The development of the Cyber Essentials assessment standard was necessary after a call for standards did not offer anything “to make a practical difference and reduce the UK attack surface”.
Speaking at the IT Governance conference in London, Richard Bach, assistant director of cyber security at the Department of Business, Innovation and Skills, said that the concept came from the Cyber Security Strategy to “encourage industry-led standards and guidance” and after viewing 25 submitted standards, he said that “nothing scratched the itch”.
He said: “Agreat number backed ISO 2700x, and IASME was recognised as best for small companies and ISF for large companies, but nothing met the need.
“Cyber Essential recognises that you may not understand everything, but if you can understand that these are the ten things to take care of, it is a good start. These are a set of practical and testable measures, for testable security. The landscape of advice and guidance is complex and confusing, so we needed to show leadership in the space and things you need to do, for some it may be a complete journey, but it is about protection from internet-born commodity threats, not the insider threat. This is not about stopping zero-days.”
Bach said that the idea was to develop it with a language which was designed to be understood by all, and its future will lay with the private sector. “The Government is the scheme owner, but it is not what it does best, and want to see commercial ownership in the private sector of this, and we are working towards that over the next year,” he said.
“Goverment doesn’t like mandation on cyber security, as it puts us up against EU standards and we believe there are other ways of doing it, and it should be voluntary and why we are doing that. If anyone has the capacity or skills to do it, then we will run courses in due course on what future looks like.”
He also confirmed that Vodafone achieved Cyber Essentials Plus accreditation this week, but the future of the standard will see work with the Trusted Software Initative as part of the Cyber Security Strategy on industry and academia.
Back said: “The principles do apply to all, and we want everyone to get on message as this is important. This is about the basics and we use the phrase basic cyber hygiene.”
Alan Calder, founder and CEO of IT Governance, said that Cyber Essentials is about what is going on in cyber space, while the Cyber Security Strategy was about achieving minimum levels of cyber security and hygiene. “For it to happen, every organisation has to play its part and the weakest link is the company who does little or nothing,” he said.
