Government mandates Cyber Essentials for public-sector supply chain

Compliance with the Cyber Essentials Scheme will be mandatory for IT suppliers to government from 1 October 2014

The UK government will require IT suppliers to comply with the five security controls laid out in its Cyber Essentials Scheme (CES) from 1 October 2014.

This applies to all suppliers bidding for government contracts that involve handling sensitive and personal information.

CES was developed by government in consultation with industry and launched in June 2014. It aims to raise the cyber security bar in UK business.

The scheme was developed with the Information Assurance for Small and Medium Enterprises (IASME) consortium, the Information Security Forum and the British Standards Institution (BSI).

The developers say CES offers a sound foundation of basic cyber hygiene measures which, when properly implemented, can significantly reduce a company’s vulnerability.

The scheme’s set of five critical controls applies to all types of organisations of all sizes, giving protection from the most prevalent forms of threat from the internet.

“It is vital that we take steps to reduce the levels of cyber security risk in our supply chain,” said Cabinet Office minister Francis Maude.

“Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber attack.”

Benefits to IT suppliers

Maude said CES enables businesses to demonstrate they take the issue seriously and have met government requirements to respond to the threat.

He said gaining this kind of accreditation will demonstrate to non-government customers that a business has a clear stance on cyber security.

“Cyber Essentials is a single, government- and industry-endorsed cyber-security certification. It is accessible for businesses of all sizes and sectors to adopt, and I encourage them to do so,” he said.

Government says CES is gathering pace, with insurance firms such as AIG offering incentives to businesses to become certified. Larger organisations, such as Hewlett-Packard (HP), have begun to demand it from their own supply chains.

“Cyber Essentials helps keep businesses safe online, which is why HP has been an active supporter of the scheme from its initial concept,” said Stuart Bladen, regional vice-president and general manager, UK public sector, HP enterprise services.

“Our extended supply chain of differing business types, including a large SME community, can get affordable cyber security assurance to protect their own and HP intellectual property and information, and that of customers.

“For this reason HP UK Public Sector has written to its entire supply chain explaining the merits of the certification and notifying our intention to require them to adopt this scheme.”

Other early adopters of the CES include BAE Systems, Barclays, Vodafone and the Confederation of British Industry (CBI), as well as small businesses like Databarracks, Nexor, Tier 3 and Skyscape.


The five Cyber Essentials controls:

  1. Secure configuration
  2. Access control
  3. Malware protection
  4. Patch management
  5. Firewalls and internet gateways

Commercial incentive

To ensure the scheme is flexible and affordable, there are two levels of assurance available – Cyber Essentials and Cyber Essentials Plus.

Organisations assessed as successful in meeting the scheme’s requirements are awarded a certificate and are entitled to display the appropriate Cyber Essentials or Cyber Essentials Plus badge on their marketing material.

Helping to meet the demand for businesses wanting to get Cyber Essentials is a new accreditation body, QG, which joins Crest and the IASME Consortium in appointing firms who can certify company applications.

The government said mandating Cyber Essentials will provide further protection for the information the government handles and will encourage wider adoption of the scheme.

“Driving CES principles through the supply chain is a good way of providing commercial incentives to help raise the bar on cyber security,” said Adrian Davis, managing director for Europe at (ISC)².

“Every time a supplier bids for a contract they will be checked to see if they comply with the principles set out in the CES,” he told a roundtable hosted in London by managed IT services firm Networks First.

This approach will help discourage suppliers from being irresponsible about cyber security, said Geraint Price, information security group lecturer at Royal Holloway University.

“If a supplier decides to do things badly or cheaply, that affects the whole supply chain, but there have been no incentives to do the right thing in the past,” he said.  
