technologyreseller.co.uk 13 that we were over the threshold of what other people call ‘good’. “Over time, those standards might creep down but having a third-party standard you must hit, that’s being checked every six hours, is a great management tool. If we’re drifting down towards the compliance standard, it gives us impetus to pay more attention to certain areas and push things back up. That internal management element can be useful. “The other positive for a company as young as ours is that it has given us more operational maturity and forced us to formalise some processes that were informal and add routine and cadence to things that were a bit more informal. It’s been really good for us in multiple ways and accelerated our maturity as an organisation.” To find out more about Assurix, please visit assurix.com this cohort is 75 hours and the highest has been 114 hours. If you’re one or two people, you may not have a lot of the processes and governance in place already, so it’s going to take you more time. It’s not meant to be easy, because we’re a high standard.” Haley estimates Little Big Tech spent around 100 hours on the assessment process and henceforth is expecting to spend up to a day and a half every quarter on maintaining its status. He adds that the exercise has its own benefits irrespective of any commercial advantages that might be gained. “One of the nice things for us when we started the process was that when we connected all the systems that do the live verification, we were immediately green on everything. It was really pleasing for the team to know that the standards we’ve been holding ourselves to are the standards that were being suggested, and not one does more than £25 million revenue. However, Patel believes the impending Cyber Security and Resilience Bill could make larger MSPs more of a target as they will be required to comply with the Cyber Assessment Framework (CAF), which is what underpins Assurix’s security framework. Demanding process At the time of going to press two MSPs have already been verified, 54 are in active assessment, with Assurix currently doing 10 to 15 a month, and 30 are on a paid waitlist to start the assessment, a process that Patel says is deliberately demanding, with a full assessment of every single control. “We’ve been tracking internally how many hours MSPs think it will take and it really depends on the level they’re at when they start going through the process. The lowest that we’ve seen in MSPs Cyber Essentials addresses compliance-reality gap Cyber Essentials is entering a new era of accountability says Wavenet CISO Paul Colwell With more than 41,000 live Cyber Essentials and 13,000 Cyber Essentials Plus certifications held by organisations across the UK, the government-backed scheme has become a benchmark for cyber security best practice. With the latest update to the standard (known as the Danzell update), scheme administrators IASME and the National Cyber Security Centre (NCSC) are aiming to strengthen the credibility of Cyber Essentials by introducing tighter controls, more rigorous validation and increased scrutiny around how organisations implement and evidence core security measures. In particular, organisations must demonstrate that controls such as multi-factor authentication (MFA), patch management and access controls are consistently applied across their environment, rather than partially implemented or simply documented in policy. Verifiable resilience Paul Colwell, Chief Information Security Officer at Wavenet, an IASME-accredited Certification Body that supports more than 500 organisations through the Cyber Essentials process, believes these changes reflect a broader shift within the cyber security industry away from self-declared compliance and towards verifiable resilience. He said: “Cyber Essentials has always been designed to help organisations get the fundamentals right. What’s changing is the level of assurance behind it. The focus is moving away from what organisations say they’re doing towards what they can prove. That’s a positive development for the industry because it strengthens confidence in the certification and helps ensure it remains a meaningful benchmark for cyber resilience.” Stricter requirements The update also introduces stricter requirements for organisations pursuing Cyber Essentials Plus certification. Independent technical audits will place greater emphasis on patch management and remediation, with vulnerabilities identified anywhere within an organisation’s environment potentially impacting certification outcomes. Doing the basics – consistently Colwell adds that the changes highlight a broader challenge facing many organisations, notably the gap between perceived and actual cyber readiness revealed by incomplete or inconsistent MFA coverage, uneven patch management across systems, poorly defined or inadequately secured network boundaries and reliance on policy documentation without corresponding technical enforcement. He said: “Cyber Essentials has always been about protecting organisations against the most common forms of internet-based cyberattack. A large portion of cyber incidents we see still come back to the basics – patching, identity, access control and configuration management. The updated standard reinforces the importance of doing those things consistently, and that’s good news for organisations that take security seriously.” www.wavenet.co.uk Paul Colwell
RkJQdWJsaXNoZXIy NDUxNDM=