Introduction
With cyber-related incidents making headlines daily, cyber security is an ever-increasing priority for organisations. Cyber Essentials is often a great place to start, with the implementation of just five technical controls proving to be highly effective in reducing risks against common cyber threats. However, a challenging question that often arises is how to consider contractors under the Cyber Essentials scheme. In this article, we explore that topic, explain the requirements, consider the options, and provide insights based on a practical example.
Why It Matters
Cyber Essentials is a UK government-backed scheme designed to help organisations protect against common cyber threats. Contractors often have access to organisational data and services, which makes their adherence to the Cyber Essentials controls crucial. Ensuring contractors meet these standards helps mitigate the risk of data breaches and unauthorised access, and supports the applicant organisation's own compliance with the scheme. Contractors are a key target for threat actors precisely because of that access, so getting it wrong can have significant implications.
Considerations
- Accounts: All accounts that an organisation owns are in scope for the Cyber Essentials assessment. This includes those used by third parties, suppliers, contractors, and managed service providers.
- Device Ownership and Scope: Internet-connected devices that can access organisational data and services are typically in scope for the Cyber Essentials scheme. However, who owns the device is a key factor in whether it forms part of the assessment. Table 2 of the Cyber Essentials Requirements for IT Infrastructure V3.2 (page 11) sets out which devices not owned by your organisation are in or out of scope, and third-party contractors are listed explicitly. Devices used by contractors are in scope if they are owned by the organisation applying for certification; they are out of scope if owned by the third party or brought by the contractor as BYOD.
- Device Responsibility: On the same page, the requirements state: “For devices out of scope for the assessment, your organisation is still responsible for confirming that the devices interacting with organisational services and data are configured correctly. It’s up to you how you achieve this, as it falls outside of the assessment scope.” This means that even though contractor devices may be out of scope for the assessment, the organisation remains responsible for ensuring that the same Cyber Essentials technical controls are applied to them.
Summary
- Accounts used by contractors are always in scope.
- Devices used by contractors are in scope if owned by the company.
- Devices are out of scope if owned by a third party or BYOD.
- If a device is out of scope, the organisation must still ensure the Cyber Essentials controls are applied to it.
Key Points
- Contractors holding their own Cyber Essentials certification supports compliance across the supply chain.
- Contracts or terms and conditions stating that the Cyber Essentials controls are understood and in place can also be used.
- Other methods can be used too, but the responsibility always lies with the organisation applying for certification.
Example Scenario
Organisation ABC has 40 internal staff and 20 external contractors.
- All staff and contractors have user accounts to access organisational data and services.
- All internal staff have company-owned devices.
- All contractors use their own devices.
To support compliance with the Cyber Essentials scheme, Organisation ABC:
- Lists all internal staff devices in the self-assessment.
- Does not list contractor devices in the assessment as they are not company-owned.
- Ensures contractor devices meet Cyber Essentials requirements through policy, contracts, or proof of certification.
- Carries out regular checks on contractor devices (e.g. OS updates and patching).
How We Help
At RB Consultancy Ltd, we support organisations looking to implement controls and/or certify to Cyber Essentials and Cyber Essentials Plus requirements:
- NCSC Cyber Advisor certified – this qualification means we’re proven to help organisations understand and implement technical controls, without using jargon
- NCSC Assured Service Provider – our organisation is also proven to meet the standards set by the National Cyber Security Centre (NCSC)
- IASME Assessor for Cyber Essentials and Cyber Essentials Plus – we’re qualified to carry out assessments for both levels of the scheme
- Certification Body – we’re trusted to issue certificates to organisations that have met the required standards, for Cyber Essentials and Cyber Essentials Plus
Conclusion
Considering contractors in your cyber security is essential. By ensuring contractors comply with the Cyber Essentials standards, organisations can mitigate risk and protect against the common forms of internet-based threat. Clear contractual obligations, standards, requirements, and communication are all key to achieving this. Implementing these practices helps safeguard the organisation and ensure a secure working environment. RB Consultancy Ltd holds NCSC Assured Service Provider and Cyber Advisor status. We’re also an IASME Certification Body with licensed Assessor status for Cyber Essentials and Cyber Essentials Plus. Contact us for support with the Cyber Essentials scheme.