UK businesses can obtain independent certification of cyber security measures

Out-Law News | 05 Jun 2014 | 4:54 pm | 2 min. read

Businesses will be able to obtain independent certification of the cyber security measures they have put in place under a new scheme being promoted by the UK government and backed by the country's data protection watchdog. 

The Department for Business, Innovation and Skills (BIS) has launched new 'cyber essentials' guidelines (17-page / 513KB PDF) that outline "basic controls" organisations can implement to protect against hacking attacks and other cyber security breaches.

Alongside the guidelines issued is a new 'assurance framework' (14-page / 566KB PDF) which allows businesses that implement security measures in line with the guidelines to apply for a certificate to indicate their commitment to cyber security.

Businesses can apply for either a 'cyber essentials' certificate or a 'cyber essentials plus' certificate under the scheme. A 'cyber essentials' certificate is issued if a business self-assesses its own compliance with the guidelines and that assessment is independently verified. A 'plus' certificate is only available if a business allows the cyber security measures it has in place to be independently tested for compliance with the 'cyber essentials' guidance.

"The two options give organisations a choice over the level of assurance they wish to gain and the cost of doing so," BIS said in its 'cyber essentials: assurance framework' paper. "We believe this scheme offers the right balance between providing additional assurance of an organisation’s commitment to implementing cyber security to third parties, while retaining a simple and low cost mechanism for doing so."

BIS warned, however, that certification under the scheme would only provide "a snapshot of the cyber security practices of the firm" at the time of assessment, and that implementing the new guidelines "does not offer a silver bullet to remove all cyber security risk".

"Maintaining a robust cyber security stance requires additional measures such as a sound risk management approach, as well as on-going updates to the cyber essentials control themes, such as patching," it said.

Businesses will be able to obtain certification for the cyber security measures that they are responsible for when outsourcing IT services, including to a cloud provider.

In addition, companies will be able to obtain certification for the security of their 'bring your own device' (BYOD) policies.

"A number of the controls identified in the [guidance] will need to be implemented on user devices across the organisation," BIS said. "This has traditionally been done through centralised administration, ensuring consistency across the organisation's user estate. Certification of the security controls in such an environment is straightforward as there will usually be a standard build or reference that can be assessed."

"Consistency can still be achieved within a BYOD regime; however, as users are given more freedom to ‘customise’ their experience, there is a risk that certification (and implementation of controls) will become more challenging, and potentially more expensive. This risk will also be monitored closely as the assurance framework develops," it said.

The cyber essentials guidelines outline a number of base-level measures businesses should take to protect their data and systems from being compromised. The measures cover deploying firewalls, secure configuration of devices and networks, restricting access to systems and data, protecting against malicious software, and managing software and security updates appropriately.

BIS had consulted on the measures included in the new guidelines earlier this year. The cyber essentials scheme builds on previous recommendations the government made to help businesses reduce their vulnerability to cyber attacks.

"Protecting personal data depends on good cyber security, and the threats and challenges are getting ever more sophisticated," Information Commissioner Christopher Graham said. "All too often organisations fail at the basics. This scheme focuses on the core set of actions that businesses should be taking to protect themselves, their customers, and their brand. 'Cyber essentials' enables businesses to demonstrate that they are taking action to control the risks."