Cyber Essentials Plus: 2020

Cyber Essentials Plus is the highest level of certification offered under the Cyber Essentials scheme, an official UK wide, government-backed certification that helps companies guard against the most common cyber threats.

When working with my clients, one of the first things I try to ascertain is whether they are confident they’re covered against common threats. And secondly, whether they’re covered against common threats specific to their business type. For instance, if you’re the IT leader of a utilities company, you’ll need to consider the threat of potential attacks from activists looking to thwart your operations. Whereas, if you work within a bank, you’ll obviously need to focus on criminals looking to get hold of your customers’ bank details.

However, the behaviour I see most often in clients is comparative to that of a housing tenant who spends huge amounts of time and effort frantically tidying up ahead of a landlord inspection every quarter! A lot of stress could be avoided if there was a change in their approach, and if they kept things organised all year round…

In June 2019, the NCSC announced a review of the Cyber Essentials Plus to simplify accreditation, followed by the appointment of IASME as the sole accreditation body for new certifications from 31st March 2020. In this blog, I will cover 2 key things. Firstly, the changes we are now aware of with Cyber Essentials Plus and secondly, my view on how to assess the impact of these changes when thinking on your own organisation’s readiness to guard against cyber threat.

In the first instance, the good news is that the certification criteria is not changing. The NCSC reviewed the five technical controls and agreed these are still relevant

The five controls of certification:

1. Boundary Firewalls & Internet Gateway

2. Secure Configuration

3. Access Control

4. Malware Protection

5. Patch Management

What is changing however is the assessment methodology and to help you, I’ve detailed below the 4 key changes and the upside vs the downside based on our Cyber Essential Plus customer experience.

Changes in Assessment Methodology

1. Assessment Methodology Change 1 – Device Models, if different (such as Lenovo T490, and Lenovo T480) need their own gold build images, and each needs testing.

• Upside - Academically, this is about best practice as device variance even of a single model can have intrinsic differences, down to levels of different drivers, hardware specification that can be individually vulnerable and not covered in a gold build image of a different model.
• Downside – More preparation for certification and a longer process, for customers who have a range of devices that vary even by a single model. There is some work to be saved in having very similar gold build images but in our experience, it is more common for customers to have a diverse range of devices to cover different user needs

2. Assessment Methodology Change 2 – Any non business essential software must be removed from devices. Examples are ‘bloatware’ such as Candy Crush saga or Xbox console companion application for Windows 10. If present and not required, this will be an immediate certification fail.

• Upside – This will limit the attack surface of a device and ensure only business required software and applications are operational on the device. Bloatware can sometimes be included in operating systems as standard so it’s important to ensure they’re not left dormant and potentially present a point of entry to a malicious threat act
• Downside – This is not the easiest to achieve. Candy Crush saga and Xbox console companion are included in standard windows 10 OS builds and are not the easiest to remove if at all. Technically now surplus software and an automatic fail.

3. Assessment Methodology Change 3 – If the first testing process registers a fail, the organisation has two days to remediate otherwise the certification process must be restarted.

• Upside – Little upside and points more to a tighter and more rigorous pre-certification process to avoid the inevitable duplication of cost should the process need to be restarted.
• Downside – For some fails, two days is not a lot of time if your scope is large or the fail is due to a complex issue, and can make the assessment process more challenging. An example would be where more gold images are in testing, the likelihood of an issue is increased, so time set to fix those issues is potentially insufficient.

4. Assessment Methodology Change 4 – all certificates will be only valid for 12 months. For any certificates issued before 1st April 2020 will expire 12 months from issue and be removed from the Cyber Essentials Site unless recertified under the new standard.

• Upside – More formal certification standards such as ISO27001 etc. already have annual validation audits. This allows the organisation to operate in compliance with the standard, and ensures a more accurate and timely representation of security best practice.
• Downside – Minimal for most customers. As much as 90% of certified organisations do follow the current recommended annual revalidation date on their certificates so this change will only really affect organisations that are yet to implement this as standard practice.

How Softcat Supports Cyber Essentials Plus

Customers looking to certify against Cyber Essentials Plus, can look forward to working with our expert consultants to prepare them for certification with our Cyber Essentials Plus Service. This includes our intuitive gap analysis tool and leading industry certification partners to conduct the test, and issue your certificate.

Whilst Cyber Essentials Plus is a good start in validating the security of your supply chain, it is not complete on its own. For customers who want to ensure the best security posture within their supply chain, Softcat can work with your organisation to define supplier security criteria, evidence collection and relevant auditing to demonstrate proper due diligence against this complex security risk. Our Governance, Risk, and Compliance Service, provides Softcat consultants who will understand your supply chain, what security certifications are needed, information and contract requirements you require and architect a policy, process or framework that is right for your needs.

Summary

Overall, good upgrades in standards and best practice which will increase the prevalence of Cyber Essentials Plus in the market.

Previously, with methodology diluted across five accreditation bodies plus much larger number of certification bodies, there was a higher risk of confusion and difference of opinion in how to certify, what was and wasn’t acceptable and where certain lines can be drawn.

These changes will strengthen the impact of Cyber Essentials Plus certification as a sign of supply chain security confidence.