Cyber Essentials isn’t one-size-fits-all: learning how to achieve certification in an efficient, effective manner

As educational institutions continue their journeys to innovate and expand in the digital space, it’s natural that the importance of keeping on top of their cyber security posture similarly grows alongside. Tasked with maintaining the security and safety of their staff and students, as well as the personal and professional data thereof, universities have a continuing responsibility to keep up with the latest cyber security developments, and ensure they are able to respond appropriately where necessary.

As part of evidencing this commitment, institutions are also increasingly tasked with achieving certain related certifications or accreditations in order to qualify for funding from – or partnerships with – outside organisations. Of these certifications, Cyber Essentials is by far the most prevalent; its government backing and focus on solid cyber security foundations has led to it becoming a prerequisite for partnerships with government organisations, and many research grants.

Faced with the pressing need to achieve Cyber Essentials in order to continue participating in these schemes, institutions most commonly place the onus of achieving certification on their own internal IT or Security team – resources that all too often don’t have the bandwidth or prior experience needed to tackle the problem while simultaneously maintaining critical everyday operations. Matters are further complicated by the large, sprawling IT estates that many institutions are dealing with – and have limited visibility into – which can form a major roadblock in planning what efficient and effective Cyber Essentials compliance may look like.

Unlike some other security standards, Cyber Essentials asks the organisations themselves to define for themselves exactly what is considered ‘in scope’ for the certification. As a result, such complex estates can also cause issues when attempting to cleanly delineate the certification’s scope. In some ways, the institution has a lot of leeway in deciding exactly how much to bite off before attempting to achieve the certification – and one approach could be to scope down to the smallest subset of their estate possible, to make passing certification as achievable as possible. However, as the scope Cyber Essentials applies to is displayed in the certification itself, the practical value of that certification will be similarly limited.

As a result, there is a delicate balance to be struck in attempting to include as much of an institution’s estate as possible – in order to increase the certification’s value – while avoiding taking on so much that achieving the certification is no longer feasible. With estates that can encompass complex architecture and thousands of devices, building a clear picture of what this looks like can be a daunting task. However, it’s vital that institutions are able to identify and understand the implications of their chosen scope, and what they stand to lose and gain by their choice.

There’s also the matter of interpreting the requirements of the Cyber Essentials question set themselves. How the institution interprets these questions will have major implications on the efforts required to answer them satisfactorily, and unless the institution has access to staff or an outside partner with existing knowledge of the process, they may inadvertently increase their workload by attempting to satisfy requirements that could potentially be achieved more efficiently with another approach. Combined with this is the fact that stakeholders and teams within the institution are rarely set up for meeting such requirements, and will have myriad other duties and responsibilities that need their attention at the same time as the institution is attempting to get to grips with certification.

As a digital consultancy, ITGL has helped many organisations in the Education sector and beyond to not just prepare for Cyber Essentials, but to do so in the most efficient and practical manner possible. Our teams have helped institutions identify and delineate the most valuable areas to include within their scope, and separate them from areas that would take prohibitive amounts of time and resources to incorporate. Our experts can deliver reliable interpretations of Cyber Essentials questions that are tailored to the specific context of the institution in question, backed by the definitive guidance of our own in-house qualified Cyber Essentials assessor.

What’s more, bringing in an outside partner for this purpose can help an institution to identify opportunities within their estate to bolster cyber security – even beyond the confines of Cyber Essentials certification. These ‘quick wins’ can deliver meaningful security benefits to the institution with immediate effect, while preparing the ground for full Cyber Essentials certification. Then, should the institution be looking to go one step further and achieve Cyber Essentials Plus, partners like ITGL can provide full dry-runs of the auditing process to give the institution confidence that their responses are accurate, effective, and will achieve a positive result.

To find out more about our work around Cyber Essentials and other security certifications, you can reach out to one of our security experts at security@itgl.com, and we’ll organise a meeting to discuss your unique circumstance and requirements.