U.K. Cyber Essentials Simple Assessment Tool

Back to Blog
14Jul2020

U.K. Cyber Essentials Simple Assessment Tool

I recently came across the U.K.’s Cyber Essentials, as published by the National Cyber Security Centre (NCSC). Not two days after I learned about this simple control framework while on a conference call spanning several time zones with friends from around the world, that I received this email from a fan in my inbox:

Alex, I really enjoyed your recent assessment tool for the CIS Controls, and your publication on the Australian Essential Eight! Have you ever looked at the Cyber Essentials from the U.K.? We reference it here across the pond for consulting with small business customers… [abbreviated for length] …but would you consider adapting your CIS assessment tool for use with the Cyber Essentials? –James

When the universe puts something at my feet twice in one week, that’s enough for me to act on it. So this weekend I threw this thing together, following the documentation available at NCSC’s website, where they describe the technical requirements (i.e. sub-controls) for each of the five Essentials:

  1. Use a firewall to secure your internet connection
  2. Choose the most secure settings for your devices and software
  3. Control who has access to your data and services
  4. Protect yourself from viruses and other malware
  5. Keep your devices and software up to date

Now the very interesting thing about this framework is that, at the present time, it does not consider cloud-hosted SaaS applications as “in scope.”

This would seem to exclude Microsoft 365, however, I would suggest that any person following this assessment in the U.K. or elsewhere would be a fool not to apply at least some aspects to Microsoft 365 where relevant, for example the requirement to protect accounts with 2FA where possible, or to document who has access to your systems. As well, remember that you can leverage services such as Microsoft Endpoint Manager (Intune) to apply secure configurations to devices and applications–which would help you to meet some of the other items here.

So yes, this framework appears to be ready for an update–for example the fact that firewalls hold such a prominent position on this list, in this day and age, seems quaint, and there is much that could be said about securing your SaaS products, especially with regards to identity! Nevertheless and criticisms aside, there is some common overlap between all of these frameworks. Yes–the CIS is definitely the more “complete” framework, but really important stuff like patching, the principle of least privilege, whitelisting and multi-factor always make the list.

I am not sure what James meant by ‘adapt my CIS assessment tool‘–so I just created a new workbook in the same style as the first! I also included a column for Mapping to CIS Controls as a reference.

Click here to download your free copy of the U.K. Cyber Essentials tool

Update: I just learned from another reader, about another miniature framework that is used by the U.K. government that is a bit broader and contains some really good stuff in 10 major controls, which are broken into groups by NIST CSF function (Identify, Protect, Detect, Respond and Recover). It is called the Minimum Cyber Security Standard. I like this a lot more than the Cyber Essentials, which as I mentioned feel a bit dated. I may even work on updating this spreadsheet so that it contains tabs for both. Thanks, Vinny!

Question, Technical , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

18Feb

How-to migrate Email from Small Business Server 2008/2011 or Exchange Server 2007/2010 to Office 365 with Zero Downtime

Update: Please refer to this newer article. Some of the details here are very dated--like there is no hybrid key anymore--and the activation only works on 2016, not 2019, plus we have minimal hybrid now, etc., etc. A "minimal hybrid" approach is preferred if you're... read more
22Dec

Reader question: Do you recommend Defender in place of third-party antivirus or security tools?

It feels like it has been a while since I addressed a reader question on the blog. This is one I get frequently, all the more so in recent months since Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) became available as a standalone subscription... read more
01Jul

The Azure AD Best Practices Checklist

Update: Downloadable/printable copies of the Microsoft 365 Best practices checklists and guides are now available. Thanks for your support! Disclaimer: This checklist is NOT a comprehensive overview of every consideration when implementing Azure AD. For instance, the list was built with a typical SMB/SME in mind.... read more
14Jul

Remove SBS 2008 or SBS 2011 Source Server from the domain

Sorry Old Yeller--I know you were a faithful companion for many years--but it's time to put you down, buddy. I usually wait until the end of the migration project for this. There is no harm leaving the old server as-is for the duration of the project while you finish migrating... read more
04Mar

Migration paths to Microsoft 365: Devices before data??

I have literally written the book on this topic, but one question I did not directly address is the order in which you might migrate the various workloads from traditional infrastructure to Microsoft 365. First, just know that you can tackle your migration in whatever order... read more
Unboxing MDB, part 3: ASR rules
12Feb

Unboxing Defender for Business, Part 3: Attack Surface Reduction rules

If you haven't been following this series, let me catch you up. First, understand that Microsoft recently made a huge announcement: their enterprise-class endpoint security solution, known as Microsoft Defender for Endpoint, has been re-packaged and released for the SMB (and included in the popular... read more
18Apr

How to migrate company file shares and mapped drives to Office 365 using the SharePoint Migration Tool

I debated on writing about this tool for a long time. Because here's the thing: most file servers in production today are just huge garbage piles, built out of years of half-completed thoughts and haphazard document collaboration. Therefore, before we get into it, I first... read more
Fast and Free Incident Response Tools in Microsoft 365
09Jul

Fast and Free Incident Response Tools in Microsoft 365

As part of the SquareOne Summer Security Series, our group recently explored the topic of Incident Response in Microsoft 365. This was a very well-received course, and I felt a blog post was in order to cover off on some of the important content from... read more
08Mar

Reading the fine print for Data Loss Prevention (DLP) in Office 365

After implementing DLP policies in your organization, you might consider testing it out. Let's say you implemented Microsoft's DLP policy for identifying U.S. Social Security Numbers, which are a nine-digit string of numbers, often formatted XXX-XX-XXXX (sometimes with dashes, sometimes without).  You decide to draft... read more
07Mar

Azure Rights Management with EMS vs. RMS with Office 365

The purpose of Azure Rights Management Services is to allow users to encrypt certain files and messages for sharing safely only with those colleagues and business associates whom they choose. You can obtain Azure RMS licensing separately or with an EMS subscription, but if you have... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me