About Cyber Essentials
Cyber Essentials is a UK government-backed framework designed to help organisations protect themselves against common threats. It is built on five key components that, when implemented correctly, can reduce cyber risk. The five key components are:
- Firewalls and Boundary Devices
- Secure Configurations
- Access Control
- Malware Protection
- Patch Management
Cyber Essentials provides a basic cyber security foundation that can serve as a stepping stone to a more comprehensive zero-trust approach. A Cyber Essentials Plus certification is also available; it requires that an accredited certification body conduct an on-site or remote audit to verify compliance.
Zero-trust and the Cyber Essentials
Cyber Essentials discusses zero-trust and aligns with some of its principles, but it is not a zero-trust framework. Zero-trust is based on the principle of "never trust, always verify".
Elements of Cyber Essentials that overlap with zero-trust are:
- Access Control
- Secure Configuration
- Malware Protection
- Patch Management
Cyber Essentials does not enforce zero-trust because:
- There is no mandate for continuous verification/authentication beyond the initial login.
- Cyber Essentials does not require network segmentation, or granular access control beyond a basic firewall.
- Cyber Essentials has no explicit identity and device verification requirements, which zero-trust emphasises with device trust and behavior analytics.
Cyber Essentials provides a solid starting point for zero-trust, but does not fully implement zero-trust. Organisations that are considering zero-trust principles should also add necessary additional layers like authentication, micro-segmentation, and real-time continuous monitoring into their cyber security strategy.