The Government-backed Cyber Essentials (CE) scheme is useful for organisations of all sizes: it demonstrates a commitment to cyber security and equips the organisation with the basic technical controls and knowledge needed to defend the business against common cyber attacks. Organisations that achieve Cyber Essentials and renew it every year also build trust with customers and other stakeholders. As the threat of cyber attacks grows, more and more businesses are working towards CE certification to bolster their defences.
During Cyber Essentials certification, an organisation will come into contact with a variety of people and external organisations involved in the process. These include Cyber Essentials assessors (also called auditors), licensed Certification Bodies, Assured Service Providers and Cyber Advisors. In this article we explore what each of these parties does and what sets them apart from one another.
Certification Bodies
A Cyber Essentials certification body is a licensed, approved and registered organisation that is able to certify organisations against the Government's Cyber Essentials scheme. IASME, an NCSC Strategic Delivery Partner, operates the Cyber Essentials and Cyber Advisor schemes, and licensed certification bodies and advisors are listed on the IASME website. With certification bodies located throughout the UK, organisations can find one that suits them, whether that is based on location or on sector specialism.
CE Assessors
CE assessors are roles within a certification body and are recognised by IASME. To become an accredited assessor, an individual must have three years' experience in the IT or cyber security sector and must pass the Assessor Skills exam. The assessor's role is to mark the assessments of organisations going through the certification process; they are qualified to assess against both Cyber Essentials and Cyber Essentials Plus, and they are the individuals who determine whether an organisation meets the requirements for CE or CE Plus certification.
Assessors are sometimes referred to as Cyber Essentials auditors because of the role they play in the Cyber Essentials Plus process. For the basic Cyber Essentials self-assessment, the assessor marks the organisation's answers to a questionnaire. For Cyber Essentials Plus, the assessor must also run a set of technical tests against the organisation's systems to verify that the Cyber Essentials requirements are actually met, which is why the term "auditor" is used.
Depending on your preference, you can either contact the certification body you would like to work with directly or enter your details into the Cyber Essentials pool, from which you are allocated a certification body at random.
Cyber Advisors
The Cyber Advisor scheme is a relatively new scheme set up by the NCSC. Its purpose is to connect organisations with practical support and cyber security guidance from qualified security experts. The scheme was set up in particular for small and medium-sized businesses, which are the least likely to have the in-house resources or skills to implement the technical controls needed for a successful Cyber Essentials submission. A Cyber Advisor assists throughout implementation, helping the business bolster its security defences and achieve Cyber Essentials certification.
All Cyber Advisors have passed an independent assessment confirming that they understand the Cyber Essentials principles, are skilled enough to provide hands-on support and can work closely with small and medium-sized businesses.
Assured Service Providers
IT and security companies that have staff certified as Cyber Advisors and would like to offer this as a service must become an Assured Service Provider. The organisation must meet a set of requirements covering both security and quality of customer service; for example, an Assured Service Provider needs to hold Cyber Essentials certification itself and MUST employ a Cyber Advisor.
To Conclude:
Each position associated with Cyber Essentials has its own role and responsibilities in supporting and certifying organisations that hope to achieve Cyber Essentials certification. Understanding how each can support a business gives a clearer picture of CE and CE Plus and of where to turn for help, and overall helps to increase the number of UK businesses that are awarded certification.