July 1, 2019

The NCSC recently carried out a consultation exercise on the scheme to ensure that it evolves to meet present and future cyber security challenges. As a result, the NCSC is planning on making various changes to the scheme.

These changes are planned for the near term:

• a new partnership model: a single cyber security delivery partner to take over the running of the scheme will be appointed. Therefore, instead of five Accreditation Bodies, all operating in slightly different ways and all having their own Certification Bodies, there will be just one. The need for Certification Bodies will continue and there will be a transition period after the appointment of the new delivery partner, which will take over operation of the scheme at the end of March 2020;
• introducing a minimum criteria for Certification Bodies and Assessors: at the moment, all Certification Bodies go through a process to ensure that they have the appropriate cyber security skills, knowledge and competence. The NCSC will work with the new Cyber Essentials partner to define and implement a consistent minimum standard of expertise for everyone involved in implementing the scheme; and
• registered certification marks: currently, although organisations are encouraged to re-certify annually, there is no automatic expiry date on certificates. From next year, certificates will be issued with a 12-month expiry date.

Once the new delivery partner is in place, the NCSC will collaborate with them to introduce other changes. These include:

• the introduction of advisory services: exploring how to improve the basic IT security of organisations. This includes understanding and complying with the Cyber Essentials Technical Standard;
• measuring benefit: introducing ways to measure what difference implementing Cyber Essentials is having;
• feedback on controls: developing more effective feedback mechanisms to ensure that the scheme keeps pace with the technology customers are using and new or emerging cyber threats.
• levels of confidence: the current levels of the scheme are Cyber Essentials and Cyber Essentials Plus. The NCSC says that it will be working with the new partner to establish whether there is a need for additional levels, both below and above the current options;
• scope of certification: making it easier and more intuitive to understand what a certificate covers in order to give greater certainty to those relying on the use of Cyber Essentials as a way to assess the security of their supply chain; and
• automation: exploring innovative automated technical solutions to deliver certification services.

As for what is not changing, the NCSC says that it has reviewed the five technical controls and believes that none is redundant. It will, however, continue to monitor these and look at where alternative controls could have the same effect. However, there are no plans to change the technical standard ahead of transition to the new partner.

Finally, the NCSC reminds organisations that they should continue with plans to certify or re-certify even though the scheme is changing. The NCSC says that those that have not consciously implemented Cyber Essentials could be vulnerable to attack right now. To read the NCSC blog post in full, click here.