13 June 2019
Strengthening and developing the Cyber Essentials scheme
Five years after its launch, the NCSC has reviewed the Cyber Essentials Scheme. Through practical experience of operating the scheme we identified some areas within the existing approach that could be improved. To bring these improvements to the scheme we will be sourcing a Cyber Essentials Partner with the aim of:
- refreshing the service
- increasing accessibility
- providing a simpler path to certification
This will ensure that Cyber Essentials keeps pace with the changing nature of the cyber security threat, and remains relevant to meet future demands.
Frequently Asked Questions
Why does Cyber Essentials need to change?
Running the Cyber Essentials certification scheme has identified a lack of consistency and an unnecessarily complicated experience for customers. We want to keep it simple.
What approach have you chosen?
We'll identify a new Cyber Essentials Partner who will work with us to enhance and develop Cyber Essentials.
What are you trying to achieve?
By working with a Partner, we'll be able to refresh the service to increase accessibility and provide a simpler path to certification.
How long will this change take?
Once the new Cyber Essentials Partner contract has been awarded, the exact transition time frame will be agreed. We expect this will take approximately 6 months.
When will these changes be implemented?
The new Cyber Essentials commercial model is expected to be in place by April 2020. The exact date will be agreed once the new Cyber Essentials Partner contract has been awarded.
What communications are the NCSC putting in place?
We'll start by using the website which will be regularly updated to keep you informed of developments. Once we have our new partner we will work with them to provide consistent, regular updates, circulated through the appropriate channels.
Why are these changes necessary now?
These changes will ensure that Cyber Essentials keeps pace with the changing nature of the cyber security threat, ensuring UK businesses are safer to do business online.
Are there any cost implications?
Government requires that Cyber Essentials remains affordable and accessible. The new commercial model will also follow this requirement.
What will happen to today's Certification Bodies?
The knowledge and experience of Certification Bodies, has been invaluable to the growth of the Cyber Essentials Scheme. Once in place, the new Cyber Essentials Partner will engage with current Accreditation Bodies regarding the next steps for existing Certification Bodies. All existing Certification Bodies will be encouraged to apply to the new Cyber Essentials Partner to continue providing Cyber Essentials as part of the revised scheme.
From 1 April 2020 existing Accreditation Bodies will not be appointing new Certification Bodies.
Note: Some of the existing Accreditation Bodies have now ceased taking on new Certification Bodies.
Should I continue with my plans to certify, or re-certify, given the Scheme is changing?
Yes. If you haven't consciously implemented Cyber Essentials, you could be vulnerable to attack now. Take a look at the Cyber Essentials website and consider getting started today!
Will I have to re-certify against a different technical standard?
At the moment, there are no plans to change the technical standard. However, we will continue to review the technical controls and ensure they keep pace with the ever-changing cyber security landscape.
How will current certificates be handled under the new commercial model?
- After April 2020, new applications will be handled under the updated Cyber Essentials Scheme.
- If you are in the process of going through certification (but haven't completed the process by April 2020), then you will have until 30 June 2020 to complete your application.
- Further details will be released in due course and circulated through the appropriate channels.
What will happen to Accreditation Bodies when the new Cyber Essential Partner is on board?
The current Accreditation Bodies will deliver Cyber Essentials until their current contracts have completed. Please contact your Accreditation Body for more information as they will be continuing to deliver their business as usual services.
Where can I find more information?
For more information, please refer to the Cyber Essentials website. We'll let you know about future developments by updating these FAQs, and through other channels. If you have any feedback or questions then please use the General enquiries page.