Cyber Essentials – ISO, DEFCON 658 and other commonly asked questions
The following article answers a handful of commonly asked questions about Cyber Essentials: what to do if your organisation already holds an ISO certificate, whether you can bid on MOD contracts without Cyber Essentials, and what DEFCON 658 means for sub-contractors.
What is Cyber Essentials?
Cyber Essentials is a Government-backed, industry-supported scheme that helps organisations protect themselves against the most common online threats. It is built around five basic technical controls: boundary firewalls, secure configuration, user access control, patch management and malware protection.
I have an ISO certification. Why do I need Cyber Essentials?
This question comes up regularly in relation to Cyber Essentials certification. Companies that already hold an ISO certification (typically ISO 27001) often assume they do not need Cyber Essentials, but that is not the case.
Any supplier looking to win a Ministry of Defence contract that involves handling MOD identifiable information will need Cyber Essentials. It does not matter whether they hold ISO 27001 or any other audited compliance standard. The MOD treats Cyber Essentials as a separate requirement from any other security controls a supplier may have: ISO 27001 certifies that a management system exists, whereas Cyber Essentials checks that a specific set of technical controls is actually in place, so one does not substitute for the other.
What if I don’t have Cyber Essentials but bid on a MOD contract?
On occasion, a supplier may enter a bid with the MOD without Cyber Essentials in place and still win the contract. However, a Cyber Implementation Plan (CIP) must then be agreed between the buyer and the supplier, setting out, among other things, the timeline by which the supplier will achieve Cyber Essentials certification. If the supplier fails to meet the plan, the award can be revoked.
Applying for MOD contracts as a sub-contractor since DEFCON 658
Since the release of DEFCON 658 in October 2017, any buyer looking to sub-contract an opportunity must first assess it against the MOD's Cyber Risk Profile, which assigns the contract a risk level (the scheme's levels run from Very Low through Low and Moderate to High). The project leader on the buyer's side completes the cyber risk assessment, which produces the RAR (Risk Assessment Reference) indicating the level of cyber risk associated with the project.
The supplier is then given that reference and must complete a Supplier Assurance Questionnaire to confirm whether their existing controls meet the requirements for that risk level. Where they fall short, a Cyber Implementation Plan may be required if the supplier is awarded the tender. Note that the same obligation flows down the supply chain: a supplier that sub-contracts part of the work becomes the buyer for that sub-contract and must carry out its own risk assessment.
What would you like to know?
Do you have a question about Cyber Essentials? Let us know at firstname.lastname@example.org and we will provide the answers in a future article.
Cyber Essentials Certification – Download the Scheme Summary
The Government estimates that the Cyber Essentials controls protect against around 80% of common cyber attacks. Certification is also a mandatory requirement for organisations wishing to win MOD business that involves MOD identifiable information, and it can help your organisation prepare for and defend itself against malicious cyber attacks, regardless of the sector you operate in.