Cyber Essentials – changes are on the way
I had a great day out last week at the Cyber Security: Securing SMEs symposium as part of the Malvern Festival of Innovation. It was a meeting of minds for those of us who dedicate our work to helping SMEs become cyber secure. The cyber security industry is huge and fragmented depending on the size and type of business it serves, and it was great to spend a day just talking about SMEs, who are by far the largest employers in the UK.
There was a fascinating talk on Data Breaches and how to manage them by David Clarke FBCS, Chief Technology Officer at The Trust Bridge. Of course, this is what we are all trying to prevent; however, we must all face up to the fact that data breaches will happen, and we must be prepared to cope with them. Unfortunately, the businesses that are most likely to suffer a breach are those that are not prepared, but I digress …
Dr Emma Philpott from IASME spoke about small company certification and the recent news that IASME has won a government tender to become the only Accreditation Body for Cyber Essentials. This is great news, not only because I trained with IASME, but also because it will simplify the Cyber Essentials process. In my experience securing CE certifications for small businesses, the mechanics of the wider process are of no concern to them; they just want to demonstrate to their clients and customers that they have robust controls in place to protect business and personal data, and to get the peace of mind of knowing that they are secure against the common threats lurking in cyberspace.
So what will be changing and how will it affect SMEs who want Cyber Essentials? Currently there are five Accreditation Bodies (ABs) in the CE scheme, and each Certification Body (CB), the organisations who certify and award certificates, is aligned to one or more Accreditation Bodies. Although there is a common standard to which all the ABs adhere, there are small differences in the question sets and in whether vulnerability scans are required as part of the certification process, and this has caused some confusion. From April 2020, IASME will be the only Accreditation Body and there will be one standard with which all the existing (few hundred) CBs will need to comply.
So in summary:
Nothing will change until April 2020
Between now and then we will learn more about the new IASME standard
It's unlikely the standard will change significantly
Your existing certification will remain valid until its annual expiry date
Cyber Security is constantly changing and it's good to see Cyber Essentials keeping pace! As soon as we get news of any further changes, I will publish them here.