Cyber Essentials – has to be owned at the top – why is this important?

The Cyber Essentials Scheme self assessment questionnaire is signed by a board level member before submission to a certification body for approval.  Why is this so important?

Cyber Essentials is the government backed scheme designed to be a base line for cyber security that companies should adopt to protect themselves from 80% of the most common internet threats. The completed self assessment questionnaire attests that the organisation meets the requirements of the Cyber Essentials Scheme, importantly this must be approved by a Board member or equivalent, before it is verified by the certification body.

Why executive level approval is so important for Cyber Essentials

Leaving the completion of the Cyber Essentials questionnaire to the IT department or IT provider without knowing how the controls are implemented, effectively delegates responsibility – with something as important as the cyber security of an organisation, this has to be owned at the top.

When a breach happens it is not the IT department or IT provider that has to inform customers, suppliers, employees or the Information Commissioners Office, it is the board. If they have not asked the right questions, and, by the way, asking  “have you got cyber security covered?” to your IT company or IT manager is not the right question, then they are putting their customers, suppliers, employees and the future of their companies at risk.  This is so important, and the threats so real, that it has to be a priority at board level.

Dido Harding did not appear to make cyber security a priority before the Talk Talk breach, but talking to a Parliament committee subsequently she said she was responsible for security at the time of the hack and that this was a board level issue.

Why Cyber Essentials is the perfect opportunity to start asking the right questions

Completion of the Cyber Essentials self assessment questionnaire provides the perfect opportunity for senior board members to start taking ownership for cyber security, to understand and challenge each control and ask for evidence that the following controls are being taken care of:

  1. Boundary firewalls and internet gateways
  2. Secure configuration
  3. Access control
  4. Malware protection
  5. Patch management

If this seems daunting then get some independent expert advice to help you understand what questions you should be asking, this is so important, which is why it has to be owned at the top.

Read more about Cyber Essentials

[pdf-embedder url=”//” title=”Cyber Essentials scheme-summary”]


 Securious is a cyber security compliance company based in Devon serving businesses and organisations across the South West and beyond. We offer rapid Cyber Essentials certification, ISO 27001 Compliance and PCI DSS Compliance as well as PEN testing (penetration testing) and cyber security consultancy.