What is Cyber Essentials?
Cyber Essentials is a government-backed cyber security certification scheme. Achieving certification verifies that an organisation has acceptable cyber protection in place across both policy and practice.
There are two levels of certification:
- The base level of Cyber Essentials certification is a verified self-assessment designed to identify basic issues and address the most common risks.
- The second level of certification, Cyber Essentials Plus, has the same technical requirements as the base level, but there is an additional hands-on technical verification by an independent assessor to confirm compliance.
What does Cyber Essentials require?
Cyber Essentials sets out required controls under five technical themes:
- Firewalls and network security
- Secure configuration
- Security update management
- User access control
- Malware protection
Those headings may appear simple; if so, the appearance is deceptive. Between them, they cover a full range of network, system and user management, and the requirements under each are both detailed and demanding. For more information, you can download the full self-assessment and requirements.
Can I obtain Cyber Essentials certification?
The nature of an academic network, and the size and complexity of the Department’s activity, would make Cyber Essentials certification for the whole Department an impossible challenge. However, it is now common for grants and collaborations to require Cyber Essentials certification. In the last year, ICS have been able to successfully reconcile those two facts. By limiting the scope of assessment to only the systems, users, software and services necessary for a project, and by finding solutions to the challenges involved, we have achieved certification in the past, and we can aim to do so for more projects in the future.
What do I need to do?
If you need to obtain certification for a specific project or grant, the most important thing you must do is to start early. Planning the scope of the assessment, procuring and configuring required equipment and software, configuring the network, completing the self-assessment, booking the independent assessor, going through the assessment and awaiting the result… Together, these things take time. If you are looking to obtain Cyber Essentials certification for your project, we recommend allowing 6 months.
The UIS have also provided some general advice around preparing for Cyber Essentials.
Please note that there is a cost to obtaining certification. Depending on the scope, the base Cyber Essentials certification might cost £320-600. Cyber Essentials Plus will cost significantly more.
Contact us
If you are looking to obtain Cyber Essentials certification, please contact helpdesk@eng.cam.ac.uk.