CERTIKIT Cyber Essentials Implementation Guide v5


Cyber Essentials Toolkit: Version 5 ©CertiKit Cyber Essentials Toolkit Implementation Guide
Cyber Essentials Toolkit v5 Implementation Guide www.certikit.com Page 2 of 22

Contents

1 Toolkit support ... 4
1.1 Email support ... 4
1.2 Toolkit updates ... 4
1.3 Review of completed documents ... 4
1.4 Exclusive access to customer discussion group ... 4
2 Introduction ... 5
3 Cyber Essentials certification ... 7
3.1 Relevance to Data Protection Legislation ... 7
3.2 The Cyber Essentials Controls ... 7
3.3 The Certification Process ... 8
3.4 Certification Scope ... 8
3.5 Submitting Your Answers ... 9
4 The Cyber Essentials Toolkit ... 10
5 Implementation resources ... 11
6 Implementing the five controls of Cyber Essentials ... 12
6.1 Control 1: Firewalls ... 12
6.2 Control 2: Secure Configuration ... 13
6.3 Control 3: Security Update Management ... 14
6.4 Control 4: User Access Control ... 15
6.5 Control 5: Malware Protection ... 16
7 Conclusion ... 18
8 Frequently asked questions ... 19
8.1 Why should our organisation be Cyber Essentials certified? ... 19
8.2 Is Cyber Essentials certification mandatory? ... 19
8.3 What does it cost? ... 19
8.4 If we have multiple offices, can we certify just one? ... 19
8.5 What else do I get for my money? ... 19
8.6 How will people know we’re certified? ... 20
8.7 Does Cyber Essentials Certification expire? ... 20
8.8 We already have the ISO27001 standard – do we still need Cyber Essentials? ... 20
8.9 What is Cyber Essentials Plus? ... 20
9 Glossary of terms used ... 22
Figures

Figure 1: Boundary of scope - ©NCSC ... 9

1 Toolkit support

The CertiKit Cyber Essentials toolkit includes 50+ templates and guides that allow your organisation to put the five controls in place in preparation for Cyber Essentials and Cyber Essentials Plus certification. The following support is included.

1.1 Email support

We understand that you may need some extra support and advice, which is why we offer unlimited email support for 12 months after you buy this toolkit.

1.2 Toolkit updates

This toolkit includes lifetime updates, which means whenever there is a revised toolkit, you will receive an email notification and the new toolkit will be available to download.

1.3 Review of completed documents

If you need that extra peace of mind once you have completed your documentation, our experts will review up to three of your documents to check that everything is in order and complies with the Cyber Essentials controls.

1.4 Exclusive access to customer discussion group

Complying with Cyber Essentials can be a daunting journey, which is why we offer a range of support channels to suit you. This includes our social media discussion group.

2 Introduction

This concise guide takes you through the process of implementing the five Cyber Essentials controls using the CertiKit Cyber Essentials Toolkit. Cyber Essentials is a UK government scheme designed to protect companies and organisations, whatever their size, against a range of the most common cyberattacks. Most of these attacks are basic and carried out by relatively unskilled people; they have been described as the digital equivalent of a thief trying a home’s front door to see if it is unlocked. The Cyber Essentials certification scheme was launched in 2014 by the UK Department for Business, Innovation and Skills (later the Department for Business, Energy and Industrial Strategy) and since April 2020 has been operated by the IASME Consortium as the partner of the National Cyber Security Centre (NCSC). The scheme is open to organisations in all countries, so it is possible to become certified without being based in the UK.

Not everyone has the time or money needed to develop a comprehensive cyber security system, so Cyber Essentials has been designed to fit in with whatever level of commitment you are able to sustain. There are three main levels of engagement:

• The simplest is to familiarise yourself with cyber security terminology, gaining enough knowledge to begin securing your IT systems, without becoming certified.

• If you need more certainty in your cyber security (or you want to show others that you’re taking it seriously), you can apply for basic Cyber Essentials certification. The CertiKit toolkit aims to help you with that process and make it quicker and easier.

• For those who want to take cyber security a bit further, Cyber Essentials Plus certification is also available. The five controls are the same as for the basic level, but Plus adds an independent technical audit by an assessor (carried out on site or remotely), including an authenticated vulnerability scan of a sample of your in-scope devices from inside your network and tests of how those devices handle malicious email attachments and downloads, to verify that the controls are actually in place.

Working through the controls yourself (without applying for certification) still gives you protection against a wide variety of the most common cyberattacks, so we would encourage you to do this as a minimum. This is important because vulnerability to simple attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others. Certification gives you increased peace of mind that your defences will protect against the majority of common cyberattacks, simply because these attacks are looking for “soft” targets which do not have the Cyber Essentials technical controls in place. If you would like to bid for central government contracts which involve handling sensitive and personal information, or the provision of certain technical products and services, you may need Cyber Essentials certification, at either the basic or Plus level.

Of course, every organisation is different, and there are many valid ways to embed the basic disciplines of information security. The best way for you may well depend upon a number of factors, including:

• The size of your organisation.

• The culture your organisation has adopted.

• The industry you operate within.

• The resources you have at your disposal.

• Your legal, regulatory and contractual environment.

So, view this guide simply as a pointer to where you could start and a broad indication of the order in which you could do things. There is no single “right way” to implement information security; the important thing is that you end up with a cyber security system which is relevant and appropriate for your specific organisation’s needs.


3 Cyber Essentials certification

The process of obtaining Cyber Essentials certification is relatively simple and generally costs between £300 and £500 plus VAT, depending on the size of your organisation. Cyber Essentials shows you how to address the basics and prevent the most common attacks. So far about 80% of companies and organisations with Cyber Essentials certification have chosen the basic version. It is often larger organisations that choose Cyber Essentials Plus, due to the additional cost, which can be several thousand pounds (although this varies – shop around for the most appropriate deal for you).

3.1 Relevance to Data Protection Legislation

Cyber Essentials is also useful for those with an eye on the GDPR – the EU’s General Data Protection Regulation – which came into effect in May 2018, and its UK equivalent which followed Brexit. The GDPR is a far-reaching regulation, intended to protect the privacy of individuals and their personal data within the European Union (and, via the UK GDPR, within the UK). The regulation specifies that “controllers” must determine their own cyber security approaches based on the personal information they hold and process. While Cyber Essentials can help with this, it is not a complete solution for all GDPR obligations. But the Information Commissioner’s Office (ICO), whose job it is to uphold the post-Brexit GDPR equivalent in the UK, recommends Cyber Essentials as “a good starting point” for the cyber security of the IT systems and networks you rely on to hold and process personal data.

3.2 The Cyber Essentials Controls

So, what does Cyber Essentials actually consist of? Well, there are five technical controls (a “control” is simply a way to address a risk) you will need to put in place, which are:

1. Firewalls: secure your internet connection with boundary and host-based firewalls.

2. Secure Configuration: device settings, passwords and multi-factor authentication (MFA).

3. Security Update Management: keep your devices and software up to date with security patches.

4. User Access Control: secure user and administrator accounts and limit access to data and services.

5. Malware Protection: including anti-malware software, allow-listing and code signing.

Cyber Essentials guidance from the UK National Cyber Security Centre and its partner IASME breaks these down into finer details. These controls have been chosen as the highest-priority ones from other, more detailed, available guidance such as the ISO27001 standard for information security, the Standard of Good Practice (from the Information Security Forum) and the IASME Cyber Assurance standard, although Cyber Essentials has a narrower focus, emphasising technical controls rather than more general governance and risk assessment. For those organisations considering ISO27001 certification (possibly in addition to Cyber Essentials), CertiKit offers a separate ISO27001 toolkit.

3.3 The Certification Process

Cyber Essentials certification involves three simple steps:

1. Go to the IASME website to register and pay for your assessment

2. Verify that your computer systems that are in scope are suitably secure and meet the standards set by Cyber Essentials.

3. Complete and submit the questionnaire via the portal – IASME or one of its chosen third parties will assess and verify your answers.

Cyber Essentials defines a set of requirements in the five control areas, and you will need to make sure your systems and software meet these before you move on to the next stage of certification (see the guidance in the rest of this guide). You may be required to supply various forms of evidence before IASME can award certification at the level you seek, so it’s best to have this available in case it’s asked for. The assessment questions can be downloaded free of charge from the IASME website.

3.4 Certification Scope

You will need to define the scope of your intended certification. This determines what is certified and, in the case of Cyber Essentials Plus, what is tested. Generally, the scope will be defined by a physical location, such as your main office, but you can choose whether or not to include other aspects, such as remote offices too. Note that from January 2022, cloud services must also be included in your scope.

There are a few other points to understand about scope:

• BYOD (Bring Your Own Device) devices (that is, user-owned) are in scope if they are used to access work data, unless all they are used for is phone calls, texts and MFA (Multi-Factor Authentication) apps.

• Home working – all devices used for home working are in scope, whoever owns them, but a user’s self-provided router is not, as the organisation will typically have little control over its configuration.

• Wireless devices (including wireless access points) are in scope if they can communicate with other devices over the Internet, as Cyber Essentials is mainly concerned with protecting against attacks launched over the Internet.

• Cloud services – you must be clear about how the cloud service provider provides their part of the security picture, and this must be documented in a contract or similar.

• User accounts and devices that your organisation provides to third parties so that they can access your infrastructure remain your responsibility and must be declared as in scope.


Note that a requirement for the cyber insurance that is provided as part of Cyber Essentials is that the whole organisation is included in the scope.

3.5 Submitting Your Answers

Having understood the requirements which Cyber Essentials puts on the installation, configuration and maintenance of your IT, you are ready to complete the certification questionnaire and submit it to IASME via their portal. They may come back to you with some clarification questions and, once you have answered these, a decision will be reached about whether or not your answers meet the requirements for certification.

Once IASME says you’ve passed, you will be awarded your Cyber Essentials certificate and can use the logo on your website and marketing materials, if you want to. Your certificate remains valid for one year, after which you will need to recertify if you want to stay on the list of certified organisations on the NCSC website.

So, the process for Cyber Essentials certification is relatively straightforward. And the CertiKit Cyber Essentials Toolkit aims to make it even more so.

Figure 1: Boundary of scope - ©NCSC

4 The Cyber Essentials Toolkit

The CertiKit Cyber Essentials Toolkit (referred to within this document simply as “the Toolkit”) provides an array of useful documents which provide a starting point for addressing the five controls covered by the scheme. The documents are in Microsoft Office format and consist of Word documents, Excel workbooks and PowerPoint presentations. To open and edit the documents you will need to use the relevant Microsoft application at version 2010 or later.

The documents themselves have a common layout, look and feel, and adopt the same conventions for attributes such as page widths, fonts, headings, version information, headers and footers. Custom fields are used for the common items of information that need to be tailored. The layout and headings of each document have been designed to guide you carefully towards meeting the requirements of Cyber Essentials, and example content has been provided to illustrate the type of information that should be given in the relevant place. This content is based upon an understanding of what a “typical” organisation might want to say, but it is likely that your situation will vary from this profile in some ways, so you will need to think carefully about what content to keep and what to change.

The key to using the Toolkit successfully is to review and update each document in the context of your specific organisation. Don’t accept the contents without reading them and thinking about whether they meet your needs – does the document say what you want it to say, or do you need to change various aspects to make it match the way you do things? This is particularly relevant for policies and procedures where there is no “right” answer. The function of the document content is to help you assess what’s right for you, so use due care when considering it. Where the content is likely to need to be amended, we have highlighted these sections. But please be aware that other non-highlighted sections may also make sense for you to update for your organisation.

The remainder of this guide will take you through what you may need to do in each control area and show how the various items in the CertiKit Cyber Essentials Toolkit will help you to meet the requirements quickly and effectively. As we’ve said earlier, regard this guide as helpful advice rather than as a detailed set of instructions to be followed without thought; every organisation is different, and the idea of the Toolkit is that it moulds itself over time to fit your specific needs and priorities.

We also appreciate that you may be limited for time and so we have kept the guidance short and to the point, covering only what we think you might need to know to achieve certification to Cyber Essentials.


5 Implementation resources

Relevant Toolkit documents:

• Toolkit Completion Instructions

• Cyber Essentials Implementation Guide

• Cyber Essentials Overview

• Cyber Essentials Toolkit Index

• Cyber Essentials Evidence

• Documentation Log

• Project Definition

• Cyber Essentials Project Plan

• Information Security Policy

• Awareness Training Presentation

• Acceptable Use Policy

• Remote Working Policy

• Gap Assessment Tool

• Progress Report

We know from experience that better cyber security doesn’t happen by accident and adding a layer of basic project management to the exercise will make things run a lot more smoothly. So, within the Toolkit we have provided a number of resources that will help you to define your project, manage it and communicate effectively with the relevant people within your organisation. In addition to a project definition, progress report and documentation log, we have added a presentation to be used to raise awareness among your staff and a couple of useful policies which address information security at an overview level.

We have also included an overall Information Security Policy which is intended to act as a high-level guide to how your organisation approaches information security. Although this is not explicitly required by Cyber Essentials, you may find that various parties, such as big customers, want to see this document, so it can come in very useful. The policy lists the supporting policies within the toolkit (such as the Mobile Device Policy and the Access Control Policy), and it’s fine to keep it this way; some organisations decide to combine these policies into a single document, and that’s fine too. There is no right or wrong way to structure your approach to policies.

The Gap Assessment Tool will help you judge how close you currently are to meeting the certification requirements of Cyber Essentials, identify specific actions to be carried out, and provide charts and reports to management on where things stand.

Having defined what it is you’re trying to achieve and set the scene within your organisation, it’s time to start looking at the specific controls that Cyber Essentials requires to be in place.


6 Implementing the five controls of Cyber Essentials

6.1 Control 1: Firewalls

Relevant Toolkit documents:

• Network Security Policy

• Firewall Rule Change Process

• Firewall Configuration Standard

• Firewall Rule Change Log

• Firewall Review Form

• EXAMPLE Firewall Configuration Standard

• Network Diagram Example

Cyber Essentials certification requires that you configure and use one or more firewalls to protect all your devices from the Internet, including those that connect to public or other untrusted Wi-Fi networks. A firewall simply uses rules to block or allow traffic entering or leaving your network, and these rules can be changed according to what you need to achieve, for example if you need to be able to log on to a work computer from home. The default for inbound traffic should always be to block, with individual allow rules added only where there is a documented business need.

A “Boundary Firewall” is a software or hardware device used to shield your internal network as a whole from the Internet. For a more complicated set-up with more than one location, you might require multiple boundary firewalls. Personal, or “host-based”, firewalls are usually included on desktop and laptop computers with operating systems, such as Windows, often at no extra charge, or they may be part of an antivirus suite. Make sure these are enabled on every device that has one.

Some internet routers (for example, broadband routers) also act as boundary firewalls. But a firewall can also be a stand-alone piece of hardware connected to the router (search for “SOHO firewall” to see some examples). If you’re not sure, it may be appropriate to ask your internet service provider if your router contains a boundary firewall. To configure the firewall rules on a typical Internet router, you will connect to it from within your internal network using a browser such as Google Chrome and log on to the admin panel.

We recommend starting with a Network Security Policy that defines your approach to securing your network(s) and provides some context to the setup of your firewall(s). Once that’s defined, it’s a case of making sure that your firewall rules are appropriate for your organisation and that any changes to them are properly justified so that holes which unwanted network traffic can exploit are not introduced over time.

In the Toolkit, we provide a template standard for your firewall configuration and a way of recording changes to, and reviews of, your firewall rulesets. We also provide a diagram of a small network to show how the different components may fit together. It’s a good idea to create a picture of your own network both to aid understanding and document how it is structured.
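As an added illustration of the kind of check a Firewall Review Form is meant to prompt (this is example code written for this guide, not a document from the Toolkit or a tool from NCSC/IASME), the script below reviews a small boundary-firewall ruleset. The rule format, the “ticket” and “approved” fields, the 180-day review cycle and the sample rules are all assumptions constructed for the example; you would export your own router or firewall rules into the same shape. It flags an inbound default policy that is not “deny”, any inbound allow rule that opens every port to the whole Internet, remote-management services (RDP, SSH, Telnet, SMB, VNC) reachable from any source, rules with no change record, and rules whose last review is overdue.

```python
"""Boundary-firewall ruleset review.

Added example for this guide; it is not part of the CertiKit toolkit.
The rule format, the 'ticket' and 'approved' fields, the review interval
and the sample ruleset are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Management services that should not be reachable from arbitrary Internet sources.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}
# How long an allow rule may go without being re-approved (assumed review cycle).
REVIEW_INTERVAL_DAYS = 180


@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    direction: str                    # "in" (from the Internet) or "out"
    protocol: str                     # "tcp", "udp" or "any"
    source: str                       # CIDR or "any"
    dest_port: Optional[int]          # None means every port
    ticket: str = ""                  # change record reference (assumed field)
    approved: Optional[date] = None   # date of last review/approval


def is_any_source(source: str) -> bool:
    """True for 'any' or a /0 network, i.e. the whole Internet."""
    if source.strip().lower() == "any":
        return True
    try:
        return ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False


def review_ruleset(rules: List[Rule], default_inbound: str, today: date) -> List[Tuple[str, str, str]]:
    """Return (severity, rule name, finding) tuples for a ruleset.

    Only inbound allow rules are examined: they are the holes in the boundary.
    """
    findings = []
    if default_inbound.lower() != "deny":
        findings.append(("CRITICAL", "<default>", "inbound default policy must be deny"))
    for r in rules:
        if r.direction != "in" or r.action != "allow":
            continue
        if is_any_source(r.source) and r.dest_port is None:
            findings.append(("CRITICAL", r.name, "allows all inbound traffic from any source"))
        elif is_any_source(r.source) and r.dest_port in ADMIN_PORTS:
            findings.append(("HIGH", r.name, f"{ADMIN_PORTS[r.dest_port]} exposed to the whole Internet"))
        if not r.ticket:
            findings.append(("MEDIUM", r.name, "no change record justifying the rule"))
        if r.approved is None or (today - r.approved).days > REVIEW_INTERVAL_DAYS:
            findings.append(("LOW", r.name, "rule review overdue"))
    return findings


# Constructed sample ruleset for a small office (not a real configuration).
SAMPLE_RULES = [
    Rule("web-in", "allow", "in", "tcp", "any", 443, ticket="CR-0012", approved=date(2024, 3, 1)),
    Rule("rdp-in", "allow", "in", "tcp", "any", 3389),
    Rule("vpn-mgmt", "allow", "in", "tcp", "203.0.113.0/24", 22, ticket="CR-0007", approved=date(2023, 1, 10)),
    Rule("all-in", "allow", "in", "any", "0.0.0.0/0", None, ticket="CR-0001", approved=date(2024, 5, 1)),
    Rule("dns-out", "allow", "out", "udp", "any", 53, ticket="CR-0002", approved=date(2024, 5, 1)),
]


def review_sample(today: date = date(2024, 6, 1)) -> List[Tuple[str, str, str]]:
    """Review the constructed sample as at a fixed date so the result is repeatable."""
    return review_ruleset(SAMPLE_RULES, "deny", today)


if __name__ == "__main__":
    for severity, name, finding in review_sample():
        print(f"{severity:8} {name:10} {finding}")
```

Run against the sample, the review reports five findings: the RDP rule is exposed to the whole Internet, has no change record and has never been reviewed; the VPN management rule is correctly restricted to one source range but its review is overdue; and the “all-in” rule is a critical hole regardless of how well it is documented. Outbound rules are left alone because Cyber Essentials is concerned with what can get in.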


6.2 Control 2: Secure Configuration

Relevant Toolkit documents:

• Logging and Monitoring Policy

• Software Policy

• Mobile Device Policy

• Backup Policy

• Cloud Computing Policy

• Password Policy

• Hardware Inventory

• Configuration Standard

• BYOD Policy

• Cloud Services Register

• Configuration Management Policy

• Asset Management Policy

• Configuration Specification

• Cloud Services Questionnaire

• EXAMPLE Configuration Specification

• EXAMPLE Configuration Standard

• EXAMPLE Hardware Inventory

• EXAMPLE Cloud Services Register

This control involves choosing the most secure settings for your devices and software. Cyber Essentials certification requires that only necessary software, accounts and apps are used. Most “out-of-the-box” hardware such as laptops are shipped with a set of added-value software and default settings that encourage you to use them, rather than to make them as secure as possible. Attackers often know this, and it makes new computers and devices particularly vulnerable.

This means that a process often known as “hardening” is needed, to remove anything that is not required and bring the configuration to a secure starting point. This may involve uninstalling software, amending configuration settings and changing passwords. Those items that are permitted may be defined in a Configuration Standard, which is a document that sets out how a particular device should be set up.

It’s important to know what hardware you have, so that you can verify that it is all configured correctly. The Toolkit includes a Hardware Inventory spreadsheet to record details of your devices, and you may be able to obtain some of this information from software tools you already use, such as Microsoft Intune (part of Microsoft Endpoint Manager, included with some Microsoft 365 subscriptions and available as an add-on to others).

When implemented correctly, passwords are an easy and effective way to prevent unauthorised users accessing your devices. Unfortunately, they can also represent the weakest link in your cyber defences. Passwords should be easy to remember and hard for someone else to guess. The default usernames and passwords which come with new devices, such as “admin” and “password”, are the easiest of all for attackers to guess, and lists of them are freely available on the Internet. Change all default passwords before devices are made live (especially on your Internet router). Other techniques such as PINs and fingerprint recognition (or, more recently, facial recognition) can also help to secure devices such as smartphones.

For higher-risk accounts, such as those with access to financial and administration functions, multi-factor authentication (MFA) is a highly desirable addition, and for cloud services Cyber Essentials now requires it. The simplest form is a one-time code sent by SMS to your phone, which must be entered after your password. Codes generated by an authenticator app such as Google Authenticator, or by a hardware token such as the calculator-like devices issued by many banks, are generally regarded as more secure, because they do not depend on the mobile network and cannot be captured by SIM-swap fraud. Either way, knowing the password alone is not enough: the attacker must also be in possession of the device, so someone on the other side of the world who has discovered or guessed your password will be frustrated.

The National Cyber Security Centre has issued updated guidance on how to approach passwords, and the Password Policy in the Toolkit takes account of this.

Within the Toolkit, we also provide a range of policy documents which help to define your approach to areas such as event logging (important for spotting when someone is trying to hack into your systems), backups (vital to recover from a ransomware attack), mobile devices (often a weak link in cyber security) and cloud computing (vulnerable as it is outside your internal network).

6.3 Control 3: Security Update Management

Relevant Toolkit documents:

• Patch Management Policy

• Software Inventory

• EXAMPLE Software Inventory

Cyber Essentials requires that patches (also known as updates) are applied promptly to the software in use within the organisation, so that the bugs that they fix can’t be exploited by an attacker. There are several ways of doing this and, in the toolkit, we provide a Patch Management Policy to define your organisation’s approach to patching.

Of course, it’s difficult to know whether your software is being patched if you’re not aware of what software you’re using, so we also provide a Software Inventory to help you to identify the programs that should be patched and whether they are still under support from the vendor. For instance, Microsoft ended its support for Windows XP in 2014 and for Windows Vista in 2017. For the purposes of Cyber Essentials certification, all software in scope must be supported by its vendor; unsupported software must be removed from in-scope devices, or those devices must themselves be taken out of scope by segregating them so that they cannot reach the Internet.

In many cases, it may be as simple as turning on the auto-update function within the software so that it identifies that a patch is available, downloads it and applies it without any human intervention; Cyber Essentials expects automatic updates to be enabled wherever the software offers them. But sometimes patches go wrong (this has been the case with some Windows updates in the past), so it’s a good idea to put some thought into your approach. Note that Cyber Essentials requires updates that fix critical or high-risk vulnerabilities (those the vendor rates critical or high, those with a CVSS v3 base score of 7 or above, and those for which the vendor gives no details) to be applied within fourteen days of release.

For a larger computer population, software inventory and patch management tools are very useful for identifying what is installed where and the patching status of specific computers. Two examples are Microsoft Intune and Configuration Manager (previously known as SMS and then SCCM, and now grouped under the Microsoft Endpoint Manager brand) and ManageEngine Desktop Central (since renamed Endpoint Central).

6.4 Control 4: User Access Control

Relevant Toolkit documents:

• Access Control Policy

• Internet Acceptable Use Policy

• User Access Management Process

• Cryptographic Policy

• Physical Security Policy

• System Owners

• Admin User Accounts

• Cyber Essentials Poster - Passwords

• EXAMPLE System Owners

• EXAMPLE Admin User Accounts

Cyber Essentials certification requires that you control access to your data through user accounts, and that administrative privileges (for example the ability to create users and define who can access what) are only given to those who need them. An Access Control Policy and a User Access Management Process are included in the Toolkit to help you define how this will work within your organisation.

To be able to control your user access, it’s important to know what systems your company uses and the user accounts that are registered within them. This can be more difficult than it sounds, especially if you make significant use of cloud services available via the Internet. The Toolkit provides spreadsheets that help to define your systems, establish who your system owners are (these are the people who will decide who should have access to the systems or not) and record users (especially admin users) and their current access levels. For a large number of users this information may be better produced from each application itself via reports. Check regularly that only the right users have access, and that no rogue accounts have been created without your knowledge.
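The regular check described above can be made mechanical. The script below is an added example written for this guide (not a Toolkit spreadsheet or a Microsoft tool): it parses the member list produced by the Windows `net localgroup Administrators` command and reconciles it against an Admin User Accounts register. The register columns, the account names and the command output are constructed for illustration. It reports administrators who are not in the register, administrators the register says have left, approved administrators who are missing from the system, and anyone whose admin account is the same as their everyday account.

```python
"""Reconcile local administrators against the Admin User Accounts register.

Added example for this guide, not part of the CertiKit toolkit. The register
columns, the account names and the command output below are all constructed
for illustration; the output mimics the layout of 'net localgroup Administrators'.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class RegisterEntry:
    admin_account: str       # the privileged account
    owner: str               # person (or team) responsible for it
    standard_account: str    # the owner's everyday account ("" if none)
    approved_by: str
    active: bool = True      # False once the owner has left or approval is withdrawn


def parse_net_localgroup(output: str) -> List[str]:
    """Extract member names from 'net localgroup <group>' style output:
    everything between the dashed separator and the completion message."""
    members, in_members = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line:
            members.append(line)
    return members


def short_name(account: str) -> str:
    """Drop a DOMAIN\\ prefix and normalise case for comparison."""
    return account.split("\\")[-1].lower()


def reconcile_admins(register: List[RegisterEntry], exported: List[str]) -> List[Tuple[str, str, str]]:
    """Return (finding, account, detail) tuples comparing the system with the register."""
    approved = {short_name(e.admin_account): e for e in register if e.active}
    withdrawn = {short_name(e.admin_account): e for e in register if not e.active}
    present = {short_name(a) for a in exported}
    findings = []
    for acct in sorted(present - approved.keys()):
        if acct in withdrawn:
            findings.append(("LEAVER_STILL_ADMIN", acct,
                             f"register says {withdrawn[acct].owner} no longer needs this account"))
        else:
            findings.append(("UNAPPROVED_ADMIN", acct, "not in the Admin User Accounts register"))
    for acct in sorted(approved.keys() - present):
        findings.append(("MISSING_ADMIN", acct, "approved but not present on the system"))
    for e in register:
        if e.active and e.standard_account and short_name(e.admin_account) == short_name(e.standard_account):
            findings.append(("NO_SEPARATE_ACCOUNT", short_name(e.admin_account),
                             f"{e.owner} uses one account for admin work and everyday use"))
    return findings


# Constructed sample output in the shape of 'net localgroup Administrators'.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\adm-jsmith
CORP\\adm-rpatel
CORP\\tlee
The command completed successfully.
"""

# Constructed register: the built-in account is held as a documented break-glass account.
SAMPLE_REGISTER = [
    RegisterEntry("Administrator", "IT team (break-glass)", "", "CTO"),
    RegisterEntry("CORP\\adm-jsmith", "J Smith", "CORP\\jsmith", "CTO"),
    RegisterEntry("CORP\\adm-rpatel", "R Patel", "CORP\\rpatel", "CTO", active=False),
    RegisterEntry("CORP\\adm-mchen", "M Chen", "CORP\\mchen", "CTO"),
    RegisterEntry("CORP\\tlee", "T Lee", "CORP\\tlee", "CTO"),
]


def reconcile_sample() -> List[Tuple[str, str, str]]:
    return reconcile_admins(SAMPLE_REGISTER, parse_net_localgroup(SAMPLE_OUTPUT))


if __name__ == "__main__":
    for finding, account, detail in reconcile_sample():
        print(f"{finding:22} {account:12} {detail}")
```

For the sample, the reconciliation shows a leaver (adm-rpatel) who is still an administrator, an approved administrator (adm-mchen) who is not actually present (worth confirming the register rather than ignoring), and T Lee, who has no separate admin account and so is browsing and reading email with administrative rights. On a real estate you would run the same comparison for domain groups and for the administrator roles of each cloud service.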

Cyber Essentials emphasises that admin accounts should only be used for admin work, and that separate standard user accounts should be in place for everyday computer use, including accessing the Internet and email. Requirements for MFA have been strengthened recently to cover not only admin users of cloud services, but standard users too. Check which of your cloud services provide an MFA option and enable it for all users wherever it is available.

Requirements for passwords have also been enhanced, and you must adopt at least one of three options: a minimum password length of twelve characters; a minimum of eight characters combined with MFA; or a minimum of eight characters combined with an automatic deny list that blocks common passwords such as “Password123”. In every case there must be no maximum length. Expiring passwords (for example after 90 days) and insisting on complexity rules (such as requiring a number and a special character) are no longer regarded as best practice, and regular forced expiry must not be enforced.
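As an added example written for this guide (not a Toolkit document or NCSC code), the function below applies the three Cyber Essentials password options to a candidate password, and a second function spots unchanged vendor defaults of the “admin”/“password” kind described under Control 2. The deny list is a tiny constructed stand-in; in practice you would load a published list of breached or common passwords. The one design point worth noticing is the normalisation step: a deny list that only matches exact strings lets “Password123” and “Summer2024!” straight through, so the check strips trailing digits and symbols before consulting the list.

```python
"""Password acceptance check against the three Cyber Essentials options.

Added example for this guide, not part of the CertiKit toolkit. The deny
list below is a tiny constructed stand-in; a real deployment would use a
published list of breached or common passwords.
"""
import re
from typing import Iterable, List

# Constructed stand-in for a common-password deny list (lower case).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "summer", "winter", "companyname",
}
# Vendor defaults that must be changed before a device goes live (constructed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}

# Cyber Essentials accepts any one of these for password-based authentication.
OPTIONS = {
    "mfa":      "MFA in use and at least 8 characters",
    "length12": "at least 12 characters",
    "denylist": "at least 8 characters and common passwords blocked",
}


def normalise(password: str) -> str:
    """Collapse trivial variants (case, trailing digits/symbols) so that
    'Summer2024!' is treated as 'summer' when consulting the deny list."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def is_common(password: str, deny_list: Iterable[str] = COMMON_PASSWORDS) -> bool:
    """True if the password, or its normalised form, is on the deny list."""
    deny = {d.lower() for d in deny_list}
    return password.lower() in deny or normalise(password) in deny


def check_password(password: str, option: str, mfa_enabled: bool = False,
                   deny_list: Iterable[str] = COMMON_PASSWORDS) -> List[str]:
    """Return the reasons a password fails the chosen option ([] means acceptable).

    There is deliberately no maximum length and no complexity rule: Cyber
    Essentials does not ask for either.
    """
    if option not in OPTIONS:
        raise ValueError(f"unknown option {option!r}; choose one of {sorted(OPTIONS)}")
    failures = []
    if option == "length12":
        if len(password) < 12:
            failures.append("fewer than 12 characters")
    else:
        if len(password) < 8:
            failures.append("fewer than 8 characters")
        if option == "mfa" and not mfa_enabled:
            failures.append("MFA option chosen but MFA is not enabled on this account")
        if option == "denylist" and is_common(password, deny_list):
            failures.append("matches a common password (after stripping trailing digits/symbols)")
    return failures


def is_default_credential(username: str, password: str) -> bool:
    """True for an unchanged vendor default such as admin/password."""
    return (username.lower(), password.lower()) in DEFAULT_CREDENTIALS


if __name__ == "__main__":
    for pw, opt, mfa in [("Password123", "denylist", False), ("Summer2024!", "denylist", False),
                         ("correct horse battery staple", "length12", False),
                         ("Tr0ub4dor&3", "mfa", True), ("Tr0ub4dor&3", "mfa", False)]:
        print(f"{pw!r:32} {opt:9} -> {check_password(pw, opt, mfa) or 'OK'}")
```

The three-word passphrase passes the twelve-character option without any “complexity”, while the eleven-character “Tr0ub4dor&3” is acceptable only when MFA is actually enabled on the account; the option you declare on the questionnaire must match what the system enforces.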

It’s a good idea to prevent users from installing software on their own computers or, if you find this too restrictive, to only allow software from recognised sources, such as the Microsoft Store, to be downloaded.

We provide a number of other policies in the Toolkit that cover related areas such as use of encryption, physical security and what constitutes acceptable use of the Internet.

We also provide an awareness-raising poster for you to print out (ideally A3 size) and place in user areas. The poster emphasises the need to choose strong passwords and how this may be done.

6.5 Control 4: Malware Protection

Relevant Toolkit documents:

• Anti-Malware Policy

• Electronic Messaging Policy

• Incident Response Plan Ransomware

• Threat Intelligence Policy

• Cyber Essentials Poster – Phishing

The term “malware” is a contraction of “malicious software”, a general term for computer programs that are designed to have some form of adverse impact on the computers on which they run. This includes ransomware, which makes files unusable (because it has encrypted them) until the victim pays a ransom, often in a form of cryptocurrency such as Bitcoin, to obtain the key to decrypt the files.

Malware, such as a virus, can be transmitted in an increasing variety of ways, including via an infected email attachment, a compromised website or a user inserting an infected USB stick into their computer. The Toolkit provides a policy covering the correct use of email and a poster to raise awareness of Phishing – the sending of fake emails with malicious intent.

Cyber Essentials requires that you use one or more common techniques to address malware, including antivirus software and allow-listing.


Antivirus software is generally included on the main operating systems used on user computers, for example Windows 10 or 11, and nowadays it does a reasonable job of identifying malware. However, this is very much an “arms-race” situation between the antivirus software vendor and the writers of the viruses, and you may decide that paid-for alternatives provide a better solution. These solutions are often the subject of magazine and online reviews so it’s worth Googling to see what the latest views from the technical community are of their relative merits. Depending on how many computers you are managing, it may be important that some form of central management console is available to be able to assess the health of antivirus controls across the organisation’s computer population as a whole.

Allow-listing requires that you create a list of programs that are allowed to run on the computer and prevent anything else being installed on it. This is useful if the software you use is predictable but can be unwieldy if you need to be able to move quickly to install a new application for urgent business needs.

In the Toolkit, we provide a policy document that covers anti-malware, which will supplement your malware protection approach, and a policy regarding how to keep in touch with emerging threats.


7 Conclusion

This implementation guide has taken you through the process of helping your organisation to achieve Cyber Essentials certification, supported by the CertiKit Cyber Essentials Toolkit.

Implementing the steps contained in the scheme is always a culture change towards becoming more proactive as an organisation and, with the day-to-day reactive pressures of running a business, it can sometimes seem daunting. However, we hope you will find that the Toolkit is of value in clarifying what needs to be done and speeding up the process of compliance.

We wish you good luck in your work and, as always, we welcome any feedback you wish to give us via feedback@certikit.com


8 Frequently asked questions

8.1 Why should our organisation be Cyber Essentials certified?

A virus could result in your organisation losing company and client data, disrupting cashflow and taking up staff time. An attack could also put off customers, damage your reputation and even prevent you from trading. Loss of personal data could breach laws such as the GDPR or the Data Protection Act and lead to fines or prosecution.

Obtaining the certification will protect your organisation against common cyber threats, show your customers you take cyber security seriously and enable you to bid for government contracts.

8.2 Is Cyber Essentials certification mandatory?

Simply put, no it isn’t. But since October 2014, it has been mandatory for suppliers of more sensitive contracts with the British Government to be certified. If your organisation is not certified, you may not be entitled to bid for those lucrative public sector contracts.

8.3 What does it cost?

There is now a graduated pricing scheme according to the size of the organisation, between £300 and £500 for the basic Cyber Essentials certification.

8.4 If we have multiple offices, can we certify just one?

Yes! The boundary of scope would then be limited to that one office. The Cyber Essentials certificate would state the office that is certified, rather than the entire company. Note, however, that this may preclude the use of the cyber insurance that comes with Cyber Essentials certification.

8.5 What else do I get for my money?

As well as peace of mind, you will get a numbered certificate, which lists your boundary of scope. You will also be given permission to display a Cyber Essentials logo on your stationery, website and email signature. It looks like this:


You also have the option for some free cyber insurance to cover your organisation against the costs of a breach or incident.

8.6 How will people know we’re certified?

IASME lists all certified organisations on its website. Enter an organisation’s name in the search box on that list to see whether or not it is certified to basic or Cyber Essentials Plus level.

8.7 Does Cyber Essentials Certification expire?

Organisations must re-certify every year to ensure their equipment and processes are secure. IASME removes organisations from its certified list if they have not been certified in the past 12 months.

8.8 We already have the ISO27001 standard – do we still need Cyber Essentials?

ISO 27001 is an information security standard published by the International Organization for Standardization. There is increasing demand for organisations to have both, especially if they want to be eligible to bid for large tenders, such as those with the Government. For the five controls covered, Cyber Essentials is more prescriptive than the ISO27001 standard, so may provide additional protection.

8.9 What is Cyber Essentials Plus?

As well as all the benefits of the basic scheme, Cyber Essentials Plus includes authenticated vulnerability scans of an organisation's workstations and mobile devices. This increases the validity of the certification considerably by providing evidence of compliance against a number of scenarios, including the following:

• Can malicious files get through via internet traffic or email messages?

• Should such content infect a system, how effective is the antivirus and anti-malware software?

• Should the mechanisms fail, how likely is it that the organisation will be compromised due to a failure to patch workstations?


9 Glossary of terms used

Here is a list of some of the terms used in the CertiKit Cyber Essentials Toolkit.

• Applicant: the organisation seeking certification, or sometimes the individual acting as the main point of contact, depending on context.

• Boundary of scope: the whole of an applicant’s IT infrastructure, or a sub-set of it. Either way, the boundary must be clearly defined in terms of the business unit managing it, the network boundary and the physical location.

• Devices: includes all types of hosts, networking equipment, servers, networks and end-user equipment such as desktop computers, laptop computers, tablets and mobile phones (smartphones), whether physical or virtual.

• Firewall: a device which restricts access to devices’ network services to reduce exposure to a cyber-attack.

o A boundary firewall is a network device which can restrict the inbound and outbound network traffic to services on its network of computers and mobile devices. This is usually, though not always, a piece of software on the router.

o Alternatively, a personal, or host-based, firewall may be configured on a computer, tablet or smartphone. This works in the same way as a boundary firewall but only protects the single device on which it is configured. This approach can provide for more tailored rules and means that they apply to the device wherever it is used. However, this increases the administrative overhead of managing firewall rules.

• Malware: such as computer viruses, worms and spyware. This is software that has been written and distributed deliberately to perform malicious actions. Potential sources include email attachments, downloads and direct installation of unauthorised software.

• Multi-factor authentication (MFA): an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has) and inherence (something the user and only the user is).

• Patching: a set of changes to a computer program or its supporting data designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs.

• Ransomware: a form of malware which makes data or systems it has infected unusable until the victim makes a payment.

• Software: includes operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software and firmware.

• Virus: a type of malicious software that, when executed, replicates itself by modifying other computer programs and inserting its own code.

• Allow-listing: the practice of specifying an index of approved software applications that are permitted to be present and active on a computer system. The goal of allow-listing is to protect computers and networks from potentially harmful applications.
