CREST works with UK Government to roll-out Cyber Essentials
CREST certifies the first companies to deliver Cyber Essentials assessment
5 June 2014: The UK Government has today announced the launch of its Cyber Essentials Scheme, following successful pilot assessments, managed and reviewed by CREST, the not-for-profit organisation that represents and certifies the technical information security industry. Details of the first security companies accredited by CREST to deliver Cyber Essentials assessment services are available at: www.cyberessentials.org/companies
Universities and Science Minister David Willetts said: “The recent GOZeuS and CryptoLocker attacks, as well as the Ebay hack, shows how far cybercriminals will go to steal people’s financial details, and we absolutely cannot afford to be complacent. “We already spend more online than any other major country in the world, and this is in no small part because Britain is already a world leader in cybersecurity. Developing this new scheme will give consumers further confidence that business and government have defences in place to protect against the most common cyber threats.”
The Cyber Essentials Scheme is part of UK Government’s National Cyber Security Strategy and provides an independent assessment of the essential security controls that organisations need to have in place to mitigate risks from internet-borne threats. Systems that fall within its scope include internet connected end-user devices such as desktop PCs, laptops, tablets and smartphones, and internet connected systems including email, web and application servers. By successfully going through a Cyber Essentials assessment, organisations not only lower their risk of serious data and financial loss, but by displaying the Cyber Essentials badge they demonstrate to customers that they have taken steps to be fundamentally cyber safe.
CREST has worked alongside CESG, the Information Security arm of GCHQ, to develop the assessment framework for Scheme. As part of this engagement, CREST defined the policy, procedures and requirements for companies that will provide certification services under the Cyber Essentials Scheme. CREST has also produced the syllabus areas and examination structures that underpin the Scheme. In addition, through its members, CREST planned, conducted and reviewed the early Cyber Essentials pilot assessments.
“Not all organisations have the resources available to invest in the most rigorous levels of information security and compliance. Cyber Essentials addresses this by creating a baseline for UK cyber security,” explains Ian Glover president of CREST. “By assembling and working with a forum of industry and technical experts, CREST has built an assessment framework optimised for the Cyber Essentials Scheme that will ensure organisations of all sizes and from all sectors can be properly and independently assessed to have the key technical controls in place to manage cyber risks.”
For more information visit: www.crest-approved.org/industry-government/cyber-essentials/
About CREST – www.crest-approved.org
CREST is a not-for-profit organisation that represents the technical information security industry. As part of this, CREST provides internationally recognised certifications for organisations and individuals providing penetration testing, cyber incident response and security architecture services.
CREST member companies must undergo a rigorous assessment and certification process that looks at methodologies, legal and regulatory standards, staff vetting and data handling. CREST qualified individuals have passed rigorous professional level examinations that demonstrate their knowledge, skill and competence. The company assessment and individual qualifications are underpinned by meaningful and enforceable code of conduct. All examinations and processes have been reviewed and approved by CESG, the Information Security arm of GCHQ
By setting these demanding standards, CREST gives organisations buying penetration testing or cyber security incident response services the confidence that the work will be delivered by trusted companies and qualified individuals with up-to-date knowledge, skills and competencies to the mitigate threats from the latest vulnerabilities and attack techniques.
The CREST Cyber Security Incident Response Scheme (CSIR) is endorsed by GCHQ and CPNI. The scheme focuses on appropriate standards for incident response aligned to demand from all sectors of industry, the public sector and academia.
The CREST Security Architecture examination is formally recognised under the UK CESG Certified Professional Scheme.
