@adotcoop
Created April 5, 2024 16:42

Cyber Essentials Scheme History 2011-2023

This page brings together the key dates and documents relating to the UK Government's Cyber Essentials Scheme. Where possible, links are to the National Archives versions of the historic government websites.

When reviewing historic documents, care should be taken to understand how the scheme was organised and run prior to 2020.

The scheme originated in the 2011 UK Cyber Security Strategy, which mentioned encouraging the development of a cyber 'kite-mark'. A consultation carried out in 2013 concluded that no existing cyber security standard would meet the government's requirements - a new one would therefore need to be created.

Shortly before launch it was reported in multiple outlets that it would be a 3-tier scheme:

  • Bronze – A self assessed tier
  • Silver – An independently verified test
  • Gold – An independently verified test with an accompanying audit

However, this did not materialise, and Cyber Essentials started with the same two-tier system we have today.

At launch in 2014, HM Government published a summary of the standard, a set of requirements and an assurance framework.

After these 3 documents were published by the Government, a minor revision was noted in the Assurance Framework in January 2015, where "the option for an organisation to be both an Accreditation Body and a Certification Body" was removed. No further updates to these files were found.

Alongside these publications, CESG (the forerunner to NCSC) published two documents, the Cyber Essentials Common Questionnaire and Cyber Essentials PLUS Common Test Specification.

Accreditation Bodies took these documents and adapted them. These bodies then appointed Certification Bodies who would carry out the assessments. This can cause confusion, as there were subtly different interpretations of the standard across Accreditation Bodies - a point noted in the 2016 DCMS report.

Between 2016 and 2020 the Requirements document moved from PDF format to a webpage. Unfortunately this page is not versioned, so it will be referred to by date. The Common Questionnaire does not appear to have been updated during this period, but the archived QG website contains updates. It is unclear whether these updates came from NCSC or were operational decisions made by QG as an Accreditation Body.

In 2020 the Accreditation Bodies were dropped and IASME became the sole Delivery Partner. The NCSC now publish two documents - Cyber Essentials: Requirements for IT infrastructure and Cyber Essentials Plus: Illustrative Test Specification. IASME now publish a Self-Assessment booklet and the Questionnaire.

Definitions

| Term | Definition |
|---|---|
| Accreditation Body | An organisation that develops the certification tests |
| Certification Body | An organisation that can carry out an assessment |

Key dates

| Date | Event | Links |
|---|---|---|
| 25 November 2011 | UK Government publishes Cyber Security Strategy which mentioned "encouraging the development of security ‘kitemarks’" | Cyber Security Strategy Policy Paper |
| 2012 | 10 Steps to Cyber Security is published | 10 Steps to Cyber Security Executive Companion |
| March 2013 | Government starts consultation on new standard | Cyber security organisational standards: a call for views and evidence (BIS/13/659) |
| 23 April 2013 | Government publishes cyber security guide for small businesses | Small Businesses: What you need to know about cyber security |
| November 2013 | Government publishes response to March 2013 consultation calling for new standard | Consultation outcome / Call for evidence on a preferred standard in cyber security: government response |
| 26 November 2013 | Government publishes research from PWC on UK cyber security standards | Research abstract / UK cyber security standards: research report (BIS/13/1294) |
| 12 December 2013 | Francis Maude MP speech - "we are developing an industry-led kite mark-style standard for cyber security," "next year all central government departments will be expected to adopt this standard for their own procurement" | Speech on second anniversary of the Cyber Security Strategy |
| May 2014 | New standard reportedly may have "Gold, Silver and Bronze Tiers" | IT Governance - Is the standard of your organisation’s IT Security Bronze, Silver or Gold? / HMG Cyber Essentials Scheme |
| 6 June 2014 | Cyber Essentials scheme launches with 2 Accreditation Bodies - CREST and IASME | IT Governance - 10 Facts About the Cyber Essentials Scheme |
| September 2014 | QG becomes third Accreditation Body | Cyber Essentials has a third Accreditation Body |
| 25 September 2014 | Cabinet Office releases policy on "how to use the Cyber Essentials scheme" for procurement | Original version / Revised version from 2016 |
| 3 October 2016 | NCSC created, replacing CESG and others | National Cyber Security Strategy 2016, p29 |
| 21 December 2016 | DCMS publish research into the adoption of CE | Cyber Essentials Scheme – process evaluation and communications testing |
| 26 November 2017 | NCSC blog post about "the future of Cyber Essentials" | The future of Cyber Essentials - A look at our roadmap for the scheme |
| 27 November 2017 | Chris Ensor blog post about the history of Cyber Essentials | A brief history of Cyber Essentials |
| 21 June 2019 | NCSC blog post announcing the future of the scheme with the intention to have a single Delivery Partner | Cyber Essentials Blog The Bare Essentials |
| 7 October 2019 | IASME win 5 year contract to be sole CE Delivery Partner | NCSC - Announcing IASME Consortium as our new Cyber Essentials Partner / News article - What Does This Mean? |
| 1 April 2020 | IASME become sole Delivery Partner for CE | Announcement / NCSC Blog Post / IASME Blog Post on NCSC website |
| 22 June 2023 | Report on December 2022 evaluation of CE by DSIT | Cyber Essentials scheme process evaluation / News Article - Companies Call for Changes to UK’s Cyber Essentials Scheme |

