Overview of the Standard
Cyber Essentials is a UK government-backed cyber security certification scheme developed by the National Cyber Security Centre (NCSC) to help organisations defend against the most common cyber threats. The scheme has two levels: Cyber Essentials (a self-assessment questionnaire verified by a certification body) and Cyber Essentials Plus (which adds hands-on technical verification, with external testing carried out by an authorised assessor). Since its launch in 2014, Cyber Essentials has been a mandatory requirement for UK government contracts: all government contracts that involve handling sensitive and personal information require suppliers to hold Cyber Essentials certification.
Cyber Essentials focuses on five basic security controls: firewalls (establishing a secure boundary between the internet and the internal network), secure configuration (ensuring devices are configured with secure settings), user access control (controlling who is permitted to access data and services), malware protection (defending against viruses and other malicious software) and security update management (keeping devices and software up to date). The IASME Consortium is the NCSC-appointed partner for the Cyber Essentials scheme and manages the network of certification bodies. Certification is valid for 12 months and must be renewed annually. Although the scheme originated in the UK, organisations in any region may apply for certification. Cyber Essentials Plus also includes vulnerability scanning of the external attack surface and an internal configuration review, providing a higher level of security assurance.
Five Technical Controls
Addresses approximately 80% of common cyber attacks through five key controls: firewalls, secure configuration, user access control, malware protection, and security update management.
Two Certification Levels
Offers basic Cyber Essentials (self-assessment questionnaire) and Cyber Essentials Plus (hands-on technical verification by an accredited assessor).
Government Mandate
Mandatory for UK government contracts that involve handling personal information or providing certain ICT products and services.
Five Technical Controls
- Firewalls — boundary protection and configuration
- Secure configuration — default settings and hardening
- User access control — least privilege and MFA
- Malware protection — anti-malware and application whitelisting
- Security update management — patching within 14 days
- Cloud services configuration and security
- Password policy and multi-factor authentication
Who Needs to Comply?
All UK organizations seeking a baseline level of cyber security, and any organization bidding for UK government contracts involving sensitive data or ICT services. Suitable for organizations of all sizes.
Key Requirements
Boundary Firewalls and Internet Gateways
Configure firewalls on all devices connected to the internet. Only necessary network services should be accessible, and default passwords on network equipment must be changed.
Secure Configuration
Remove or disable unnecessary software, services, and user accounts. Change default passwords and ensure devices are configured to reduce vulnerabilities.
User Access Control
Control who has access to data and services. Implement least-privilege principles, require unique user accounts, and enforce multi-factor authentication where available.
Malware Protection
Deploy anti-malware software across all endpoints, configure automatic updates, and implement application whitelisting or sandboxing to prevent execution of malicious software.
Security Update Management
Apply critical and high-risk security patches within 14 days of release. Remove unsupported software and ensure all devices run supported operating systems.
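As an added illustration (not code from the scheme or from this page), the following Python check audits a constructed patch inventory against the two requirements above: critical and high-risk updates applied within 14 days of release, and no hosts left on an unsupported operating system. All host names, update identifiers, OS names and dates are made up for the example.

```python
from datetime import date, timedelta

# Cyber Essentials window for applying critical/high-risk security updates.
PATCH_WINDOW = timedelta(days=14)
HIGH_RISK = {"critical", "high"}
AUDIT_DATE = date(2024, 4, 1)  # constructed "today" for the audit run

# Constructed sample inventory (not real data): one record per update per host.
# "applied" is None when the update has not yet been installed.
SAMPLE_UPDATES = [
    {"host": "ws-01", "update": "KB-EXAMPLE-1", "severity": "critical",
     "released": date(2024, 3, 1), "applied": date(2024, 3, 10)},
    {"host": "ws-02", "update": "KB-EXAMPLE-1", "severity": "critical",
     "released": date(2024, 3, 1), "applied": None},
    {"host": "srv-01", "update": "KB-EXAMPLE-2", "severity": "high",
     "released": date(2024, 2, 1), "applied": date(2024, 2, 20)},
    {"host": "ws-03", "update": "KB-EXAMPLE-3", "severity": "low",
     "released": date(2024, 1, 1), "applied": None},
]
SAMPLE_HOSTS = {  # constructed; "supported" = vendor still issues security updates
    "ws-01": {"os": "ExampleOS 12", "supported": True},
    "ws-02": {"os": "ExampleOS 12", "supported": True},
    "srv-01": {"os": "ExampleOS 8", "supported": False},
    "ws-03": {"os": "ExampleOS 12", "supported": True},
}

def patch_findings(updates, today):
    """Return (host, update, reason) for each critical/high update that missed
    the 14-day window: still missing past its deadline, or applied late.
    Updates that are pending but still inside the window are not flagged."""
    findings = []
    for u in updates:
        if u["severity"].lower() not in HIGH_RISK:
            continue
        deadline = u["released"] + PATCH_WINDOW
        if u["applied"] is None and today > deadline:
            findings.append((u["host"], u["update"], "missing past 14-day deadline"))
        elif u["applied"] is not None and u["applied"] > deadline:
            findings.append((u["host"], u["update"], "applied after 14-day deadline"))
    return findings

def unsupported_hosts(hosts):
    """Hosts whose OS is out of vendor support and must be upgraded or removed."""
    return sorted(h for h, info in hosts.items() if not info["supported"])

def is_compliant(updates, hosts, today):
    return not patch_findings(updates, today) and not unsupported_hosts(hosts)

if __name__ == "__main__":
    for f in patch_findings(SAMPLE_UPDATES, AUDIT_DATE):
        print("FINDING:", *f)
    print("unsupported OS:", unsupported_hosts(SAMPLE_HOSTS))
    print("compliant:", is_compliant(SAMPLE_UPDATES, SAMPLE_HOSTS, AUDIT_DATE))
```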
Penalties & Enforcement
No direct legal penalties for non-certification. However, organizations without Cyber Essentials certification are ineligible for UK government contracts involving personal data. Loss of certification may also increase cyber insurance premiums and reduce customer trust.