This webinar covers:
-The Cyber Essentials scheme
-New Scottish cyber resilience strategy
-The certification process
-Key benefits of the scheme
A recording of the webinar can be found here: https://www.youtube.com/watch?v=GG5wSLA2PPI&t=80s
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotland and the rest of the UK
1. Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotland and the rest of the UK
Presented by:
• Alastair Stewart, Qualified Security Assessor
• IT Governance
• 28 February, 3:00pm – 3:45pm
2. Introduction
• Overview of presenter expertise:
• Alastair Stewart
• PCI Qualified Security Assessor
• Associate of (ISC)2 for CISSP
• Been at ITG for 4.5 years
• MSc Information Management and Security
• BSc Computer Security and Forensics
Copyright IT Governance Ltd - v 0.1
4. Today’s Discussion
• The Cyber Essentials scheme
• New Scottish cyber resilience strategy
• The certification process
• Key benefits of the scheme
• Why use IT Governance
5. What is Cyber Essentials?
• A world-leading, cost-effective assurance mechanism for companies of all sizes to help demonstrate to customers and other stakeholders that the most important basic cyber security controls have been implemented.
• Addresses five key control areas that, when implemented correctly, can prevent around 80% of common cyber attacks.
• Two levels of certification to choose from: Cyber Essentials and Cyber Essentials Plus.
6. The five key control areas
• Boundary firewalls and Internet gateways
• Secure configuration
• Access control
• Patch management
• Malware protection
7. The cyber security and resilience strategies
• Developed as part of the UK Government’s national cyber security strategy since June 2014.
  • Now forms a key part of the Scottish cyber resilience strategy.
• Certificate required to work with the UK Government directly.
• Cyber Essentials Plus is required to work with the MoD unless your Defence Cyber Protection Partnership (DCPP) requirement is very low.
  • Annual renewal is recommended, but a must when working with government and the MoD.
8. Scottish cyber resilience strategy – Public sector action plan
• The Public Sector Action Plan has been developed in partnership by the Scottish government and the National Cyber Resilience Leaders’ Board (NCRLB).
• Sets out the key actions that public bodies and key partners will take up to the end of 2018 to enhance cyber resilience in Scotland’s public sector.
• 11 key actions; two of these, Actions 4 and 11, directly relate to Cyber Essentials and have important deadlines.
9. Scottish cyber resilience strategy – Key action 4
“The Scottish government will support Scottish public bodies to ensure they have appropriate independent assurance that critical technical controls are in place to protect against the most common cyber threats by the end of October 2018.
Funding will be made available to support all public bodies to undergo a Cyber Essentials “pre-assessment” by the end of March 2018, with a view to: a) promoting a common approach wherever possible, and b) ensuring well-founded senior-level decisions are made on the most appropriate way of achieving assurance that critical controls are in place.”
10. Scottish cyber resilience strategy – Key action 4
Important deadlines
• End of March 2018: Undergo Cyber Essentials “pre-assessment” funded (to defined limits) by Scottish government.
• End of April 2018: Take board/senior management-level decision on whether to pursue Cyber Essentials or Cyber Essentials Plus certification.
• End of October 2018: Achieve Cyber Essentials or Cyber Essentials Plus certification.
11. Scottish cyber resilience strategy – Key action 11
“The Scottish government will put in place an effective monitoring and evaluation framework to help assess progress against this action plan and, once developed, the Scottish public-sector cyber resilience framework.”
12. Scottish cyber resilience strategy – Key action 11
Important deadlines
• End of June 2018: Provide one-off written assurance at board/senior management level confirming that you have (i) undergone a Cyber Essentials pre-assessment, (ii) taken a decision on whether to seek Cyber Essentials or Cyber Essentials Plus, and (iii) the expected timelines for achieving this.
• End of October 2018: Provide one-off written confirmation that Cyber Essentials or Cyber Essentials Plus certification (or, exceptionally, alternative independent assurance) has been achieved.
13. IT Governance – Cyber Essentials solutions
• Included in the Cyber Essentials packages
• Also included in the Cyber Essentials Plus packages
Includes a report that satisfies the pre-assessment requirements outlined in Key action 4.
14. IT Governance: certification process
Cyber Essentials: self-assessment questionnaire (SAQ) → external vulnerability scan
Cyber Essentials Plus: self-assessment questionnaire (SAQ) → external vulnerability scan → internal vulnerability scan and on-site assessment
Define the scope to be assessed by IT Governance
• Whole organisation or segmented managed unit.
Self-assessment questionnaire (SAQ)
• 52 questions across the five controls.
• You need to pass each section.
External vulnerability scan
• Full TCP port and top UDP service scan for the stated IP range.
• Includes a basic web application scan.
Internal vulnerability scan and on-site assessment (Cyber Essentials Plus)
• Scan and test of the security and anti-malware configuration of each device type/build.
• Checks patch levels and resistance to malicious emails and web-downloadable binaries.
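The SAQ is passed section by section, so a public body preparing for the pre-assessment in Key action 4 benefits from knowing in advance which of the five control areas any in-scope device would fail. The script below is an added illustration of such a readiness self-check; it is not IT Governance's questionnaire, portal or scanner, and the inventory fields, the 14-day patch window and the 7-day signature window are assumptions chosen for the example, not the scheme's official criteria. The device records are constructed sample data.

```python
"""Readiness self-check over a constructed device inventory, grouped by the
five Cyber Essentials control areas. Added example; thresholds and inventory
fields are assumptions, not the scheme's official requirements."""
from dataclasses import dataclass
from datetime import date

# The five control areas named by the scheme.
CONTROLS = (
    "Boundary firewalls and Internet gateways",
    "Secure configuration",
    "Access control",
    "Patch management",
    "Malware protection",
)

# Assumed thresholds for this illustration only.
MAX_PATCH_AGE_DAYS = 14
MAX_SIGNATURE_AGE_DAYS = 7


@dataclass
class Device:
    """One in-scope device as recorded in a (constructed) asset inventory."""
    name: str
    firewall_enabled: bool
    default_credentials_changed: bool
    unused_services_disabled: bool
    admin_accounts: frozenset        # accounts holding administrative rights
    daily_use_accounts: frozenset    # accounts used for email and browsing
    critical_patches_pending: int
    last_patched: date
    anti_malware_installed: bool
    signatures_updated: date


def assess_device(dev: Device, today: date) -> dict:
    """Map a device's recorded state to the control sections it would fail.

    Returns {control_name: [reason, ...]} holding only the failing sections.
    """
    failures = {c: [] for c in CONTROLS}

    if not dev.firewall_enabled:
        failures[CONTROLS[0]].append("host firewall disabled")

    if not dev.default_credentials_changed:
        failures[CONTROLS[1]].append("default credentials still in use")
    if not dev.unused_services_disabled:
        failures[CONTROLS[1]].append("unused services left enabled")

    # Everyday work from an administrative account defeats the separation
    # the access-control area asks for.
    shared = dev.admin_accounts & dev.daily_use_accounts
    if shared:
        failures[CONTROLS[2]].append(
            f"admin accounts used for daily work: {sorted(shared)}")

    patch_age = (today - dev.last_patched).days
    if dev.critical_patches_pending and patch_age > MAX_PATCH_AGE_DAYS:
        failures[CONTROLS[3]].append(
            f"{dev.critical_patches_pending} critical patches pending for {patch_age} days")

    if not dev.anti_malware_installed:
        failures[CONTROLS[4]].append("no anti-malware product installed")
    elif (today - dev.signatures_updated).days > MAX_SIGNATURE_AGE_DAYS:
        failures[CONTROLS[4]].append("anti-malware signatures out of date")

    return {c: r for c, r in failures.items() if r}


def assess_inventory(devices, today: date) -> dict:
    """Aggregate per-device failures by control section.

    A section passes only when no in-scope device fails it, mirroring the
    'you need to pass each section' rule of the questionnaire.
    """
    report = {c: [] for c in CONTROLS}
    for dev in devices:
        for control, reasons in assess_device(dev, today).items():
            report[control].extend(f"{dev.name}: {r}" for r in reasons)
    return report


def sections_passed(report: dict) -> list:
    """Control areas with no failing device, in scheme order."""
    return [c for c in CONTROLS if not report[c]]


# Constructed sample inventory (hypothetical hosts, not real assets).
TODAY = date(2018, 3, 1)
SAMPLE_DEVICES = [
    Device("laptop-01", True, True, True, frozenset({"admin"}), frozenset({"alice"}),
           0, date(2018, 2, 20), True, date(2018, 2, 28)),
    Device("laptop-02", True, False, True, frozenset({"admin"}), frozenset({"admin"}),
           3, date(2018, 1, 10), True, date(2018, 2, 28)),
    Device("kiosk-01", True, True, False, frozenset(), frozenset({"kiosk"}),
           0, date(2018, 2, 27), False, date(2018, 1, 1)),
]

if __name__ == "__main__":
    result = assess_inventory(SAMPLE_DEVICES, TODAY)
    for control in CONTROLS:
        print(("PASS" if not result[control] else "FAIL"), control)
        for line in result[control]:
            print("      -", line)
```

Because the report is keyed by control area rather than by device, the output reads like the sectioned questionnaire: one unpatched laptop is enough to fail the patch management section for the whole scope, which is exactly the outcome the board-level decision in Key action 4 should anticipate.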
15. Benefits of Cyber Essentials
• Protected against 80% of common cyber attacks
• Demonstrate security and secure supply chain
• Drive business efficiency
• Increase chances of securing business
• Work with the UK/Scottish Government and MoD with CE+
• Potentially reduce cyber insurance premiums
16. Why choose IT Governance?
Conduct the entire certification process online, without any expert cyber security knowledge, with our Cyber Essentials portal.
As we are a CREST-accredited certification body, you will benefit from the added level of independent verification of your cyber security status provided by an external vulnerability scan.
We provide all the tools and resources needed to achieve CREST-accredited certification at both levels of the Cyber Essentials scheme.
We deliver all the technical tests and assessments, conducted by our experienced, CREST-accredited testers. We do not outsource any of the services required to achieve certification.
We have six packaged solutions available to support companies with varying levels of experience through the Cyber Essentials or Cyber Essentials Plus certification process.
Having led ISO 27001 implementations since the inception of the standard, our strong global cyber security presence gives us the knowledge and insight to help you take the next steps beyond Cyber Essentials.
17. Next steps
• Free Download: Scottish Public-Sector Action Plan 2017-18: Summary and compliance guidance
  https://www.itgovernance.co.uk/resources/green-papers/scottish-public-sector-action-plan
• Review our Cyber Essentials packages:
  https://www.itgovernance.co.uk/solutions-for-ces-certification
Call us: +44 (0)333 800 7000
Email us: servicecentre@itgovernance.co.uk
Visit our website: www.itgovernance.co.uk
Like us on Facebook: /ITGovernanceLtd
Follow us on Twitter: /itgovernance
Join us on LinkedIn: /company/it-governance