Does Cyber Essentials involve any form of Risk Assessment?
A question that I posed to BIS and GCHQ at the ISO27001 User Group in August this year. The short answer was: "We're doing that bit for you".
The slightly longer but no less controversial answer would appear to be: "Risk management is the fundamental starting point for organisations to take action to protect their information. However, given the nature of the threat, Government believes that action should begin with a core set of security controls which all organisations – large and small – should implement. Cyber Essentials defines what these controls are." [from the Cyber Essentials Scheme, Summary, June 2014, Addressing the Threat, page 3].
So, no requirement for a risk assessment. But is that good news?
Should we care that Government is stepping in to define what 'core security' should be like in your organisation (assuming that you do some business with Government and want to continue doing so in the future)?
And is the 'cyber threat' serious enough to justify a Government Scheme?
Leaving aside the Media hype, I would recommend that you read Sir Iain Lobban, then Director GCHQ, who contributed a thought-provoking article entitled "Countering the cyber threat to business" to the Spring 2013 edition of the Institute of Directors Big Picture policy journal. Sir Iain outlines for a business audience in non-technical terms the nature and scale of the threat to businesses from cyberspace, why cyber security should be at the top of boards' agendas and the role GCHQ is playing in helping counter the threats. You can read the full article in the Spring 2013 back issue of Big Picture. Just follow the link on the IoD's website:
In my view, Cyber Essentials is long overdue. It's only likely to be a voluntary undertaking for most organisations unless they fall within the categories listed in Annex A of the Policy document (see above); hence, it is unlikely to be taken as seriously as it should be by the Boards of the UK's smaller enterprises, many of whom assume that they are too small to attract the interest of professional cyber criminals. They miss the point that they can be a gateway to confidential data held on their clients' computer systems. They also miss the point that a great deal of today's automated hacking software randomly identifies system vulnerabilities by attempting an intrusion via the Internet and then exploiting IT security weaknesses. The fact that few people have spotted your physical office address, or that your company website attracts low numbers of visitors, does not make you safe.
Rather, the opposite is generally true, because your sense of security is completely false. It follows that your cyber risk assessment processes and mitigation measures are likely to be equally unrealistic when it comes to understanding the nature of the threats posed to data on your systems.
Why do we need Cyber Essentials if ISO27001 is an option?
In simple terms: not enough organisations are ISO27001 certified, and, theoretically, the management system framework - however valuable - allows organisations to opt out of controls specified in Cyber Essentials.
In practice, few if any organisations adopting ISO27001 are likely to choose a control set that doesn't cover the fundamental technical issues; however, that's a story for another day. Cyber Essentials is here to stay.
The UK Government clearly believes that ISO27001 is simply too big and unwieldy a Standard for most organisations to invest in accredited certification. In my experience, the fear factor regarding ISO27001 adoption, especially when it comes to the risk assessment aspect and the selection of suitable information security controls, is not justified when the right expert help is available. However, the basic technical control set defined in the Cyber Essentials Scheme does fill an important 'gap in the market', enabling organisations, particularly SMEs, to understand and properly address the most important technical aspects of cyber security protection. It also fits nicely into IASME's wider governance approach to information assurance for smaller organisations. About which, more later.
Even then, of course, small organisations under 50 employees (including single-employee businesses), and even some medium-sized organisations, may need to obtain further guidance and support to ensure that the technical controls presented in these requirements can be implemented adequately.
What types of cyber threat does Cyber Essentials hope to combat?
Cyber Essentials focuses on basic cyber hygiene. The theory is: your organisation will be better protected from the most common cyber threats if you have a set of controls which, when properly implemented, comply with the scheme's requirements. These controls will provide organisations with protection from the most prevalent threats coming from the Internet. In particular, those resulting from malware and hacking strategies which require low levels of attacker skill, and which are widely available online.
The Scheme has two progressive levels: “Cyber Essentials” is an independently validated self-assessment submission, whilst “Cyber Essentials Plus” additionally requires a comprehensive, independent technical assessment to validate that the selected security controls have been implemented effectively.
Cyber Essentials is FREE to download and any organisation can use the guidance to implement the five essential security controls, but some may want or need to gain independent assurance that they have fully deployed the controls. Organisations that have been successfully independently assessed or tested through the scheme’s assurance framework will attain a Cyber Essentials certification badge. This will help you demonstrate to customers, partners or clients that your company takes cyber security seriously - boosting reputations and providing a competitive selling point.
Therefore, to sum up this introduction to the Cyber Essentials Scheme:
Cyber Essentials is relatively inexpensive compared to implementing ISO27001:2013 and does have significant attractive features for SMEs. The most obvious is that not all of your competitors in a particular market sector will be certified Cyber Essentials compliant and displaying the distinctive badge. Those who do are saying that they are good at protecting client data, at least at a basic level - make that a selling point.
Cyber Essentials offers a sound foundation of basic hygiene measures that all types of organisations in the UK can implement and potentially build upon. Government believes that implementing these measures can significantly reduce an organisation's vulnerability. However, it does not offer a silver bullet to remove all cyber security risk; for example, it is not designed to address the more advanced, targeted attacks and hence organisations facing these threats will need to implement additional measures as part of their security strategy. What Cyber Essentials does do is define a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes. As such, it has value.
If you would like more information and guidance about Cyber Essentials requirements, including how to prepare for and answer the questions in your self-assessment questionnaire and what to expect from the results of a Cyber Essentials penetration test, I will be writing about this subject in 2015 - so let me know that you are interested by posting a comment!
Next time: Cyber Essentials: Part III: How to address the detailed Technical Requirements of the Cyber Essentials Scheme with a look at all five Controls and the steps that you will need to take to gain certification.
This guest post was written by Michael Shuff. You can email him here. Find out more about Cognidox Document Management solutions for ISO standards-compliance by downloading our Information Security white paper at http://www.cognidox.com/cognidox/view/VI-403566-TM