Cyber Essentials Series: What it is and why it's important
The NCSC has recently re-branded and re-launched its Device Guidance and Mobile Device Guidance. The settings in this guidance are far more cost- and time-effective for organisations of all sizes to implement via Mobile Device Management (MDM).

What is the National Cyber Security Centre?
The National Cyber Security Centre (NCSC) supports the most critical organizations in the UK, the wider public sector, industry, SMEs, and the general public by providing guidance that aids organizations in shoring up their security plans based on a series of best practices to protect business data and user privacy as part of a comprehensive threat defense strategy.
In 2022, the NCSC rebranded and relaunched its Device Guidance and Mobile Device Guidance, providing a variety of resources for IT and Security teams for organizations ranging from SMBs to large enterprises to help them achieve cyber resilience. Included as part of these resources, for example, are scripts to automate the standardization of device configuration settings. Alongside these settings exists a plethora of practice guidance for developing a strong security baseline within your organization.
What is Cyber Essentials?
Cyber Essentials is the name of the certification designed by the NCSC that distills best practices in:
- Data confidentiality
- Network security
- Secure authentication and access
- Patch management
- Malware prevention
By following the prescriptions provided by the NCSC and performing the online self-assessment, organizations of all sizes are advised on the five technical controls necessary to thwart the most common threats impacting modern computer systems and mobile device users today.
What is Cyber Essentials Plus?
The NCSC classifies the Cyber Essentials program above as "Level 1." Following that, Cyber Essentials Plus is considered "Level 2". The two levels are nearly identical, but the Cyber Essentials Plus certification requires an assessment of your organization's security controls by a third party. More specifically, in order to obtain the Cyber Essentials Plus certification, organizations must meet all of the criteria listed for Cyber Essentials and undergo an additional technical audit of in-scope systems by the certification body, which includes:
- On-site internal vulnerability scan
  - Check patch management statuses
  - System configuration compliance
- Testing of in-scope systems
  - Check Internet gateways
  - Servers with public-facing services
  - Sampling of user devices
- Off-site external vulnerability scan
  - Check patch management statuses
  - System configuration compliance of public-facing infrastructure
Is Cyber Essentials certification only for UK-based organizations?
While the NCSC and the Cyber Essentials Level 1 and 2 certificates are backed by the UK government, all organizations around the globe are urged to participate in the certification process. For example, Amazon's AWS platform earned the Cyber Essentials Plus certification as a sign of its strong commitment to enterprise security and to "mitigate the risk from common Internet-based threats."
How can my organization obtain Cyber Essentials certification?
The best place to start is by reviewing the guidelines set forth on the NCSC's website to ensure your organization meets the requirements needed to certify. Additionally, as part of making sure organizations meet the requirements necessary, the NCSC has partnered with the IASME Consortium, which helps organizations of all sizes with their certification path. They have developed a Cyber Essentials readiness tool to help organizations through the process, and should they wish to certify at Level 2, IASME helps bring together organizations with third parties authorized to perform the technical audit on behalf of the certification body.
Can Jamf help organizations meet Cyber Essentials' certification requirements?
Jamf Pro customers already know that our device management solutions help them standardize and deploy configuration profiles across their device fleet while keeping devices up-to-date with patches. Additionally, Jamf Connect ensures users are securely authenticated, with protected access to business resources granted only to authorized users and devices. Lastly, Jamf Protect incorporates active monitoring of endpoints to detect and prevent malicious code and activity from affecting device compliance levels.
In short, with Jamf on your side, organizations looking to certify with Cyber Essentials or Cyber Essentials Plus can easily implement the controls required by the NCSC. Check back for the next blog in the series when we dive deep into Cyber Essentials Plus (CE+), focusing on the assessment process and providing detailed examples of how Jamf supports organizations to meet the stricter requirements.