Launched by the UK Government in 2014, the Cyber Essentials scheme is focused on providing organisations with clarity on the essential security controls they need to have in place to reduce the risk posed by threats on the Internet. The scheme addresses five key controls which, according to the government, could prevent around 80% of cyber-attacks when implemented correctly.
Caretower Consultancy Services for Cyber Essentials Certification
Our Cyber Essentials Certification service helps your organisation attain Cyber Essentials certification at the Standard or Plus level. We do this by providing network and security audits, vulnerability scans, risk and gap analysis, GPO rule reviews and other reviews based on the assessment expectations and requirements of the independent assessor.
The Five Key Controls to be Assessed for Certification
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
Our Cyber Essentials Certification service is offered at a Standard or Plus level.
Cyber Essentials Standard
Typically, our support and consultancy is conducted over a one-day period in order to get your organisation ready for the independent assessment. Once you are ready, we appoint a completely independent body to carry out the assessment.
- Our consultant will conduct a vulnerability scan/audit to understand the IT infrastructure and assess your organisation’s readiness against the five basic security controls. This provides the data for a gap analysis showing any deviations from the Cyber Essentials Standard expectations and how they may affect the certification process and your application.
- The consultancy day is arranged once the mitigation/solutions package has been deployed. The main purpose of the day is to ensure that the gaps identified in the analysis have been suitably remediated and to complete the Cyber Essentials questionnaire. Caretower's consultant then submits the application, liaising with the independent assessor, who verifies the information provided and awards certification if the required level of compliance has been reached.
Cyber Essentials Plus*
Cyber Essentials Plus provides a much higher level of assurance: our consultancy delivers extensive in-depth support, auditing, and readiness gap and risk analysis against the five key controls. As with our Standard level service, we appoint an independent certification body to provide its own qualified assessor to carry out the assessment. The assessor examines the same five controls as Cyber Essentials. The assessment also includes testing that the five security controls work in practice by simulating basic hacking and phishing attacks.
- Based on a full project plan assessment, your consultant will conduct a two-day workshop to review compliance with the existing Cyber Essentials (CE) certification and to assess your readiness against the five basic security controls, at each location if multiple company sites are involved.
- The project will progress with site visits to complete technical audits of the in-scope systems, sampling 50% of the applicable hardware and software against the five security controls.
- Additional consultancy will involve low-level penetration tests based upon the assessor's plan of "simulating basic hacking and phishing attacks". Our Penetration Testing Department will undertake these low-level simulations in readiness for the independent tests.
*Cyber Essentials Plus involves a technical audit of the systems that are in scope for Cyber Essentials. This includes a representative set of user devices, all internet gateways and all servers with services accessible to authorised/unauthenticated internet users. The independent assessor will test a suitable random sample of these systems (typically around 10 per cent) and then decide whether further testing is required. The independent assessor will need to visit the organisation's office and a representative sample of subsidiary offices in order to carry out the tests. The number of other offices visited depends on the complexity of your organisation; in a multinational organisation the independent assessor may need to visit a number of countries. Some tests may be carried out remotely, provided that the agreed on-site visits have been carried out.
To find out more about how our Cyber Essentials Certification service can support your business, contact us here.