliers will be required to demonstrate that they have achieved the appropriate level of certification.
The Cyber Security Model makes it clear to defence suppliers that to win defence tenders they must meet the cyber security requirements based on the risk profile of the contracts being published through DCI.
The Cyber Essentials scheme represents a small yet essential part of defending against cyber threats.
Requirements for ‘Very Low’ risk contracts
The following requirements apply to all suppliers bidding for MOD contracts which have been categorised by Risk Assessment as Very Low risk:
- Suppliers must hold valid Cyber Essentials certification by the contract start date;
- this certification must be renewed annually;
- The scope of the certification should cover the supplier’s relevant operations and network boundary which will be used to deliver the MOD contract.
Requirements for ‘Low’, ‘Moderate’ and ‘High’ risk contracts
The following requirements apply to all suppliers bidding for MOD contracts which have been categorised by Risk Assessment as Low, Moderate or High risk:
- Suppliers must hold valid Cyber Essentials Plus certification by the contract start date;
- this certification must be renewed annually;
- The scope of the certification should cover the supplier’s relevant operations and network boundary which will be used to deliver the MOD contract.
The UK defence market is worth over £20 billion per annum and Cyber Essentials can support your business in its efforts to become a supplier to the defence sector.
Any supplier bidding for a contract that involves the transfer of MOD identifiable information needs to be Cyber Essentials certified.
In a speech at the Institute of Directors in March 2017, Minister for Digital and Culture Matt Hancock said: “I mentioned the Government already requires many of its suppliers to hold a Cyber Essentials certificate. We’ll be strengthening this requirement to ensure even more of our contractors take up the scheme.”
What’s The Difference Between Cyber Essentials & Cyber Essentials Plus?
The complete Cyber Essentials scheme is made up of two progressive stages – Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials
Cyber Essentials is the first stage and is a foundation level certification that provides a clear statement of the basic controls your organisation should have in place to mitigate the risk from common cyber threats.
Cyber Essentials Plus
Cyber Essentials Plus is the second stage and is a more rigorous test of your organisation’s cyber security systems, where our cyber security experts carry out on-site vulnerability tests to ensure that your organisation is protected against basic hacking and phishing attacks.
Differences Between The Two
The difference between the two is the on-site vulnerability tests that are carried out for Cyber Essentials Plus certification. All organisations seeking certification must complete the first stage (Cyber Essentials), but some organisations, depending on their structure and the severity of the risks they face, will need to complete Cyber Essentials Plus.
Cyber Essentials Plus is commonly seen as the demonstration of an organisation’s IT maturity. We would recommend Cyber Essentials Plus if your organisation has over 250 members of staff, each with one or more connected devices.