Reform of Cyber Essentials Scheme

Tuesday 2nd July 2019

The National Cyber Security Centre (NCSC) is set to reform the Cyber Essentials Scheme in the UK. You can read further details here: https://www.ncsc.gov.uk/blog-post/bare-essential. The reform includes plans to:

  • move away from the current five accreditation bodies to one delivery partner at the end of March 2020;
  • introduce new minimum criteria for certification bodies and assessors; and
  • introduce a 12-month expiry date for all certificates awarded under the scheme.

The NCSC are also deliberating whether to introduce advisory services alongside the scheme, and whether there is a need for additional levels of cyber assessment, both below and above the current options of Cyber Essentials (the self-certification scheme) and Cyber Essentials Plus (verified by independent experts).

Ryan Gracey, head of digital and technology at Gordons, says: “Organisations should take note that the Cyber Essentials Scheme isn’t aligned with any legal standard for cybersecurity under UK law, such as the GDPR or the Network and Information Systems Regulations. So achieving certification under the scheme alone does not mean you will be regulatory compliant. However, the UK ICO does recommend Cyber Essentials as a good starting point for the cybersecurity of an organisation’s IT infrastructure holding personal data.”