When working with my clients, one of the first things I try to ascertain is whether they are confident they’re covered against common threats, and secondly, whether they’re covered against the common threats specific to their business type. For instance, if you’re the IT leader of a utilities company, you’ll need to consider the threat of attacks from activists looking to disrupt your operations, whereas if you work within a bank, you’ll obviously need to focus on criminals looking to get hold of your customers’ bank details.
However, the behaviour I see most often in clients is comparable to that of a housing tenant who spends huge amounts of time and effort frantically tidying up ahead of a landlord inspection every quarter! A lot of stress could be avoided if they changed their approach and kept things organised all year round…
In June 2019, the NCSC announced a review of Cyber Essentials Plus to simplify accreditation, followed by the appointment of IASME as the sole accreditation body for new certifications from 31st March 2020. In this blog, I will cover two key things: firstly, the changes we are now aware of with Cyber Essentials Plus, and secondly, my view on how to assess the impact of these changes when thinking about your own organisation’s readiness to guard against cyber threats.
In the first instance, the good news is that the certification criteria are not changing. The NCSC reviewed the five technical controls and agreed these are still relevant:
1. Boundary Firewalls & Internet Gateway
2. Secure Configuration
3. Access Control
4. Malware Protection
5. Patch Management
What is changing, however, is the assessment methodology. To help you, I’ve detailed below the four key changes, and the upside versus the downside of each, based on our Cyber Essentials Plus customer experience.
1. Assessment Methodology Change 1 – Different device models (such as a Lenovo T490 and a Lenovo T480) each need their own gold build image, and each image needs testing.
2. Assessment Methodology Change 2 – Any non-business-essential software must be removed from devices. Examples are ‘bloatware’ such as Candy Crush Saga or the Xbox console companion application for Windows 10. If such software is present and not required, this will be an immediate certification fail.
3. Assessment Methodology Change 3 – If the first testing process registers a fail, the organisation has two days to remediate; otherwise the certification process must be restarted.
4. Assessment Methodology Change 4 – All certificates will be valid for 12 months only. Any certificate issued before 1st April 2020 will expire 12 months from issue and be removed from the Cyber Essentials site unless recertified under the new standard.
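Change 2 is the one most often caught late, because consumer apps are provisioned into Windows 10 images and come back for every new user profile. The following PowerShell is an added example, not code from Softcat, IASME or the NCSC, that audits a device (or a gold build image, one per model, as Change 1 requires) for packages matching a prohibited list and reports a pass or fail before the assessor does. The package-name patterns for Candy Crush Saga and the Xbox console companion app are assumptions for illustration; replace them with your organisation’s own approved-software list.

```powershell
# Added example: audit a Windows 10 device for non-business-essential AppX packages
# ahead of a Cyber Essentials Plus test. Not Softcat/NCSC code.
# The patterns below are assumed for illustration; maintain your own list.
$ProhibitedPatterns = @('*CandyCrush*', '*king.com*', '*XboxApp*')

function Get-ProhibitedAppx {
    param([string[]]$Patterns = $ProhibitedPatterns)
    $found = @()
    foreach ($p in $Patterns) {
        # Packages installed in any user profile on this device
        $found += Get-AppxPackage -AllUsers -Name $p -ErrorAction SilentlyContinue |
            Select-Object Name, PackageFullName, @{n='Scope'; e={'Installed'}}
        # Packages provisioned in the image: these are re-installed for every
        # new user unless removed from the image as well
        $found += Get-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $p } |
            Select-Object @{n='Name'; e={$_.DisplayName}},
                          @{n='PackageFullName'; e={$_.PackageName}},
                          @{n='Scope'; e={'Provisioned'}}
    }
    return $found
}

function Invoke-BloatwareAudit {
    # Reports by default; -Remove remediates both installed and provisioned copies
    param([switch]$Remove)
    $hits = Get-ProhibitedAppx
    if (-not $hits) {
        Write-Output 'PASS: no prohibited packages found'
        return
    }
    $hits | Format-Table -AutoSize
    if (-not $Remove) {
        Write-Output 'FAIL: prohibited packages present; re-run with -Remove or fix the gold build'
        return
    }
    foreach ($h in $hits) {
        if ($h.Scope -eq 'Installed') {
            Get-AppxPackage -AllUsers -Name $h.Name | Remove-AppxPackage -AllUsers
        } else {
            Remove-AppxProvisionedPackage -Online -PackageName $h.PackageFullName | Out-Null
        }
    }
    Write-Output 'Remediated; re-run the audit to confirm a clean result'
}

Invoke-BloatwareAudit
```

Run it from an elevated PowerShell session, since `-AllUsers` and provisioned-package removal require administrator rights. The check is deliberately split into installed and provisioned scope: removing only the installed copy satisfies the device in front of you but not the next user to log on, which is exactly the kind of gap that turns into a fail and starts the two-day remediation clock in Change 3.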
Customers looking to certify against Cyber Essentials Plus can look forward to working with our expert consultants, who will prepare them for certification through our Cyber Essentials Plus Service. This includes our intuitive gap analysis tool and leading industry certification partners to conduct the test and issue your certificate.
Whilst Cyber Essentials Plus is a good start in validating the security of your supply chain, it is not complete on its own. For customers who want to ensure the best security posture within their supply chain, Softcat can work with your organisation to define supplier security criteria, evidence collection and relevant auditing to demonstrate proper due diligence against this complex security risk. Our Governance, Risk and Compliance Service provides Softcat consultants who will understand your supply chain, the security certifications that are needed and the information and contract requirements you have, and who will architect a policy, process or framework that is right for your needs.
Overall, these are good upgrades in standards and best practice, which will increase the prevalence of Cyber Essentials Plus in the market.
Previously, with the methodology diluted across five accreditation bodies plus a much larger number of certification bodies, there was a higher risk of confusion and differences of opinion in how to certify, what was and wasn’t acceptable, and where certain lines could be drawn.
These changes will strengthen the impact of Cyber Essentials Plus certification as a sign of supply chain security confidence.
We would love to hear any comments you have about this article!