Government responds to consultation results.
Five years on from its initial inception, the government-run security scheme Cyber Essentials is changing. By April 2020, a new model is expected to be in place, with more changes set to follow.
The biggest difference with the new version of the scheme is that there will only be one Accreditation Body. Currently, there are five Accreditation Bodies, each of which operates in a slightly different way, using its own network of Certification Bodies (such as TMB). Based on consultation with organisations and individuals in a wide range of industries, it became apparent that having multiple Accreditation Bodies was too complicated.
The National Cyber Security Centre (NCSC) is currently in a commercial tendering process to find its new partner for the Cyber Essentials scheme. The result of that process is expected to be announced over the summer. Once a new Accreditation Body has been chosen, it will work with the NCSC to standardise Cyber Essentials, to ensure consistency across all the Certification Bodies. These bodies will also need to meet new minimum standards of competence.
Cyber Essentials is changing to keep up with technology as well. The way businesses use technology has changed since the scheme was first launched. Cloud computing, for example, is a much different beast today compared to what it was five years ago.
The reinvented Cyber Essentials will take a different approach to certification too, with certificates being issued with 12-month expiry dates. This is in contract to the current system, which encourages annual renewal but isn’t backed by certificate expiry.
Beyond these plans, Cyber Essentials is changing in a few other ways. The NCSC hopes to bring in advisory services to help organisations better understand cyber security, and it wants to find more accurate ways of measuring the success of the scheme. Automation is also on the cards, as is a review of the current assessment levels beyond Cyber Essentials and Cyber Essentials Plus.
Although it might seem like these changes are coming fairly soon, you shouldn’t put off getting a Cyber Essentials certificate now if you don’t have one already. Doing so would only leave your business vulnerable to cyber attacks.