
A new Government certification to provide cyber security assurance

18 June 2014

The launch of the Government’s new certification and guidance scheme will enable businesses to demonstrate compliance with cyber security practices.

In light of recent headlines about organisations such as eBay exposing customers’ information to cyber threats, businesses are putting cyber security measures to the front of their agendas, so as to be able to demonstrate their cyber security stance and compliance.

The Cyber Essentials Scheme (CES) has been developed by the Department for Business Innovation and Skills (BIS) in response to its 10 Steps to Cyber Security Initiative.

Industry bodies, including the Information Security Forum and the British Standards Institution, have provided input into how the CES should be implemented.

The CES is intended to fulfil two functions:

  1. it provides a clear statement of the basic controls that all organisations should implement to mitigate the risk from common internet based threats, and 
  2. it offers a low cost mechanism for all organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.

Previously there had been no such recognised cyber security certification assurance for all businesses to adopt. The CES is open now and is applicable and available to all organisations, of all sizes and in all sectors. BAE Systems, Barclays and Hewlett-Packard are among the first companies to apply for the CES certification.

The CES provides guidance on 5 key controls:


Cyber Essentials:

• awarded on the basis of a verified self-assessment via a questionnaire approved by a senior executive, e.g. a CEO

• the questionnaire is verified by an independent Certification Body to assess whether an appropriate standard has been achieved and whether certification can be awarded, and

• a basic level of assurance, achieved at low cost.

Cyber Essentials Plus:

• a higher level of assurance through external testing of the organisation’s cyber security approach, and

• more expensive.

The two options give businesses the choice over the level of assurance they wish to get, taking into account cost considerations.

Costs will be set by the individual Certification Bodies (working in competition with each other), allowing market forces to set rates, depending on the size of the organisation and the level of rigour required.

On successful completion of the assessment process, a certificate will be awarded with the appropriate badge. 

However, the CES can only be effective as a “snapshot” in time as at the day of assessment, and therefore businesses will need to keep their technology and security up to date to keep the certification.

At a minimum, to retain the certification badge organisations must recertify at least once a year.

The Government believes that implementation of the CES can significantly reduce an organisation’s vulnerability, but it is not designed to address more advanced, targeted attacks, for which additional security measures may need to be implemented to deal with such risks.

Nevertheless, the new certification should increase the confidence of consumers that businesses have defences in place to protect against common cyber threats, together with giving businesses a competitive advantage over others and boosting their reputation.

For example, from 1 October 2014, the Government will require all suppliers bidding for certain contracts which are assessed as higher risk to be Cyber Essentials certified.

This article was written by Vanessa Barnett.

For more information contact Vanessa on +44 (0)20 7203 5228 or vanessa.barnett@crsblaw.com