So the cat is finally out of the bag!
It's been rumoured for ages that one of either IASME or CREST would be the single partner to run the Cyber Essentials scheme.
The rumour was correct.
It has just been announced that IASME have been awarded a 5-year contract to be the single and only partner for Cyber Essentials.
I know what you're thinking.
"What does this mean for my organisation?!?"
Whilst you might be uncertain about the future at this moment, I can promise you that by the end of this article you will have the answers and clarity you're after.
So, take a seat and relax whilst I explain everything you need to know about this major win for IASME and how it impacts your organisation.
Firstly, I will be referring to many key terms throughout this article, so it's worth defining the ones that commonly cause confusion.
Let's go through some of the fundamentals - starting with Cyber Essentials itself.
What is the Cyber Essentials scheme?
Cyber Essentials is the only government-led cyber security standard against which your organisation can be assessed and certified. (To learn more about what exactly Cyber Essentials is, click here.)
Cyber Essentials has two certifications, Cyber Essentials and Cyber Essentials Plus. It is important to know the difference between them and how each certification fits in with your organisation.
It identifies the security controls that your organisation must have in place within your IT systems in order to have confidence that you are addressing cyber security effectively and reduce the risk from cyber threats.
Cyber Essentials has five technical controls which allow for an 80% reduction in cyber threats. Of course, there are many benefits to Cyber Essentials, which you can read all about here.
As of 2019 there are approximately 30,000 organisations with Cyber Essentials, and this number is rapidly increasing as more organisations realise the threat posed by cyber criminals.
(New badges as of 2021)
What is a Certification Body?
Certification Bodies have the power to assess and certify organisations for Cyber Essentials.
For instance, when an organisation decides they want to be Cyber Essentials certified, they would need to contact a Certification Body to gain certification. The Certification Body will guide the organisation through the process of becoming Cyber Essentials certified.
Each Certification Body will now provide Cyber Essentials certification through IASME as official Cyber Essentials scheme partners.
I.A.S.M.E stands for "Information Assurance for Small and Medium Enterprises Consortium". The organisation focuses on Small and Medium Enterprises (SMEs), assessing and certifying them against two main standards:
- The IASME Governance Standard
- The Cyber Essentials Scheme
The IASME Governance Standard is the SME equivalent of the international certification 'ISO 27001' and it is also government-approved.
The assessment includes the Cyber Essentials scheme as well as the necessary GDPR requirements to prove your organisation is complying with GDPR.
The IASME Governance Standard (sometimes also referred to as IASME Gold) and Cyber Essentials processes require Certifying Bodies to sometimes be on-site when assessing the cyber security measures of an organisation.
Just like IASME, CREST is a not-for-profit organisation, and C.R.E.S.T stands for "Council of Registered Ethical Security Testers". CREST specialises in accrediting large organisations and the technical information security industry.
CREST provides internationally recognised and meticulously assessed accreditations, including Cyber Essentials. CREST was an ideal choice for organisations that offer penetration testing, cyber incident and threat intelligence services.
The differences between IASME and CREST
It's clear to see that IASME's practices are specifically targeted towards SMEs, which makes it far more cost-effective for Small and Medium Enterprises to be Cyber Essentials certified with an IASME Certifying Body.
This contrasts with CREST, who mainly focus on working with larger organisations in the technical information security industry.
IASME and CREST are different in many ways but a major difference in their respective methodologies is the on-site/off-site requirement for Cyber Essentials.
IASME requires representatives of the Certification Body to sometimes be present through the Cyber Essentials Plus process whereas CREST does not have this requirement.
Why did the NCSC only want one Partner Body for the Cyber Essentials Scheme?
As mentioned above, CREST and IASME operate differently. Whilst they abide by the same Cyber Essentials standard, they deliver Cyber Essentials in their respective ways.
The NCSC did not like this; they did not want to offer different methodologies for the same standard. The government wanted to have a more streamlined customer experience and introduce more consistency.
This is why they decided to have just one partner for the scheme as a whole. Now that IASME have won, it will be the IASME methodology that is used to implement Cyber Essentials for all British organisations.
Why was IASME chosen as the winner?
IASME had done more assessments than any other contender in the UK to date, and this level of experience is an important factor. Moreover, IASME focus on the vast majority of UK businesses, as most businesses are SMEs; CREST do not focus on these as much, which is why IASME won over CREST.
By understanding IASME and CREST, we can now further understand why the National Cyber Security Centre (NCSC) wanted to go from having five methodologies to just a single methodology and a single partner running the Cyber Essentials scheme.
What does IASME winning mean for your organisation?
Whether you've achieved certification, certify other organisations or are seeking certification, this impacts the industry and thus, your organisation:
For Certification Bodies:
- Instead of aligning with your current Accreditation Body's ways, processes and practices, you will have to align with the IASME practices, which are bound to be updated.
- If you're certified with a non-IASME Accreditation Body, you will have to go through the process of becoming an IASME Certifying Body on 1st April 2020. Up until that point, you can still issue certifications.
For organisations who are Cyber Essentials certified:
- If you're currently certified with a non-IASME Certifying Body, your Cyber Essentials will be valid until it expires. Once it expires, you will need to become certified with an IASME Certification Body.
- If you are currently certified with an IASME Certification Body, you will see changes to the way Cyber Essentials is implemented when you come to renew Cyber Essentials. You will not need to leave your current Certification Body.
If you're seeking Cyber Essentials certification:
- If you certify now with a Certification Body that does not use IASME, you will most likely find yourself changing to a Certification Body that is IASME qualified after 1st April 2020. The biggest issue with this is losing time, but it is not the end of the world if you do find yourself in this situation.
It's an important and exciting time for the Cyber Essentials scheme, and with all this new information, it's best to keep up with the fine details of Cyber Essentials.
This is why we've created The Ultimate Guide to Cyber Essentials, which will answer every single question you've ever had around Cyber Essentials. Whether or not you are brand new to Cyber Essentials, there is still so much to learn in the ever-evolving world of Cyber Essentials.