Get the Lowdown on the Big Changes to the Cyber Essentials Scheme
Whether you have a Cyber Essentials (or Cyber Essentials PLUS) certification or are thinking of applying for one, we explain the sweeping changes you should know.
What is the Cyber Essentials Scheme?
Cyber Essentials (CE) is a UK Government information assurance framework under the umbrella of the National Cyber Security Centre (NCSC). Organisations can earn two levels of certification (badges):
1. Cyber Essentials – you can self-assess the security of your IT, which is independently verified.
2. Cyber Essentials PLUS – your systems are tested by an approved third-party (a certification body, like Perspective Risk).
The benefits are plentiful, but in brief, a Cyber Essentials badge:
- Will help protect your organisation from cyber-attack.
- Shows your customers and prospective customers that you’re applying specific technical controls to safeguard their information and that you’re doing so in ways that meet recognised standards.
- Is mandatory if you want to do business with government organisations (and has been since October 2014).
Why is Cyber Essentials Changing?
With five Cyber Essentials accreditation bodies in the mix: CREST, APMG International, IRM, QG Management Standards and the IASME Consortium, there was confusion among organisations [working towards CE] and the certification bodies.
The commonly held view was that the accreditation bodies weren’t working to a consistent standard. If you were working with a certification body affiliated to CREST, for example, then you might have a different experience than if you were working with one affiliated to IRM.
Here’s what the NCSC had to say about it:
“Although Certification Bodies currently go through a process to ensure that they have the appropriate cyber security skills, knowledge and experience, this varies with the Accreditation Body they are affiliated to.”
What Are the Biggest Changes?
There are two significant changes. Firstly, instead of five accreditation bodies, the NCSC will be working with one partner – IASME. Note the use of the word ‘partner’ rather than an accreditation body. The relationship between the NCSC and IASME will be different; tighter and rooted. Let’s hear from the NCSC again:
“Working with a single partner allows us to define and implement a minimum standard of competence for everyone involved in implementing the scheme.
“IASME are working proactively with us to, amongst other things, measure the impact of the scheme, provide input to the standards so they keep pace with the evolving landscape and add additional services which will be of benefit to the end consumers.”
Secondly, all certificates issued under the new scheme will have a 12-month expiry date. Although organisations were encouraged to recertify annually under the old system, there was no automatic expiry date on certificates. Now, all badges issued before 30th June 2020 will expire on 30th June 2021.
And from 1st April 2020, new certificates will be issued with a 12-month expiry date.
”We have a great history of delivering Cyber Essentials under CREST, and are prepared to deliver under IASME,” said Madeleine Overton-Thickett, our Head of Cyber. “We’ve conducted over 1,500 assessments and are proud of the role we play in strengthening our clients’ cybersecurity.”
Crucial Dates and Other Cyber Essentials FAQs
The Cyber Essentials Scheme, as you know it, will continue to run until 31st March 2020. On 1st April 2020, we’ll bid farewell and thank you to the famous five (the original Cyber Essentials accreditation bodies) and hello to IASME.
IASME assumes full responsibility for Cyber Essentials delivery from 1st April 2020.
I’m considering applying for Cyber Essentials – how will my new application be handled?
IASME will oversee all new applications. If you’re looking for a certification body to help you achieve CE or CE PLUS, then you should check they’re certified by IASME. Happily, we already are and have the certificate to prove it.
I’m currently going through certification – what happens now?
If you haven’t completed your certification process by 1st April 2020, you have until 30th June 2020 to complete your application through your existing arrangement. After this date, certificates will be handled through IASME.
I’m in the process of recertifying – how do these changes affect me?
If you’re in the process of recertifying with one of the five existing accreditation bodies, then you should continue. If you’re planning to apply for recertification, then you can do so under the current arrangements until the end of March 2020.
If your recertification isn’t complete by 30 June, contact IASME for advice on next steps, or give us a call.
In summary, Cyber Essentials will be as valuable for your organisation as it’s always been, and arguably more so as these changes bed in.
If you’d like to learn more, browse the NCSC FAQs, read the IASME Consortium Announcement or contact us with your questions. You’ll find a team who are more than happy to give free advice and generous with their knowledge.
And if you’d like our help getting Cyber Essentials certified (or recertified), pop your details into the form on our Cyber Essentials and Cyber Essentials PLUS enquiry page and we’ll be in touch.