Guardian Saints has long been an advocate of the National Cyber Security Centre’s Cyber Essentials (CE) programme. It is clear that good cyber security practices within an organisation will help protect personal information, an invaluable tool in your data protection armoury. Certification enables providers to demonstrate that their Cyber Security meets the national minimum standard of compliance and instils confidence in their customers and suppliers alike. The CE programme was updated in January. The new revision, called Evendine, introduces more stringent authentication controls and brings cloud implementations into the scope of CE.
Providers with whom we work inform us that a growing number of local authorities ask for Cyber Essentials certification numbers in their tender process. Although CE is not an absolute requirement, it will certainly make clear that certification holders regard cyber security and data protection as being of great importance, and it may signpost a clearer path through the tender process. So:
- How can you prepare for certification?
- If you already have CE Certification, how can you be prepared for the changes that CE Evendine will bring?
- How do you know your devices and operating systems are supported and up to date?
- Do you permit staff to use their own devices/mobiles (BYOD)?
- Are legacy systems and software on a segregated network?
- Are your cloud implementations IaaS, PaaS or SaaS? (Eh?)
As a CE Certification Body, Guardian Saints has guided many providers of all sizes through the application process to completion. Based on this experience, we have conducted an internal analysis of the common errors and ‘pitfalls’ applicants fall into when applying for CE certification; you may be surprised at what we have found; these include:
- Misunderstood questions
- Incomplete answers
- Out-of-date or unsupported equipment (laptops, mobile phones, tablets, even routers)
- Attempts to abrogate responsibility to third-party suppliers such as IT companies
- Operating systems (Windows, MacOS etc.) that are not updated
- A lack of understanding of internal processes
If all this seems a bit technical, bear in mind that it is important that the people who manage your technology understand the requirements, and that providers’ senior leadership take an accountable role in the oversight of cyber security management.
Of course, we wouldn’t ask these questions if we had not already formulated the answers! Guardian Saints, via NAFP, is hosting two seminars (27 April and 12 May 2022) that will explore the things you need to know in preparation for the latest CE requirements (Evendine). During the seminar we will step through these issues, indicating the questions that are most often misunderstood and how clarity can be achieved. In addition, we will explain what is ‘in scope’ for the application and how to check that the devices your organisation uses are compatible with the scheme. We will also explain the difference between a good answer and a not so good (bad) answer. Using the Slido interactive tool, we will take individual questions to help you with your CE application.
Cyber Essentials is not something to be feared; it must be understood and recognised as a significant advantage to your organisation.
Guardian Saints is a not-for-profit community interest company founded in 2014 by two parents and a foster carer, all with successful careers in cyber security, data protection and compliance within the corporate sector.