The Accreditation Bodies

pre-2020 Cyber Essentials Accreditation Bodies via the Internet Archive

| Accreditation Body | Homepage | List of Certification Bodies |
|---|---|---|
| APMG | 2018 CE Homepage | n/a |
| CREST | 2018 CE Homepage | 2018 Certification Bodies |
| IASME | 2018 CE Homepage | 2018 Certification Bodies |
| IRM Security | 2019 CE Homepage | see archived homepage |
| QG Management Standards | 2018 CE Homepage | 2018H2 Certification Bodies / 2018H1 / 2016 |

NOTE: The QG Certification Bodies links also contain links to their CE Questionnaires in MS Word format

Accreditation bodies questionnaires

One of the key differences in approach to Cyber Essentials between 2014 and 2020 was the number of questions in each Accreditation Body's questionnaire.

Key:

  • F - Firewalls (pre-2017 Boundary Firewalls and Internet Gateways)
  • SC - Secure Configuration
  • UAC - User Access Control
  • MP - Malware Protection
  • SUM - Security Update Management (pre-2017 Patch Management)

| Accreditation Body | Version/Date | F | SC | UAC | MP | SUM | Total | Notes |
|---|---|---|---|---|---|---|---|---|
| APMG | 20/11/2017 | | | | | | 40 | |
| Crest | 29/08/2017 v3.0 | 9 | 18 | 9 | 9 | 8 | 53 | Questions are numbered 1-52 but 8 and 8a are considered as two distinct questions |
| Crest | 07/09/2017 v3.1 | 9 | 18 | 9 | 9 | 8 | 53 | See notes for version 3.0 |
| IASME | 05/2018 v10.5 | 12 | 10 | 11 | 6 | 6 | 45 | Amwell IS branded version |
| IASME | 02/2019 v11 | 12 | 10 | 11 | 6 | 6 | 45 | First version to number questions as A2.1, A2.2 etc. instead of numbers 1-45 |
| IASME | 03/2020 v11b | 12 | 10 | 11 | 6 | 6 | 45 | |
| IASME | 08/2020 v11c | 12 | 10 | 11 | 6 | 6 | 45 | |
| QG | 2014 | 7 | 8 | 7 | 7 | 5 | 34 | Unknown version but URL is dated 2014. Provides guidance on the answers |
| QG | 20/02/2016 Issue 5 | 7 | 8 | 7 | 7 | 5 | 34 | |
| QG | 06/02/2018 v1.050 | 7 | 9 | 7 | 9 | 3 | 35 | 3 questions from SC are broken out into a specific password section |

Certification bodies

This section includes some important information such as how certification bodies could apply to the accreditation bodies, what requirements were imposed on them, and fees. Links to archived lists of certification bodies are also included.

