So the cat is finally out of the bag! It's been rumoured for ages that one of either IASME or CREST would be the single accreditation body partner to run the Cyber Essentials scheme.
The rumour was correct.
It has just been announced that IASME have been awarded a 5 year contract to be the single and only accreditation body for Cyber Essentials
I know what you're thinking.
"What does this mean for my organisation?!?"
Whilst you might be unsure and uncertain of the future at this moment, I can promise you, by the end of this article you will have the answers and clarity you're after.
So, take a seat and relax whilst I explain everything you need to know about this major win for IASME and how it impacts your organisation.
Firstly, I will referring to many key words throughout this article so it's worth defining the key words that commonly cause confusion.
Let's go through some of the fundamentals - starting with Cyber Essentials itself.
The Cyber Essentials Scheme Explained
What is the Cyber Essentials scheme?
Cyber Essentials is the only government led, cyber security standard, which your organisation can be assessed and certified against. (To learn more about what exactly Cyber Essentials is, click here)
Cyber Essentials has two certifications, Cyber Essentials and Cyber Essentials Plus, it is important to know the difference and how the certifications fit in with your organisation.
It identifies the security controls that your organisation must have in place within your IT systems in order to have confidence that you are addressing cyber security effectively and reduce the risk from cyber threats.
Cyber Essentials has five technical controls which allow for an 80% reduction in cyber threats. Of course there are many benefits to Cyber Essentials which you can read all about here)
There are approximately 30,000 organisations with Cyber Essentials in 2019 and this number is rapidly increasing as more organisations realise the threat posed by cyber criminals.
What is a Certifying Body?
Certifying bodies have the power to assess and certify organisations for Cyber Essentials.
For instance, when an organisation decides they want to be Cyber Essentials certified, they would need to contact a certifying body to gain certification. The certifying body will guide the organisation through the process of becoming Cyber Essentials certified.
Each Certifying Body provides Cyber Essentials certification through one of the five accreditation bodies.
What is an Accreditation Body?
An accreditation body recruit and manage numerous Certification Bodies, ensuring the standards which we have set down for the Cyber Essentials scheme are met. Accreditation Bodies can also directly certify organisations.
The five accreditation bodies are APMG, QG, IASME, CREST and IRM.
As IASME and CREST are the two biggest accreditation bodies and whilst the focus of this article is on them, there are still some organisations who are Cyber Essentials certified with APMG, QG and IRM.
Each Accreditation Body:
- Produces a questionnaire for their Certification Bodies to use when certifying
- Has a process for auditing its Certification Bodies in place
- Verifies that all of their Certification Bodies meet the National Cyber Security Centre's demanding level of technical competence
- Is audited at least every 12 months by the National Cyber Security Centre.
IASME is a not-for-profit organisation and I.A.S.M.E stands for "Information Assurance for Small and Medium Enterprises Consortium.
IASME focus on Small and Medium Enterprises (SMEs) and if you're an SME, IASME provides the best value for money to meet the government's cyber security standards.
IASME assess and certify organisations against two standards:
- The IASME Governance Standard
- The Cyber Essentials Scheme
The IASME Governance standard is the SME equivalent of the international certification 'ISO27001' and it is also Government approved.
The assessment includes the Cyber Essentials scheme as well as the necessary GDPR requirements to prove your organisation is complying with GDPR.
The IASME Governance Standard (Sometimes also referred to as IASME Gold) and Cyber Essentials process requires Certifying Bodies to sometimes be on-site when assessing the cyber security measures of an organisation.
Just like IASME, CREST are a not-for-profit organisation and C.R.E.S.T stands for "Council of Registered Ethical Security Testers". CREST specialised with accrediting large organisations and the technical information security industry.
CREST provide internationally recognised and meticulously assessed accreditations including the Cyber Essentials. CREST was an ideal choice for organisations who offer penetration testing, cyber incident and threat intelligence services.
The differences between IASME and CREST
It's clear to see that IASME's practices are specifically targeted towards SMEs which makes it far more cost effective for Small and Medium Enterprises to be Cyber Essentials certified with an IASME certifying body.
This is contrasted with CREST as they mainly focus on working with larger organisations in the technical information security industry.
IASME and CREST are different in many ways but a major difference in their respective methodologies is the on-site/off-site requirement for Cyber Essentials. IASME requires representatives of the Certifying Body to sometimes be present through the Cyber Essentials Plus process whereas CREST does not have this requirement.
Why did the NCSC only want one Accreditation Body for Cyber Essentials?
As aforementioned, CREST and IASME operate differently. Whilst they abide by the same Cyber Essentials standard, they deliver Cyber Essentials in their respective ways.
The NCSC did not like this, they didn't want Accreditation Bodies to offer different methodologies for the same standard. The government wanted to have a more streamlined customer experience and introduce more consistency.
Hence why they decided to have just one Accreditation Body for the scheme as a whole. Now that IASME have won, it will be the IASME methodology that will be used to implement Cyber Essentials to all British organisations.
Why was IASME chosen as the winner?
IASME have done more assessments than other Accreditation Body in the UK to date, this level of experience is an important factor. Moreover, IASME focus on the vast majority of UK businesses as most businesses are SMEs, CREST do not focus on these as much and therefore, this is why IASME won over CREST.
By understanding IASME and CREST, we can now further understand why the National Cyber Security Centre (NCSC) wanted to go from having five accreditation bodies to just a single accreditation body running the Cyber Essentials scheme.
What does IASME winning mean for your organisation?
Whether you've achieved certification, certify other organisations or are seeking certification, this impacts the industry and thus, your organisation:
For Certifying Bodies:
- Instead of aligning with your current accreditation's body's ways, processes and practices, you will have to align with the IASME practices, which are bound to be updated.
- If you're certified with a non-IASME Accreditation Body, you will have to become go through the process of becoming an IASME Certifying body in 1st April 2020. Up until that point, you can still issue certifications.
For organisations who are Cyber Essentials certified:
- If you're currently certified with a non-IASME Certifying Body, your Cyber Essentials will be valid until it expires. Once it expires, you will need to become certified with an IASME Certifying Body.
- If you are currently certified with an IASME Certifying Body, you will see changes to the way Cyber Essentials is implemented when you need to renew Cyber Essentials. You will not need to leave your current Certifying Body.
If you're seeking Cyber Essentials certification:
- If you certify now with a Certifying Body who does not use IASME, you will most likely find yourself changing to a Certifying Body who does is IASME qualified after 1st April 2020. The biggest issue with this is losing time but it is not the end of the world if you do find yourself in this situation.
It's an important and exciting time for the Cyber Essentials scheme and with all this new information, it's best to keep up with the fine details of Cyber Essentials.
This is why we've created The Ultimate Guide to Cyber Essentials which will answer every single question you've ever had around Cyber Essentials. Whether or not you are brand new to Cyber Essentials, there is still so much to learn about in the ever evolving world of Cyber Essentials.