Compliance & Accreditation Schemes

The information security industry has evolved significantly in recent years; to ensure its continued improvement, government and regulators are continuing to introduce schemes and frameworks that your organisation may need to comply with.

Context is accredited under a number of these schemes to provide the services that ensure your organisation meets the necessary standards.

Cyber Essentials & Cyber Essentials Plus

The UK Government's Cyber Essentials scheme is designed to make the UK a safer place to conduct business online. The Cyber Essentials scheme identifies some fundamental technical security controls that an organisation needs to have in place to help defend against internet-borne threats. 

The scheme consists of five baseline controls that businesses should have in place, as their presence reduces the risk of data breaches from internet-based attacks.

These five controls are: 

  • Boundary Firewalls
  • Secure Configuration
  • Access Control
  • Malware Protection
  • Patch Management

Being certified for Cyber Essentials is now mandated for businesses that require access to UK Government information.

The Cyber Essentials scheme has two parts:

  1. Cyber Essentials - The first stage consists of an external vulnerability scan accompanied by a questionnaire, which confirms that internal processes are in place to ensure that best practice is in use. Once this stage has been passed, a company is certified as passing Cyber Essentials.
  2. Cyber Essentials Plus - The second stage is the Cyber Essentials Plus certification. This encompasses a detailed assessment of your infrastructure, with detailed examination of the technologies and servers in use within the company. Once a company has demonstrated that it has created a secure environment, it will gain the Cyber Essentials Plus badge.

Context is certified to provide both assessments for UK businesses. 

By offering the Cyber Essentials Plus services Context can ensure that companies undergoing the program have a smooth journey toward certification. It is our goal to encourage all our customers to undergo this program and reach Cyber Essentials Plus certification. This assessment offers a higher level of assurance than the foundation Cyber Essentials assessment alone as it entails both an onsite and remote verification that controls have been met, and is an important step toward establishing world-class information security practices that meet business needs.

Businesses that satisfy the verification requirement will be issued a certificate demonstrating they meet the criteria. The certificate is valid for a maximum of a year. Re-certification may be required in the event there are changes to the environment.

As a CREST founder company, Context was consulted and provided input at the formulation stages of the scheme and continues to do so as the scheme matures. 

Further details of the Cyber Essentials scheme are available here.

CREST STAR Assessments

Simulated Target Attack and Response (STAR) services represent a platform for financial services and critical national infrastructure businesses to share threat and intelligence systems. The assessments or tests are primarily threat intelligence-led penetration tests and are considered to be the most realistic form of assurance service within the sector.

The test uses threat intelligence to deliver highly targeted attacks against an organisation that simulate sophisticated threat actors; our consultants then deliver realistic attack simulations. These simulations provide assurance that organisations have appropriate countermeasures and responses in place to detect and prevent cyber-attacks.

Context has been performing simulated targeted attack and response engagements for global clients for several years. Using real-world data about attackers from our Response team, we perform focused and realistic exercises that map to sophisticated attacks. 

STAR assessments allow Context to identify weaknesses that go beyond the technical vulnerabilities typically found in a penetration test, and to assess an organisation's overall capability to prevent, detect, and respond to a compromise. 

NCSC CHECK IT Health Check

An NCSC CHECK IT Health Check (ITHC) identifies vulnerabilities in HMG IT systems and networks to assure the confidentiality, integrity or availability of information held on that IT system. Using certified testers who are regularly assessed to validate their penetration testing knowledge and capability, an ITHC is as much about risk assessment as it is penetration testing, and assesses the security posture of the environment as well as the data stored within it.

Context has one of the UK’s largest pools of CESG CHECK certified penetration testers.

CESG Commercial Product Assurance (CPA)

Context is qualified to evaluate products on behalf of NCSC under the NCSC Commercial Product Assurance (CPA) service. CPA certification provides a product with entry into an approved list from which government departments and industry partners may purchase.

CPA is essentially a certificated accreditation process for products to be used by government, public sector and any industries requiring access to UK government accredited networks. CPA certification enables product vendors to sell their products into government and public sector departments, the wider public sector and associated industry for use in communications networks requiring IS2 and IS3 accreditation.

Context’s CPA service combines our unique background in security research with an ISO 17025 accredited laboratory to provide top-quality, security-oriented product evaluations that can be trusted.

NCSC Tailored Assurance Services (CTAS)

The NCSC (formerly CESG) Tailored Assurance Service (CTAS) scheme provides assurance for a broad range of Government, public sector and Critical National Infrastructure (CNI) organisations in the process of procuring IT systems, products and services. These may range from minor software components to national infrastructure networks.

The service provides answers to specific assurance questions and concerns posed by CTAS accreditors. It also ensures that the subject of an assessment complies with all relevant NCSC and Government regulations through highly tailored evaluation processes, conducted by a CTAS company within an NCSC-approved test laboratory.

Context has been approved by NCSC to provide this service. Achieving approval to work with NCSC on CTAS is another illustration of the reputation for outstanding technical excellence that Context has built since the company was launched in 1998.

PCI ASV External Vulnerability Scans

Context is a PCI Approved Scanning Vendor (PCI ASV) qualified to conduct external vulnerability scanning services to validate compliance with Requirement 11.2 of the Payment Card Industry Data Security Standard (PCI DSS), which outlines the need to run internal and external network vulnerability scans at least quarterly and after any significant change in the network. 

PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers and all other entities that store, process or transmit cardholder data (CHD) and/or any sensitive authentication data (SAD). 

GDPR Compliance

With GDPR coming into effect in early 2018, our team can also advise on all aspects of GDPR compliance, from data management and classification, to key control maturity assessments, creating a complete transformation roadmap tailored to your organisation.
