A step by step guide to preparing for and passing Cyber Essentials
Cyber Essentials is a UK government scheme designed to protect companies, whatever their size, against cyber attacks. The certification is straightforward and one of the first steps your company can take to protect your data and demonstrate to prospective clients that you take cyber security seriously.
Note that if you are a software company seeking a UK Government contract, certification is a mandatory requirement to bid.
The Cyber Essentials certification scheme was launched in 2014. In January 2022 the NCSC and IASME implemented an updated set of requirements for Cyber Essentials in response to the ever-changing cyber security challenges organisations face.
Cyber Essentials defines a set of five controls (measures that reduce risk) that your company must have in place in order to be certified. Once you have those, you can apply to an independent certification body that will verify that you have implemented the necessary controls.
How long will it take to achieve Cyber Essentials?
Cyber Essentials certification requires companies to submit a self-assessment questionnaire and provide evidence to support the answers provided. It is possible to get from application to certification within a day or two, depending on your current security setup and speed of action. However, most companies take 2-4 weeks to complete the assessment.
Need to achieve Cyber Essentials Quickly?
Follow this step-by-step guide and use Adoptech's automated tools.
1. Create Information Security Policies
Company policies are not just of interest to your staff and Cyber Essentials auditors. External stakeholders such as clients, prospective clients and investors will all be interested in viewing your company policies, since they provide a clear guide to the governance and culture of your company.
The following policies are required to achieve Cyber Essentials and demonstrate the controls your company has in place to mitigate cyber security threats:
- Information Security Policy conveys the high-level principles, processes and controls that your company maintains to secure your assets and data.
- Data Protection Policy outlines the approach your company will take to protect the personal data of customers, staff and other third parties. The policy also outlines your company's compliance with data protection regulation such as GDPR. It educates staff on their responsibility to protect data and outlines the procedures that must be followed when collecting, storing and processing data.
- Website Privacy and Cookie Policy - you almost certainly have a website in place, therefore you should inform website visitors of the type of data you may collect, how you might use it and the processes in place to protect that data.
- Password Management Policy conveys to your staff the need to use well-thought-out passwords and the risks associated with poor password management and selection.
- Access Controls Policy details who may access information, what actions can be taken, and under what circumstances. This is one of the fundamental policies we recommend companies have in place from an early stage of growth.
Use the Adoptech platform and you will be guided on best practices that should be included in your policy. For example, it should state that only authorised staff are given access to sensitive information, and that access is granted on the Principle of Least Privilege (POLP). In addition, the policy should state that wherever available the use of multi-factor authentication (MFA/2FA) is enforced.
- Application and Network Security Policy raises awareness and outlines the processes implemented to reduce the likelihood of cyber attacks. This policy includes sections on malware, network security, vulnerability management, end-user devices and patch management.
Your security policies do not have to be long; what's important is that they convey the message in a clear and simple manner. Your staff need to quickly understand the controls in place, the processes that must be followed and their personal responsibility to help protect the company's data.
Further guidance on creating great company policies: Creating company policies
2. Clarify Responsibilities and Assign Ownership
Successfully securing your company's data requires all your staff to have a clear understanding of what they are responsible and accountable for.
For SME software companies, it may seem unnecessary to appoint a member of the team as the Data Protection Officer (DPO). However, it provides clarity to internal and external parties, ensuring that everyone knows who to contact for data protection related concerns. The DPO is also likely to be the individual responsible for completing and submitting your Cyber Essentials questionnaire. If you appoint a DPO, this should be clarified in your Data Protection Policy.
The person responsible for ensuring each company policy remains fit for purpose and that it is shared with appropriate staff should be clarified within each policy.
If you are using our compliance framework and/or policy generator, roles and responsibilities are easily managed with Adoptech.
3. Set up an Information Asset Register
In order to protect your company's data, software and devices you should maintain an information asset register that details all the places where data is stored or processed.
Information assets recorded in the register should be reviewed on a regular basis to ensure appropriate controls remain in place. Responsibility for updating and maintaining the register should be clarified within your company policies e.g. your Information Security Policy.
Maintaining the register helps to ensure you don't lose focus or control over the devices that can access your network and expose vulnerabilities in your security. For example, when was the last time you checked that you have the latest versions or patches in place across your software? A review of the register will trigger those updates.
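The register review described above can be partly automated. The following Python script is an added illustration and is not Adoptech's code or part of the original guide: it parses a small asset register (the CSV columns and the sample rows are constructed for this example), flags every asset whose last patch review is older than an assumed 90-day policy interval, and ranks the overdue assets so that confidential-data systems without automatic updates are dealt with first. The column names, the review interval and the classification scheme are all assumptions, not Cyber Essentials requirements.

```python
"""Flag overdue patch reviews in an information asset register.

Added example, not Adoptech's code. The CSV layout, the 90-day review
interval and the sample rows below are assumptions made for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample register: where data lives, who owns it, when its
# patch level was last reviewed, and whether it updates itself.
SAMPLE_REGISTER = """\
asset,owner,data_classification,last_patch_review,auto_updates
staff-laptop-01,alice,confidential,2024-05-02,yes
api-server-prod,bob,confidential,2024-01-15,no
marketing-site,carol,public,2024-02-10,yes
legacy-nas,dave,confidential,2023-11-30,no
"""

# Fixed "today" so the run is reproducible; a real review would use date.today().
REVIEW_DATE = date(2024, 6, 1)


def load_register(text):
    """Parse the CSV register into dicts, converting dates and yes/no flags."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_patch_review"] = date.fromisoformat(row["last_patch_review"].strip())
        row["auto_updates"] = row["auto_updates"].strip().lower() == "yes"
        rows.append(row)
    return rows


def overdue_assets(rows, today, max_age_days=90):
    """Return sorted asset names whose last patch review is older than the interval.

    Assets with auto-updates are not exempt: the review is what confirms the
    updates actually applied. The interval is an assumed policy value.
    """
    cutoff = today - timedelta(days=max_age_days)
    return sorted(r["asset"] for r in rows if r["last_patch_review"] < cutoff)


def priority_actions(rows, today, max_age_days=90):
    """Rank overdue assets: confidential data and no auto-updates score highest.

    Returns (asset, owner) pairs, highest risk first, so the action log entries
    (step 6 of the guide) already carry an owner.
    """
    overdue = set(overdue_assets(rows, today, max_age_days))
    ranked = []
    for r in rows:
        if r["asset"] not in overdue:
            continue
        score = int(r["data_classification"] == "confidential") + int(not r["auto_updates"])
        ranked.append((score, r["asset"], r["owner"]))
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return [(asset, owner) for _, asset, owner in ranked]


if __name__ == "__main__":
    register = load_register(SAMPLE_REGISTER)
    for asset, owner in priority_actions(register, REVIEW_DATE):
        print(f"patch review overdue: {asset} (owner: {owner})")
```

Run it as-is to see the three overdue entries; in practice you would export the register from wherever it is kept (a spreadsheet, your MDM or your cloud inventory) and feed that CSV in instead of the embedded sample.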
4. Install a Firewall
In short, a firewall provides a barrier between your private network and external networks such as the Internet. The firewall helps protect the services and applications running on your network against common web exploits and bots that may affect availability, compromise security, or consume excessive resources.
Don't assume that because you are running a modern SaaS web app hosted on AWS, GCP or Azure, firewall protection is built in. In most cases, web application firewalls are an added extra that you need to purchase and configure. The good news is that it is typically very quick and easy to add this additional layer of protection. If you are hosting a cloud-based web app you are likely to need one of these:
Whatever your network setup, ensure you have appropriate firewalls in place and that they remain up to date and configured to protect your network and block malicious traffic.
5. Install Anti-virus Software on all your devices
Anti-virus software is designed to scan for, detect and remove viruses from devices such as laptops and mobile phones. It can help protect against a wide variety of threats, including malicious software such as keyloggers, browser hijackers, Trojan horses, worms, rootkits, spyware, adware, botnets and ransomware.
Clients often ask "Do I really need Anti-Virus software?" or state "I'm using a Mac, I don't need anti-virus software".
6. Optional - Conduct Information Security Audits
It is important to regularly review the effectiveness of the information security controls you have in place by conducting internal security audits.
The aim of the security audit should be to identify opportunities to improve processes as well as reviewing your security posture to ensure the risks currently posed are within acceptable tolerance levels.
The Internal Security Audit Process
- Document the process that will be followed, detailing the objectives and scope of the audit. This should be no more than a short overview of the process.
- Complete a risk assessment. Review the Information Asset Register (detailed in step 3) and identify the current risks that could impact each asset. Consider whether the external risks have changed, e.g. the Log4j vulnerability.
- Conduct the internal audit. Evaluate the controls, policies and processes in place. This assessment should include members of the senior management team. Where risks are accepted (signed off), it should be noted who accepted the risk. Where risks need to be addressed, or changes need to be made to close gaps identified, these should be added to the action log.
- Create an action plan. Tasks added to the action log (firms typically use existing systems, e.g. Jira) must include a remediation plan, timeline and clear owner.
- Communicate the results of the audit. Where appropriate, share the results of the audit with teammates to ensure there is an awareness of the efforts being made to enhance your company's information security posture.
7. Book the Assessment
By implementing the steps outlined above your company will be well-prepared to pass Cyber Essentials.
The next step is to open a chat with a member of the team and we will liaise with our audit partner (CyberSmart) to book the audit.
You will then be asked to complete and submit a questionnaire which the certification body will verify. They may come back to you with some clarification questions and, once you have answered these, a decision will be reached about whether or not your answers meet the requirements for certification.
Success!
Once the certification body confirms you have passed, you will be awarded your Cyber Essentials certificate. You may use the logo on your website and marketing materials. Your certificate remains valid for one year, after which you will need to re-certify.
Conclusion
Achieving Cyber Essentials certification for a software company is typically very straightforward. It is a great way to start adopting best practices, it can significantly reduce your risk exposure, and it can open up sales opportunities.
Using the Adoptech platform, SME software companies achieve greater sales in less time by implementing automated, scalable governance and information security processes.
If you have any questions, open a chat with the team.