Cyber Essentials Plus and a Bit More

Cyber Essentials as a standard is now starting to mature, with almost 3,000 certifications now reported.

Cyber Essentials logo Cyber Essentials is largely a one-size-fits-all. You are either compliant, or you are not (with a small bit of “comply or explain” wriggle room). This is good for the purpose it was intended, and serves a baseline for all businesses.

This is now mandated for UK Government procurement, but when assessed for use in the Ministry of Defence’s supply chain it was considered the essentials were not enough.

The challenge however is different elements of the supply chain needed greater or lesser security. The solution being trailed is called the Defence Cyber Protection Partnership (DCPP) Cyber Security Model (CSM).

The model describes 4 risk levels, from Very Low up to High (plus a Not Applicable). For each of these a set of mandatory security controls is defined. Even at the Very Low end, Cyber Essentials is required. The higher the risk, the tighter the expected level of control.

Referring to my blog “The importance of having an Asset List”, it’s interesting to note that only at the Medium risk grade is an asset list mandatory – in the blog I argue you find the lower levels hard to do without one.

At the highest end of the CSM, there are controls such as “Proactively verify that the security controls are providing the intended level of security”; i.e., implementing security is not enough – you need to be able to demonstrate your controls are working.

The CSM approach is very much a ladder, you move up rung by rung from Cyber Essentials.

For something more bespoke and comprehensive there is the ISO 27001 based approach, in which you:

identify the business’s security objectives;
determine the risks;
then select a set of controls to mitigate those risks.

Effectively an a-la-carte approach to customise a solution, all wrapped in a security management system.

Within your business, you need to take control and determine the appropriate level of security, but please don’t be paralysed by indecision – at the very least start a Cyber Essentials programme.

The importance of having an Asset List

In July I attended and presented at the East Midlands Cyber Security Conference and Expo, at the National Space Centre in Leicester.

In their presentations, Derbyshire’s Assistant Chief Constable – Martyn Bates, Del Heppenstall – Director, KPMG, and Christian Toon – Cyber Security Specialist, PricewaterhouseCoopers LLP all mentioned in one way or the other the importance of maintaining an asset list.

In my presentation on Implementing Cyber Essentials, I also observed that while not a specific requirement of Cyber Essentials, in practice you will find it hard to manage a certified environment unless you have a good view of the complete list of assets.

If we take a look at the ISO 27001 standard for information security management systems, Section A 8.1.1 declares “Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained”.

So the evidence seems conclusive, if you care about security in your business, you really must make an asset list. Without one, how can you be sure the asset is suitably protected?

Why have I got an Intruder Alarm?

At home, I have invested in good quality locks on my doors and windows, conforming to the standard required by my insurance company. In addition to that I have also invested in an intruder alarm.

Continue reading “Why have I got an Intruder Alarm?” →

UK Public Procurement Policy Note 09/14

Now that’s a catchy headline to get your attention! What does it mean, and why blog about it on Cyber Matters?

In short, the policy note published by the Cabinet Office today (Sept 26 2014) says that from October 1^st, the Cyber Essentials Scheme is mandatory:

Continue reading “UK Public Procurement Policy Note 09/14” →

The Cyber Essentials Experience

This month the UK Government Cyber Essentials Scheme was launched.

Nexor committed to gaining Cyber Essentials certification, with Steve Kingan observing:

“I welcome the advent of the Cyber Essentials Scheme and believe it is an important development in improving the supply chain to HMG. Nexor has demonstrated that the Scheme can be straight forward to implement even for an SME. I am pleased that this new mark will become a mandated accreditation for all HMG suppliers of sensitive information technology procurements; and delighted that Nexor has been involved from the start of the Scheme.”

Continue reading “The Cyber Essentials Experience” →

IISP East Midlands: BIS Organisational Standards

On January 29, we held the second IISP meeting in the East Midlands, at the Institute of Directors in Nottingham, attended by close to 30 delegates.
The meeting was opened by Colin Powers with an introduction and explanation that some quick reshuffling of the agenda was in order as the main speakers train was running late. He also published the hash-tag #IISPEastMids, with delegates encouraged share their thoughts on the meeting live via twitter (these tweets are available as an archive).
Continue reading “IISP East Midlands: BIS Organisational Standards” →

Reaction to BIS Cyber Security Standard

Making an organisation cyber-secure is difficult. As a supplier, demonstrating to an external customer that you are cyber-secure is even more difficult. Conversely, as a customer how can you tell which organisations take it seriously?
Continue reading “Reaction to BIS Cyber Security Standard” →

Simple Information Assurance Maturity Model

A few months back I was tasked by the Nexor Board to carry out a fresh review of the cyber threat to our business and the maturity of our risk mitigations. We’ve had ISO 27001 for a many years across the business, and our audits all come up good, so I thought it should be easy. But how could I explain the results in a Board friendly manner?

Continue reading “Simple Information Assurance Maturity Model” →