According to the UK Government, around 80% of cyber-attacks could be prevented if businesses put simple cyber security controls in place. However, not all organisations are getting these basics right. Only 58% have assessed themselves against the governments "10 Steps" cyber security guidance and only 30% of boards receive regular cyber security intelligence*.

The Cyber Essentials scheme is a key deliverable of the UK’s National Cyber Security Programme. Realising that the controls in the 10 Steps to Cyber Security were not being implemented effectively, and that no existing, individual standard met its specific requirement, the government developed the Cyber Essentials scheme. This scheme focuses on 5 key areas:

• Secure Configuration
  Implementing security measures when building and installing computers and network devices to reduce unnecessary vulnerabilities
• Boundary Firewalls and Internet Gateways
  Providing a basic level of protection where an organisation connects to the Internet.
• Access Control and Administrative Privilege Management
  Protecting user accounts and helping prevent misuse of privileged accounts.
• Patch Management
  Keeping the software used on computers and network devices up to date and resisting low-level cyber attacks
• Malware Protection
  Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware), including options for malware removal, which will protect your computer, your privacy and your important documents from attack.

*Department for Business and Innovation Skills Cyber Governance Health Check Jan 2015.

The Cyber Essentials scheme requires the completion of a self-assessment questionnaire which you will be guided through in an intuitive online process to ensure your application is compliant. The application will then be formally assessed. On successful assessment, you will receive a Cyber Essentials certificate.

Cyber Essentials Plus requires the above assessment along with a technical audit performed by a regulated auditor. Again, you will be guided through a step-by-step checklist leading up to the audit which can be carried out remotely or on-site, to make the process as quick and straight-forward as possible.

Crown Commercial Services

The Cyber Essentials scheme is mandatory for organisations handling personal information and providing certain ICT products and services to central government contracts. It is listed as a requirement to gain entry to many central government frameworks and has been mandated by the Crown Commercial Service since 2014.

MOD contracts and DEF STAN 05-138

Depending on the Risk level of a contract, the MOD can mandate certification to the Cyber Essentials scheme for the supplier.

MOD contracts are assigned one of five risk levels, which is determined on a per contract basis. These risk levels are: Not applicable, Very Low, Low, Moderate and High.

Only contracts with no MOD Identifiable Information can be classed as "Not applicable". Contracts that involve handling "Secret" or "Top Secret" information are expected to be classed as Moderate or High.

Not applicable – No certification requirements, but Cyber Essentials recommended as good practice

Very Low – Maintain Cyber Essentials certification

Low –Maintain Cyber Essentials Plus and 16 additional controls

Moderate – Cyber Essentials Plus, with thesame requirements as Low, but with 16 additional controls

High – Cyber Essentials Plus, with the same requirements as Moderate and Low, but with 12 additional controls

Full details of all of the controls can be found in DEF Stan 05-138 here.