| Accreditation Body | Date | URL |
|---|---|---|
| APMG | unknown | Become a Cyber Essentials Certification Body / Internet Archive |
| CREST | 2016 | CREST certifying bodies by region |

The main versions

NOTE: IASME became sole Delivery Partner in 2020, replacing the Accreditation Bodies

| Version | Codename | Year | Date | Notes |
|---|---|---|---|---|
| 1 | n/a | 2014 | June 2014 | Released as 3 documents: Summary, Requirements and Assurance Framework |
| 2.2 | Beacon | 2021 | 26 April 2021 | First codename version |
| 3.0 | Evendine | 2022 | April 2022 | n/a |
| 3.1 | Montpellier | 2023 | 24 April 2023 | n/a |

Documents for each version

Version 1 - 2014

These are the original Cyber Essentials scheme documents. According to Cyber Essentials – A Pocket Guide by Alan Calder (IT Governance Publishing, 2014), there were originally three documents that comprised the scheme:

| Date | Document (clickable link) |
|---|---|
| June 2014 | Cyber Essentials Scheme: Summary / alt link 1 / alt link 2 |
| June 2014 | Cyber Essentials Scheme: Requirements for basic technical protection from cyber attacks |
| June 2014 | Cyber Essentials Scheme: Assurance Framework |

The test specifications for Cyber Essentials and Cyber Essentials Plus were also published in 2014.

| Date | Document (clickable link) |
|---|---|
| 23 September 2014 | Cyber Essentials Common Questionnaire v1.1 / alt link 1 / alt link 2 |
| 20 October 2014 | Cyber Essentials PLUS Common Test Specification V1.2 / alt link 1 / alt link 2 |

The following is the only update that was found published based on the original document set.

| Date | Document (clickable link) | Notes |
|---|---|---|
| January 2015 | Cyber Essentials Scheme: Assurance Framework / alt link | "only change [...] is the removal of the option for an organisation to be both an Accreditation Body and a Certification Body" |

2017 updates

In 2017 the Requirements for basic technical protection from cyber attacks PDF document was withdrawn and replaced by a webpage. The What's New section provides a decent overview of the changes but fails to mention the removal of alternative controls. The original version of the document stated at the top of page 4:

"Where a particular control cannot be implemented for a sound business reason (e.g. is not practical or possible) alternative controls should be identified and implemented."

Although alternative controls have been dropped from the Requirements, they are still present in at least the QG implementation of the scheme, which includes the statement:

"Take steps as necessary to ensure that your organisation meets every requirement, throughout the scope you have determined. If you can’t, highlight any compensating controls you have put in place to mitigate the risk."

| Date | Document (clickable link) |
|---|---|
| 06 February 2017 | Requirements for IT Infrastructure |
| 06 February 2017 | Threats in scope (Cyber Essentials scheme) |

NOTE: The Requirements for IT Infrastructure appear to be static from this point until IASME are appointed sole Delivery Partner. The 2020 version of the page has an identical What's New section.

| Accreditation Body | Date | Document (clickable link) |
|---|---|---|
| APMG | 24 September 2018 | A guide to the Cyber Essentials Self-Assessment Questionnaire / Internet Archive |
| APMG | 20 November 2017 | Cyber Essentials Illustrative Questionnaire / Internet Archive |
| APMG | no date | Your Guide to the Cyber Essentials Questionnaire / Internet Archive |
| IASME | March 2017 | Self-Assessment Preparation Booklet 10.5 |
| QG | 25 July 2017 | Requirements for IT Infrastructure BIS 14/696/1.2 |
| QG | July 2017 | 7Elements Cyber Essentials Questionnaire v1.050 |
| QG | 2017 | IndelibleData Cyber Essentials Questionnaire v1.050 |

Version 2.2 Beacon

| Document | Date | Version (clickable link) |
|---|---|---|
| Self-Assessment Preparation Booklet | April 2021 | Beacon |

