Becoming a Certifying Body
A Certifying Body is a company that has been accredited by an Accreditation Body, such as CREST, to assess and certify organisations under the Cyber Essentials scheme. A company can only become a Certifying Body under CREST if it becomes a member and meets our stringent requirements which include access to one or more individuals that hold the required Cyber Essentials assessors' qualifications. To join CREST, companies need to have:
- Demonstrated appropriate levels of quality assurance processes, security controls, security assessment methodologies and met additional qualification criteria;
- Signed an enforceable CREST Code of Conduct;
- Proven access to technically competent and appropriately qualified staff;
- Committed to adhering to the requirements of Certification Bodies for the Cyber Essentials Standard.
CREST member companies that offer Cyber Essentials services have gone through a supplementary company assessment that ensures they meet the contractual obligations of this Scheme. Additionally, CREST requires the scanning solutions used for vulnerability scanning to meet certain minimum requirements, and this is validated by each company performing a Cyber Essentials style test against an internet-visible CREST Assault Course, followed by the production of a Cyber Essentials report using its normal procedures, reporting formats and so forth.
Organisations that are considering becoming a Certifying Body under CREST should contact us to start the process which begins with the signing of a mutual NDA to allow the membership application form to be released. The application form outlines the Cyber Essentials testing criteria that must be met. Upon successful accreditation to CREST as a Certifying Body, an organisation will be given access to information covering:
- The tests to be undertaken
- The content of test reports
- Guidance on the functionality for some common tools
- The criteria for granting certification
- The content of certificates
All of the CREST documents used to run practical Cyber Essentials assessments are based on the NCSC specification.
Changes to the Scheme Operating Model
The NCSC is planning changes to the Cyber Essentials commercial operating arrangements as part of its process to transform its commercial assurance schemes.
Since Cyber Essentials was introduced in 2014 with the support of CREST, the NCSC has been studying the pros and cons of the scheme from an end-consumer perspective. It also conducted a series of consultation workshops earlier this year. The NCSC believes that one of the key messages from this exercise is that the current operating model is too complicated for a large part of the target audience. As a result, the NCSC has initiated plans to simplify its commercial arrangements.
There are currently five Accreditation Bodies (ABs), including CREST, that operate the Cyber Essentials scheme on behalf of the NCSC, and this project may result in a reduction in the number of ABs.
The NCSC will be working closely with CREST and other ABs to agree arrangements for the transition and the planned timescale is as follows:
- Expression of Interest issued by the end of September 2018
- ITT issued by the end of January 2019
- New commercial arrangements in place by July 2019
- Existing AB contracts end December 2019
Guidance notes for the transition period will be issued by NCSC by the end of 2018.
CREST will be responding to the Expression of Interest with a view to submitting a response to the ITT when it is issued. In the meantime, we will continue to support our CBs and keep them informed of any updated information. The Cyber Essentials Scheme will continue without any disruption.