Standard Overview
Cyber Essentials is a UK government-backed cyber security certification scheme, now operated by the National Cyber Security Centre (NCSC). Launched in June 2014, it gives organisations a clear, practical framework for defending against the most common internet-borne threats. The scheme centres on five technical controls which, when implemented correctly, are estimated to prevent around 80% of common cyber attacks.
Two certification levels are offered: Cyber Essentials (a verified self-assessment questionnaire) and Cyber Essentials Plus (hands-on technical verification by an accredited certification body). Certification is valid for 12 months. The scheme is administered by IASME as the NCSC's official delivery partner, with more than 400 accredited certification bodies across the UK. Since October 2014, Cyber Essentials has been mandatory for UK central government contracts that involve handling personal information or providing certain ICT products and services.
Five Technical Controls
Addresses approximately 80% of common cyber attacks through five key controls: firewalls, secure configuration, user access control, malware protection, and security update management.
Two Certification Levels
Offers basic Cyber Essentials (self-assessment questionnaire) and Cyber Essentials Plus (hands-on technical verification by an accredited assessor).
Government Mandate
Mandatory for UK government contracts that involve handling personal information or providing certain ICT products and services.
Five Technical Controls
- Firewalls — boundary firewalls and internet gateways, with only justified inbound services exposed
- Secure configuration — removing unneeded software and accounts, changing default settings and passwords
- User access control — unique accounts, least privilege, separate administrative accounts, MFA
- Malware protection — anti-malware software or application allow listing (whitelisting)
- Security update management — critical and high-risk fixes applied within 14 days of release
Cloud services used by the organisation are in scope of all five controls, and the password policy and multi-factor authentication requirements sit under user access control rather than forming separate controls.
Who Needs to Comply?
All UK organizations seeking a baseline level of cyber security, and any organization bidding for UK government contracts involving sensitive data or ICT services. Suitable for organizations of all sizes.
Key Requirements
Boundary Firewalls and Internet Gateways
Protect every internet connection with a boundary firewall or internet gateway, and run a host-based firewall on devices that connect through untrusted networks such as public Wi-Fi. Expose only network services that have a documented business need, block unauthenticated inbound connections by default, and change the default administrative passwords on all network equipment.
Secure Configuration
Remove or disable unnecessary software, services, and user accounts. Change default passwords, disable auto-run features that execute files without user authorisation, and configure devices so that their attack surface is as small as the business allows.
User Access Control
Control who has access to data and services. Give each user a unique account, remove accounts promptly when they are no longer needed, keep administrative accounts separate and use them only for administrative tasks, apply least privilege, and enforce multi-factor authentication wherever the service supports it (always for cloud services).
Malware Protection
Deploy anti-malware software on all in-scope devices and keep its signatures and engine updating automatically, or prevent execution of unapproved code through application allow listing (whitelisting) or sandboxing. Malware protection must also cover files downloaded and web pages visited.
Security Update Management
Apply critical and high-risk security updates within 14 days of release, enable automatic updates where the software supports them, and remove software that no longer receives security updates. Every in-scope device must run a vendor-supported operating system.
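The five requirements above are checkable against an asset inventory before paying for an assessment. The following is an added illustration of such a pre-check, not NCSC or IASME tooling and not code from the scheme's documents. The device and account records, the assessment date, and the field names are all constructed for the example; a real inventory would come from an endpoint management or vulnerability scanning tool.

```python
"""Pre-check of a constructed asset inventory against the five Cyber Essentials
controls. Added illustration only: not NCSC or IASME tooling, and every device,
account and date below is made up."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

PATCH_SLA_DAYS = 14                      # critical/high fixes: within 14 days of release
PATCH_SEVERITIES = {"critical", "high"}  # severities the 14-day limit applies to


@dataclass
class Device:
    name: str
    os: str
    os_supported: bool                             # vendor still issues security updates
    anti_malware: bool                             # anti-malware or allow listing in place
    default_admin_password_changed: bool
    inbound_services: dict[str, str]               # "port/service" -> documented justification
    pending_patches: list[tuple[str, str, date]]   # (package, severity, release date)


@dataclass
class Account:
    user: str
    is_admin: bool
    used_for_daily_work: bool
    mfa_enabled: bool
    cloud_service: bool


def check_firewalls(dev: Device) -> list[str]:
    """Every reachable inbound service needs a written business justification."""
    return [f"{dev.name}: inbound {svc} has no documented justification"
            for svc, why in dev.inbound_services.items() if not why.strip()]


def check_secure_configuration(dev: Device) -> list[str]:
    return ([] if dev.default_admin_password_changed
            else [f"{dev.name}: default administrative password still in use"])


def check_user_access_control(accounts: list[Account]) -> list[str]:
    findings = []
    for a in accounts:
        if a.is_admin and a.used_for_daily_work:
            findings.append(f"{a.user}: administrative account used for day-to-day work")
        if a.cloud_service and not a.mfa_enabled:
            findings.append(f"{a.user}: cloud service account without MFA")
    return findings


def check_malware_protection(dev: Device) -> list[str]:
    return [] if dev.anti_malware else [f"{dev.name}: no anti-malware or allow listing"]


def check_security_updates(dev: Device, today: date) -> list[str]:
    """Unsupported OS, or a critical/high fix older than the 14-day limit."""
    findings = []
    if not dev.os_supported:
        findings.append(f"{dev.name}: unsupported operating system {dev.os}")
    for pkg, sev, released in dev.pending_patches:
        age = (today - released).days
        if sev.lower() in PATCH_SEVERITIES and age > PATCH_SLA_DAYS:
            findings.append(f"{dev.name}: {sev} fix for {pkg} outstanding {age} days "
                            f"(limit {PATCH_SLA_DAYS})")
    return findings


def assess(devices: list[Device], accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Return findings grouped by control; an empty list means no gap found."""
    report = {
        "Firewalls": [], "Secure configuration": [],
        "User access control": check_user_access_control(accounts),
        "Malware protection": [], "Security update management": [],
    }
    for d in devices:
        report["Firewalls"] += check_firewalls(d)
        report["Secure configuration"] += check_secure_configuration(d)
        report["Malware protection"] += check_malware_protection(d)
        report["Security update management"] += check_security_updates(d, today)
    return report


# Constructed sample inventory (hypothetical hosts and users).
TODAY = date(2024, 5, 1)
DEVICES = [
    Device("fileserver-01", "Windows Server 2019", True, True, True,
           {"445/smb": "internal file shares, not internet-exposed", "3389/rdp": ""},
           [("openssl", "high", date(2024, 4, 10)), ("libfoo", "low", date(2024, 3, 1))]),
    Device("laptop-07", "Windows 10", True, False, True, {}, []),
    Device("legacy-box", "Windows 7", False, True, False, {"23/telnet": ""}, []),
]
ACCOUNTS = [
    Account("alice", False, True, True, True),
    Account("alice-admin", True, False, True, False),
    Account("bob", False, True, False, True),
    Account("shared-admin", True, True, False, False),
]

if __name__ == "__main__":
    for control, findings in assess(DEVICES, ACCOUNTS, TODAY).items():
        print(f"{control}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Note that the "low" severity patch is deliberately ignored: the 14-day limit applies to critical and high-risk fixes, although the scheme still expects other updates to be applied in a timely way. A real pre-check would also verify that automatic updates are enabled and that anti-malware signatures are current, which this inventory does not record.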
Penalties & Enforcement
There are no direct legal penalties for not holding certification. However, organisations without Cyber Essentials cannot bid for the UK government contracts that require it, typically those involving personal data or ICT products and services. Certification is also widely expected by insurers and customers, so letting it lapse can raise cyber insurance premiums and weaken customer trust.