
UK Cyber Essentials & Australian Essential 8

Shannon DeLange

What are UK Cyber Essentials and the Australian Essential 8?

  • UK Cyber Essentials and the Australian Essential 8 are government-backed standards developed by the NCSC (UK) and the ACSC (AU) to mitigate threats to domestic systems and reduce the impact of attacks. They are built directly on the most common tactics, techniques, and procedures used by attackers, and they are commonly required or requested in their respective regions.

How are they different from SOC 2 or ISO 27001?

These are not traditional compliance frameworks in the same way that SOC 2 and many of our other offerings are.

  • SOC 2 and ISO 27001 focus on building an overall security program and touch on only some elements of technical protection. They assume that an organization following them will implement additional, appropriate technical security measures based on the outcomes of its risk assessment and its needs. Unfortunately, this has proven untrue in many cases. Organizations often treat basic compliance outcomes as “adequate,” yet attackers still succeed regularly: fundamentals are not followed, and the same attacks that worked five years ago often still work reliably today, because the measures that stop them are inconvenient and are not required for compliance.
  • Cyber Essentials and the Essential 8 are great supplements to an effective SOC 2 or ISO 27001 security program, but customers should not expect significant overlap, because the two groups are focused on very different outcomes. SOC 2 and ISO 27001 are about security program development; Cyber Essentials and the Essential 8 are laser-focused on practical threat management and reducing the “blast radius” of an attack. Think of them as strict environment-hardening criteria rather than squishy, high-level guidance about processes and security.

To achieve that threat reduction, Cyber Essentials and the Essential 8 focus on highly prescriptive, very specific actions that companies must take in order to impose cost on attackers.

  • Imposing cost means making an environment more expensive to attack, not just in money but also in time, skill, effort, risk, and any other resource an adversary must spend to achieve their objectives. The more miserable and annoying an environment is for an attacker to exploit, the less likely it is to get hit.
  • This includes things like:
    • Allowlisting applications on endpoints (i.e. if an application is not on an approved list, it cannot be run or installed on a computer)
    • Patching or mitigating all identified vulnerabilities that have exploitable characteristics, even when doing so is technically difficult or inconvenient
    • Treating the “scope” as the entire environment rather than just some systems
      • Remember, attackers have no rules of engagement and do not care about audit scope; defenders should defend as if everything is fair game
    • Explicitly disabling common attack vectors in productivity software through formal default configurations (Office macros, PDF executable hooks, and more)
    • Explicit anti-malware capabilities and settings that must be in place

Do UK Cyber Essentials & Australian Essential 8 require an audit?

  • No. Neither one requires an audit, but both can be audited and are often requested to be.
    UK Cyber Essentials Plus is the same as UK Cyber Essentials, except that it undergoes an external audit. The Essential 8 has no separate name to indicate whether it has been audited or not.


There is a difference between an audit and an assessment. An assessment such as SOC 2 or ISO 27001 gives the assessor some judgment wiggle room on whether controls are adequate, given other considerations. An audit does not. If something is not in place as expected, the auditor does not entertain rationalizations as to why. Both Cyber Essentials and the Essential 8 are audited, not assessed. This means that budgetary constraints, technical challenges, and the usual ISO 27001 and SOC 2 workarounds are unlikely to be accepted.