Version 3.0 Evendine

Notable update: on licensed software, a statement was added clarifying what licensed and supported means. The key statement is "The vendor must provide the future date when they will stop providing updates." link to blog post

| Document | Date | Version (clickable link) |
|---|---|---|
| Self-Assessment Preparation Booklet | April 2022 | 11d |
| Self-Assessment Preparation Booklet | July 2022 | 13a |

Version 3.1 Montpellier

| Document | Date | Version (clickable link) |
|---|---|---|
| Self-Assessment Preparation Booklet | January 2023 | 14 |

NCSC documents

| Document | Date | Version (clickable link) |
|---|---|---|
| Cyber Essentials: Requirements for IT Infrastructure | August 2020 | Version 2.1 |
| Cyber Essentials: Requirements for IT Infrastructure | April 2021 | Version 2.2 |
| Cyber Essentials: Requirements for IT Infrastructure | November 2021 | Version 3 |
| Cyber Essentials: Requirements for IT Infrastructure | April 2023 | Version 3.1 |

| Document | Date | Version (clickable link) |
|---|---|---|
| Cyber Essentials Plus: Illustrative Test Specification | April 2020 | Version 2.0 |
| Cyber Essentials Plus: Illustrative Test Specification | January 2022 | Version 3.0 |
| Cyber Essentials Plus: Illustrative Test Specification | April 2023 | Version 3.1 |

Where the scheme has been made mandatory

The intention from version 1 was that the scheme would become mandatory for Government suppliers. From the Questions section in the June 2014 Summary document:

  1. Will this be mandated by government?

Government will require all suppliers bidding for certain contracts which are assessed as higher risk to be Cyber Essentials certified. This is likely to include ICT and personal and sensitive information handling contracts.

2014 Crown Commercial (Policy note updated 26 May 2016)

https://www.gov.uk/government/publications/procurement-policy-note-0914-cyber-essentials-scheme-certification

"Cyber Essentials is for all organisations of all sizes, and in all sectors. We are making the scheme mandatory for central government contracts advertised after 1 October 2014 which involve handling personal information and providing certain ICT products and services."

Further information

The above collection of links and dates was compiled as part of a Master's Thesis for the award of MSc Cyber Security from the University of Strathclyde in 2023. The thesis can be downloaded in PDF format from the University of Strathclyde PurePortal.

The thesis makes 17 recommendations; the high-level recommendations are listed below.

Cyber Essentials recommendations

  1. Revert back to insisting on screen grabs for evidence, with guidance on what is acceptable evidence
  2. Revert back to allowing compensating controls to mitigate risk when requirements can’t be met
  3. Implement a second Delivery Partner to focus on large organisations or organisations who need greater assurance. Let IASME continue to work with SMEs
  4. If Active Directory is used then the entire AD Domain should be included when defining a sub-set
  5. If a VLAN is used to define a sub-set ensure inter-VLAN routing is disabled or, if not, that a firewall is in place
  6. A full review of the question set should be undertaken to see if parts can be simplified or consolidated – in particular the password management for firewalls questions could be moved into the Secure Configuration category
  7. Where documentation is presumed to exist, as in A5.8 “do you have a documented password policy,” ask to see it instead of just accepting yes as an answer
  8. If the organisation or sub-set has more than 500 devices then a management tool should be used to configure the security controls
  9. If the organisation or sub-set has more than 500 devices then screenshots and an explanation of how the management tool configures the controls should be provided to the assessor
  10. If a management tool is used within a sub-set then all devices connected to that instance of the management tool should be considered part of the same sub-set

CE+ recommendations

  1. Software firewalls on laptops should be checked to ensure they are on and correctly configured
  2. Use stop-and-go sampling to reduce the sample size when the management tool backs up initial findings

Communication recommendations

  1. NCSC should ensure that the Delivery Partner publish the actual test specification
  2. NCSC should follow the lead of the PCI Council and ISO 27001 in running two versions of the scheme concurrently – the newer version being best practice until the retirement of the old version
  3. Create Internal Assessors using the existing IASME coursework and exams

Asset management recommendations

  1. Define Asset Management as an explicit control
  2. Add questions asking for the source of the asset information and when it was gathered