Have you read the ‘Cyber Essentials Requirements for IT Infrastructure’ document?

One of the newest questions added to the Cyber Essentials self-assessment questionnaire reads “Have you read the ‘Cyber Essentials Requirements for IT Infrastructure’ document?” But what is this document, what does it say, why should you read it and where can you find it?

What is the ‘Cyber Essentials Requirements for IT Infrastructure’ document?

The Cyber Essentials scheme is a simple yet effective, Government-backed framework that will help protect your organisation against a range of the most common internet-based cyber attacks. The scheme offers two levels of certification for organisations, Cyber Essentials and Cyber Essentials Plus.

The Cyber Essentials scheme is developed by the National Cyber Security Centre (NCSC) who, in April 2020, appointed the IASME Consortium to be their Cyber Essentials Partner.

In creating the scheme, the NCSC has laid out its minimum requirements for applicant organisations and these are described in the Cyber Essentials Requirements for IT Infrastructure document.

What does the ‘Cyber Essentials Requirements for IT Infrastructure’ document say?

The document describes what applicant organisations must adhere to in order to be certified. Specifically, the document states that organisations must:

  1. Establish the boundary of scope for their organisation and determine what is in scope within this boundary.
  2. Review each of the five technical controls of the Cyber Essentials scheme and the controls they embody as requirements.
  3. Take steps as necessary to ensure that their organisation meets every requirement throughout the scope they have determined.

The document goes on to describe:

  • How to determine the scope for your Cyber Essentials application, which should usually be the whole organisation
  • Requirements of the five technical controls:
    • Firewalls
    • Secure configuration
    • User access control
    • Malware protection
    • Security update management (patching)

Why should I read the ‘Cyber Essentials Requirements for IT Infrastructure’ document?

The document gives a concise and clear description of the requirements to be met under each of the five technical controls. Any organisation wishing to become certified against Cyber Essentials (Plus) is required to have read the document and to comply with the requirements set out within it.

We would strongly recommend that any organisation wishing to become Cyber Essentials certified should start by reviewing the Cyber Essentials Requirements for IT Infrastructure document and forming an action plan to ensure their organisation meets all requirements. Our free Cyber Essentials assessment can also be helpful in creating a list of actions your organisation may need to take to comply with the requirements and become Cyber Essentials certified.

You can find the document on the NCSC’s website. If you’re ready to become certified, why not take a look at the Cyber Essentials packages we offer? Or, if you have any questions, feel free to contact us.