Indelible Data offers a range of packages for Cyber Essentials certification.
There is a common misconception that Cyber Essentials is an easy to pass ‘box ticking’ exercise that does not hold its value in relation to threats. In reality, the certification can be challenging for those that are unprepared or have minimal IT support, writes Cyber Security Technologist Aidan Collins.
Put simply, if Cyber Essentials was so easy to pass – why do so many companies fail on the first submission?
Is it easy to pass Cyber Essentials?
Compared to other certifications, such as ISO27001, Cyber Essentials is not risk-based as it relies on a prescribed set of controls that an organisation must have in place.
First-time applicants have rarely implemented all the controls that Cyber Essentials requires. Instead, they attempt to describe compensating controls that are not sufficient.
The main area of technical failure in Cyber Essentials Basic submissions involves unsupported Firewalls, mobile devices and operating systems.
Many organisations operate on an ad-hoc basis for their non-technical controls and are therefore not compliant with the scheme:
- Documented policies are required for processes such as creation of user accounts, firewall password complexity, and privilege allocation;
- Cyber Essentials requires a formally documented policy in relation to whatever is being managed.
- Firewall policies and procedural controls are commonly overlooked despite being essential to the security of an organisation.
- Password changes must be formally documented along with a documented justification for any services allowed through the firewall.
The following list shows common technical areas of failure we find during Cyber Essentials Plus assessments:
- Lack of account separation:
- Development teams having local administrative access for day-to-day operations that include browsing the web and reading emails.
- Cloud users that can elevate to Administrator using the same account (via Privilege Access Management) – even if only for a defined period of time.
- Patching:
- Larger companies, in particular, may operate a 30-day patching regime that means they miss the 14-day window allowed by Cyber Essentials to update software with known critical or high vulnerabilities.
- A lack of software asset management often means that applications go unused, and unpatched, for long periods of time and are picked up by our vulnerability scanners.
Before beginning a Cyber Essentials Submission, it is useful to do some reading around the scheme and its requirements to prevent a back-and-forth over your assessment.
You can purchase Cyber Essentials and review our packages here.
The “Cyber Essentials Requirements for IT infrastructure” document is especially useful for first time applicants to get a feel for scheme and can be found here.