Publication - Advice and guidance

Cyber security: guidance for public sector suppliers

Published: 15 Jan 2020
Directorate:
Safer Communities Directorate
Part of:
Law and order, Public sector
ISBN:
9781839601392

Guidance setting out best practice from the National Cyber Security Centre, the UK technical authority on cyber security.

28 page PDF

777.2 kB

28 page PDF

777.2 kB

Contents
Cyber security: guidance for public sector suppliers
Annex A – Certification And Accreditation – Costs

28 page PDF

777.2 kB

Annex A – Certification And Accreditation – Costs

1. Key Point 4 of this guidance note encourages the appropriate, proportionate use of certification and accreditation in order to evidence compliance with minimum cyber security requirements. This annex provides further information on the expected costs and benefits of adopting this approach.

Certification and Accreditation – Costs

2. The following certification/accreditation schemes may be appropriate to demonstrate compliance with minimum cyber security requirements, depending on the specific risk profile of a contract. The table below provides some information on the broad costs associated with achieving certification under those schemes. It should be noted that, where a supplier does not currently meet the requirements for certification/accreditation, additional costs may need to be incurred in order to improve their cyber security arrangements to the point where certification/accreditation can be achieved.

Certification/accreditation scheme Costs Further information
Cyber Essentials (self assessment) – Cyber Essentials is a simple but effective UK Government-backed scheme that helps organisations, whatever their size, to protect against a range of the most common cyber attacks.

At the entry level, Cyber Essentials offers a “self-assessment” option, which involves answering questions about your critical cyber security arrangements and submitting these to a certification body, which will verify that the answers provided meet the requirements of the scheme.

Note that where small or medium firms do not have their own on-premise IT networks, they may be unable to achieve Cyber Essentials. In these circumstances, those organisations’ own supplier cyber security arrangements are an important area of focus.
The costs of Cyber Essentials self-assessment are around £300, although some accreditation bodies (notably CREST) require more rigorous tests as part of entry level certification, which increase costs to around £1,000.

If an organisation is not meeting the basic requirements of Cyber Essentials, they may need to spend additional money to improve their cyber security. However, an organisation that does not meet the basic requirements of the scheme may be at increased risk of cyber attack.
Further information can be found at the Cyber Essentials website, here.
Cyber Essentials Plus – Cyber Essentials Plus still has the same protections as Cyber Essentials. However, this time the verification of an organisation’s cyber security is carried out independently by a Certification Body. The costs of Cyber Essentials Plus certification will depend on the size and complexity of the organisation’s network. For SMEs, some certifying bodies quote between £1,000 to £3,000.

Again, if an organisation is not meeting the basic requirements of Cyber Essentials, they may need to spend additional money to improve their cyber security.
Further information can be found at the Cyber Essentials website, here.
IASME (Information Assurance for SMEs) Governance Standard (Audited): Audited IASME Governance (sometimes known as IASME Gold) is an independent on-site audit of the level of information security provided by an organisation. IASME state that it offers a similar level of assurance to the ISO 27001 standard but is designed to be simpler and often cheaper for small and medium-sized organisations to implement. The standard includes all of the five Cyber Essentials technical topics and adds additional topics that mostly relate to people and processes, for example:

- Risk assessment and management

- Training and managing people

- Change management

- Monitoring

- Backup

- Incident response and business continuity

The Audited IASME Governance certificate builds on a self-assessment similar to the basic Cyber Essentials one.
The costs of Audited IASME Governance certification will depend on the size and complexity of the organisation.

For SMEs, some certifying bodies quote between £1,500 to £4,000. This is in addition to £400 to gain the initial IASME Governance verified self assessed certification. (All prices exclude VAT).

If an organisation is not meeting the basic requirements of the IASME Governance standard, they may need to spend additional money to improve their cyber security and governance.
Further information can be found at the IASME website, here.
ISO 27001: This is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes. It includes details for documentation, management responsibility, internal audits, continual improvement and corrective and preventive action. The ISO standard requires co-operation by all parts of an organisation and is independently audited and accredited. The cost of an ISO 27001 accreditation is considerably more than for Cyber Essentials and Cyber Essentials Plus. The price will vary based on complexity and size of organisation. Whereas Cyber Essentials and Cyber Essentials Plus can be implemented in a relatively short time frame it is likely that an ISO 27001 accreditation will take considerably longer. This is again dependent on an organisation’s complexity and size. Factors such as the cost of training and literature for staff, the cost for external remedial assistance and technology to achieve the specification and the cost of the actual certification itself are all factors. Estimated costs for the certification process alone without remedial work for an organisation of around 150 employees can be in the region of £10,000 plus. Further information can be found at the BSI website, here.

Contact

Email: CyberResilience@gov.scot