Following its launch earlier this year, the UK Government has announced that compliance with the Cyber Essentials standard will be mandatory for suppliers bidding for a number of Central Government contracts.
What is Cyber Essentials?
Cyber Essentials is a UK Government backed information security standard, developed in consultation with the industry. Cyber Essentials is intended to to significantly reduce an organisation’s vulnerability to cyber attacks.
Cyber Essentials comprises five critical controls. The UK Government developed the standard because in its view neither ISO27001 nor other considered standards were sufficiently prescriptive to defeat common internet based threats.
Cyber Essentials comprises two levels of compliance: Cyber Essentials – under which an organisation self-certifies against the requirements, and Cyber Essentials Plus – where compliance is certified by an independent accreditation body.
Whilst early adopters of Cyber Essentials compliance include organisations like BAE Systems, HP and Vodafone, Cyber Essentials is designed to be equally applicable to SMEs.
In particular, some SMEs have claimed that Cyber Essentials compliance has helped to reduce the rigmarole that SMEs have to go through when bidding for public sector contracts.
The scheme is backed by the Association of British Insurers, with certain insurers offering incentives for businesses to become certified.
With effect from 1 October 2014, all suppliers wishing to bid for certain Central Government contracts must be compliant with the Cyber Essentials controls.
The relevant contracts are those:
- where personal information of citizens, such as home addresses, bank details, or payment information is handled by a supplier.
- Where personal information of Government employees, Ministers and Special Advisors such as payroll, travel booking or expenses information is handled by a supplier
- Where ICT systems and services are supplied which are designed to store, or process, data at the OFFICIAL level of the Government Protective Marking scheme
A number of exemptions to this general rule apply, for example where an existing information security standard or assessment already applies (for example, for services provided through G-Cloud).
Are other contracting authorties adopting Cyber Essentials?
Whilst the Government has announced that Cyber Essentials is mandatory for certain Central Government contracts, compliance with Cyber Essentials could also be used by contracting authorities on a case by case basis, for example:
- data is held or accessed outside of the UK/EC
- Where data is subject to the US-EU Safe Harbor process
- Where data is regularly held in a separate Disaster Recovery location
- Escrow and Disaster Recovery suppliers with access to customer data
I expect to see compliance with Cyber Essentials becoming an increasingly common requirement for contracts across the public sector.
Notably, Cyber Essentials is not just relevant to ICT suppliers – it will also be applicable to any other suppliers that handle data – for example, providers of payroll services and professional services businesses such as lawyers, accountants, HR advisors and consultants.
What should I be doing?
It is up to the contracting authority to determine whether compliance need only be at the self-certification level or independently accredited (Cyber Essentials Plus).
As compliance is a precondition to bidding for contracts where Cyber Essentials applies, if your business is involved in providing services to the public sector and is likely to be handling data, then it makes sense to take steps now to assess whether your organisation complies with the Cyber Essentials requirements and if not to identify what needs to be done to rectify any non-compliance. Thereafter, you may wish to consider applying for Cyber Essentials Plus certification.
Waiting until you receive an ITT requiring compliance will likely be too late.
On October 15, 2014