The Welsh Government Cyber Essentials Requirement
The Welsh Government made it mandatory, from the 1st of April last year, for third-party suppliers handling sensitive information at a 'moderate' or 'high' level of risk to be Cyber Essentials certified. However, many businesses still seem to be unaware of this change and have failed to take timely action.
Do I Need Cyber Essentials?
The Welsh Government has made it mandatory for new contracts where the supplier presents a 'moderate' to 'high' level of risk to be Cyber Essentials accredited. Of the five levels of risk identified (0 to 4), Cyber Essentials is a requirement from Level 1 upwards. Here is a quick rundown of what you need to know:
- Level 0 is 'low risk', meaning that no special arrangements are needed: only minimal amounts of non-sensitive personal data are processed, or the data is already in the public domain.
- Level 1 is 'moderate risk', where sensitive information may need to be protected. Third parties at this level need to adhere to the UK Government's Cyber Essentials scheme for contracts with low values and small amounts of personal or sensitive data.
- Level 2, or 'sensitive information', requires your business to be Cyber Essentials accredited for the duration of the contract.
- Level 3 requires your business to be Cyber Essentials Plus accredited.
- Level 4, otherwise known as 'high risk' (large nationwide framework contracts), requires you to obtain ISO 27001 together with Cyber Essentials Plus, as these are deemed "high value contracts or those with significant amounts of personal or sensitive data."
Organisations are required to remain compliant throughout the term of their contract. In a document intended for local authorities, the Welsh Government details what level of certification is required from third parties.
"If you are procuring services from third party suppliers, awarding grants or entering into data sharing agreements with third parties who will have access to our information, you will need to consider the sensitivity of that information," it reads. "A Business Impact Assessment will indicate the sensitivity of the information involved…"
“For those contracts which involve handling information in the moderate or high risk categories, described below, it is mandatory that suppliers demonstrate that they meet the technical requirements prescribed by the Cyber Essentials Scheme.”
“The Cyber Essentials Scheme defines a set of controls which, when properly implemented, will provide organisations with basic protection from the most prevalent forms of threat coming from the internet. Evidence of holding a Cyber Essentials (or equivalent) certificate is desirable before contract award, but essential at the point when data is to be passed to the supplier.”
A Welsh Government spokesperson said: “Cyber Essentials is required for all relevant Welsh Government contracts involving the handling of personal or sensitive information. This will also apply to National Procurement Service collaborative frameworks.”
Cyber Essentials is also mandatory for relevant UK government suppliers.
How Does Cyber Essentials Work?
Cyber Essentials is built upon the Ten Steps to Cyber Security and incorporates five main controls: boundary firewalls and gateways, secure configuration, access control, malware protection and patch management. Compliance is assessed both internally, through a self-assessment stage, and independently, through an external assessment.
The Assurance Framework is designed to guide a business through the basic levels of security and on to tighter, more secure levels of protection, where these are required and suitable for the business type. The Assurance Framework follows four steps:
- The identification of cyber security threats and weaknesses.
- Stage 1: Cyber Essentials (self-assessment): confirming that the business meets the Cyber Essentials requirements. This is then independently verified.
- Stage 2: Cyber Essentials Plus: independent verification that the systems in place meet the Cyber Essentials requirements.
- The requirements have been met, and the systems put in place to meet them become routine for the business and an integral part of its operations.
If your business is supplying, or intending to supply, to the Welsh Government or indeed the MOD, you can start your application for the Cyber Essentials scheme with an authorised supplier here.