Cyber Essentials

CREST supports UK Government Cyber Essentials scheme

A primary objective of the UK Government’s National Cyber Security Strategy is to make the UK a safer place to conduct business online.  CREST has been engaged by CESG, the Information Security arm of GCHQ, to develop an assessment framework to support the Government “Cyber Essentials” scheme, which forms a key deliverable of this strategy.

The Cyber Essentials scheme identifies some fundamental technical security controls that an organisation needs to have in place to help defend against internet-borne threats.

By deploying these controls, organisations can defend against the most common forms of basic cyber attack emanating from the Internet.

Selected by industry experts, the technical controls within the scheme reflect those covered in well-established standards, such as the ISO/IEC 27000 series, the Information Security Forum’s Standard of Good Practice for Information Security and the Standard for Information Assurance for Small and Medium Sized Enterprises.

What does the Cyber Essentials scheme address?
The Cyber Essentials scheme provides guidance to help organisations of all sizes measure their defences against common forms of cyber attack.  The systems that fall under the scope of the Cyber Essentials scheme include Internet-connected end-user devices (desktop PCs, laptops, tablets and smartphones) and Internet-connected systems (e.g. email, web and application servers).

Further information on the controls required for basic technical cyber protection can be found on the government website at https://www.gov.uk/government/publications/cyber-essentials-scheme-overview

Where does CREST fit in?
CREST worked closely with CESG to develop the technical Cyber Essentials assessment framework for the Cyber Essentials scheme, based on the initial specification created by the ISF.

CREST, through its membership, planned, conducted and reviewed the early Cyber Essentials pilot assessments and assembled a forum of industry and technical experts to build an assessment framework that is optimised for the Cyber Essentials scheme.

In order for the Cyber Essentials scheme to be successful and be adopted by industry, certification services must be procured from a trusted organisation utilising knowledgeable, skilled and competent individuals.  There are appropriate codes of conduct in place that are tied to a complaints and arbitration process.

The preliminary work undertaken by CREST and its team of experts defined the policy, procedures and requirements of companies that can provide certification services under the Cyber Essentials scheme.  CREST also produced syllabus areas and examination structures for both the organisation and individuals providing services under the Cyber Essentials scheme.  Through detailed discussion with service providers, private sector organisations and government, CREST produced:

  • Certification Company requirements and standards
  • Syllabus and assessment processes for individuals responsible for undertaking the certification activities
  • Certification criteria
  • Assessment tools specification and reporting standards
  • Procedures for management of the scheme, complaint handling and arbitration


How to become a Cyber Essentials Certifying Body under CREST

To become a certifying body for Cyber Essentials under CREST, a company needs to be a member of CREST. The first step in that process is for a mutual NDA to be signed, which will allow the membership application form to be released.  Our membership process, including subscription details, can be found here.  Please email [email protected] to start this process.

Further information on the Cyber Essentials scheme is also available on our Cyber Essentials website at www.cyberessentials.org.


Next steps

BIS has published the Cyber Essentials requirements document, which all organisations are free to implement, and a draft assurance framework has been published.

Whilst organisations are free to implement the requirements within their organisation, some may want or need to gain independent assurance that they have fully implemented the controls.

The assurance framework enables organisations to be independently assessed by trusted organisations that have access to suitably skilled, knowledgeable and competent individuals.  Both company and individuals will have signed up to enforceable and meaningful codes of conduct.  The framework will also provide confidence that the controls defined in the scheme have been implemented correctly.

Further details of the Cyber Essentials scheme, along with a series of FAQs, are available at https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.