Any organisation submitting tenders to local or central government in the UK will now need to prove they meet the new Minimum Cyber Security Standard, but what is it and how do you demonstrate your compliance?
What is the minimum Cyber Security Standard?
Developed by the UK Government in collaboration with the National Cyber Security Centre (NCSC), this new standard is the latest effort to combat the risks posed by poor cyber security. It imposes certain requirements on Government departments, as well as suppliers, agencies, and contractors.
But, although the Minimum Cyber Security Standard (MCSS) sets a minimum requirement on these bodies, the text also states that all parties should look to exceed the requirements wherever possible, and that the requirements will be heightened as time goes on.
What does the Minimum Cyber Security Standard require?
The MCSS is broken down into nine standards:
IDENTIFY
1) Put in place appropriate cyber security governance processes
This involves establishing clear lines of responsibility and accountability, identifying and managing significant risks to sensitive information, and ensuring that senior accountable individuals receive appropriate training. The standard specifically highlights these individuals should be senior, perhaps to ensure that accountability isn’t delegated to junior employees.
2) Identify and catalogue any sensitive information being held
Organisations are expected to know and record:
- what sensitive information they hold or process
- why they hold or process that information
- where the information is held
- which computer systems or services process it
- the impact of its loss, compromise or disclosure
3) Identify and catalogue the key operational services being provided
Organisations are expected to know and record:
- what their key operational services are
- what technologies and services their operational services rely on to remain available and secure
- what other dependencies the operational services have (power, cooling, data, people etc.)
- the impact of loss of availability of the service
4) The need for users to access sensitive information or key operational services shall be understood and continually managed
This essentially requires that anyone in your organisation is only given the minimum required access to sensitive information required to perform their job, and that such access is revoked when they leave their role.
PROTECT
5) Access to sensitive information and key operational services shall only be provided to identified, authenticated and authorised users or systems
This means that, on top of authenticating anyone who is to be granted to access to sensitive information, you will also need to authenticate and authorise any devices they’ll be using to access the data.
6) Systems which handle sensitive information or key operational services shall be protected from exploitation of known vulnerabilities
This involves tracking all hardware and software assets and their configurations, accounting for all devices and removable media, ensuring that controls can be placed upon devices with the ability for remotely wiping or revoking access from them. Emails should also be protected to high standards, with spam and malware filtering, and efforts made to prevent email spoofing.
7) Highly privileged accounts should not be vulnerable to common cyber attacks
This places a requirement on users to adopt complex passwords that are difficult to guess, and to avoid using these highly privileged accounts for web browsing and email reading.
DETECT
8) Take steps to detect common cyber attacks
This requires organisations to know what needs protecting and why, ensuring that monitoring solutions evolve with any changes in the business, and ensuring that common cyber attack techniques cannot be successful.
RESPOND
9) Have a defined, planned and tested response to cyber security incidents that impact sensitive information or key operational services
This requires a comprehensive incident response and management plan which is regularly tested and contains clearly defined actions, roles, and responsibilities. This plan should be regularly tested. It also requires organisations to record all incidents, even if there are no obligations to report them.
RECOVER
10) Have well defined and tested processes in place to ensure the continuity of key operational services in the event of failure or compromise
As part of this requirement, organisations should have a contingency plan for delivering essential services in the event of a cyber attack. Any successful attack should also inform future preventative measures so that a similar attack could not succeed again.
Demonstrating compliance in tender documents
In order to win any contracts from UK local or central government, suppliers will need to demonstrate that they comply with all 10 of these requirements, significantly adding to the burden on suppliers to provide evidence of their suitability for a contract. As such, including a document in your tender that acts as a shorthand is the best way to demonstrate your compliance.
For instance, the Government suggests that a valid Cyber Essentials certificate could act as confirmation of compliance, meaning you could include such a certificate within your tender document.
Unfortunately, it doesn’t look like a Cyber Essentials certificate will be enough. The MCSS itself states that a “Cyber Essentials [certificate] allows a supplier to demonstrate appropriate diligence with regards to standard number six but the Department should, as part of their risk assessment, determine whether this is sufficient assurance”. In essence, the certificate only demonstrates compliance with one area of the MCSS, and it’s also down to a Department’s discretion if even this is the case.
Exceeding expectations and winning business
But where a Cyber Essentials certificate doesn’t go far enough to demonstrate compliance with the MCSS, ISO 27001 certification demonstrates a strong culture of cyber security throughout your organisation; in essence, proving that your organisation doesn’t just comply with the requirements of the MCSS, but exceeds them!
An ISO 27001 certificate also gives you an advantage over the competition. While other organisations will have included Cyber Essentials certificates or taken other steps to show they have met the requirements, you will have proven that your organisation doesn’t view cyber security as a mere box-ticking exercise. By achieving ISO 27001, you are making it clear that you take security seriously, and that you are willing to commit to it in ways your competitors are not.
You can more closely compare the differences between a Cyber Essentials certificate and ISO 27001 certification, but the latter is an internationally-recognised standard that will immediately make it clear that you comply with the MCSS without having an undue effect on your tender process.
To find out more about ISO 27001 can demonstrate your data security and help you win more business, take a look at our Beginner’s Guide to ISO 27001.
