With threats constantly evolving, most organisations require professional help to mitigate cyber risk and to implement the right levels of cyber security.
However, many organisations are challenged to identify trusted suppliers that have access to competent, qualified experts. CREST is a not-for-profit industry body whose role is to create and maintain high standards within the technical information security industry, and to drive a consistency of quality across its member organisations. Any organisation that is procuring Cyber Essentials services can therefore rest assured that CREST Cyber Essentials certifying bodies have:
• Demonstrated appropriate levels of quality assurance processes, security controls and security assessment methodologies, and met additional qualification criteria.
• Signed a Code of Conduct.
• Proven access to technically competent and qualified staff.
• Committed to abiding by the requirements of Certification Bodies for Cyber Essentials.
In addition to the Cyber Essentials certification services, CREST Cyber Essentials certifying bodies provide a range of services to help organisations better manage their cyber-security risks. These services include:
• Penetration testing
• Security audit and compliance
• Security policy
• Security architecture
• Cyber-security incident response.
The first stage in the certification process is to decide which level to certify against – Cyber Essentials or Cyber Essentials Plus. Although there are only two certifications to consider now, an organisation should be aware that future levels are planned with an aim to further entrench the scheme into an organisation’s over-arching approach to information risk management, such as ISO 27001, and in accordance with the 10 Steps to Cyber-Security.
Once an organisation has been assessed against the Cyber Essentials security criteria and passes, it will receive the relevant Cyber Essentials award (badge), which demonstrates to existing and prospective customers, and other stakeholders, that it has achieved a fundamental level of cyber-security.
The certification levels are described here, along with the steps an organisation needs to follow.
The organisation defines the scope, which is made up of the systems it believes are at risk from Internet-based threats that use commodity capabilities. This includes network boundaries, location and management controls.
The organisation checks it is compliant with the requirements by responding to the Cyber Essentials questionnaire, which covers the steps for basic technical protection from cyber attacks. Having confirmed it is compliant, the Chief Executive Officer (CEO) signs the questionnaire attesting to its accuracy. This is then sent to a recognised body for review and, if appropriate, certification.
The organisation also undergoes an external vulnerability scan from the certifying body. This directly tests that the individual controls have been implemented correctly, or recreates various attack scenarios to determine whether a compromise with commodity capabilities can be achieved.
Certification at this level should be seen as a snapshot of the organisation or system at the time of assessment. It does not provide assurances that the controls will continue to be implemented correctly.
Having completed Cyber Essentials, which is a prerequisite to Cyber Essentials Plus, an organisation is now ready to undergo a more thorough assessment from a certifying body. This time the assessment is based on an internal vulnerability scan of the system(s) in scope. Once again, this directly tests that the individual controls have been implemented correctly, or recreates various attack scenarios to determine whether a compromise with commodity capabilities can be achieved.
Certification at this level should again be seen as a snapshot of the organisation or system at the time of assessment. It does not provide assurances that the controls will continue to be implemented correctly.