UK NCSC announces Cyber Advisor service to help SMBs reach cybersecurity standards

The UK’s National Cyber Security Centre (NCSC) has announced a new Cyber Advisor scheme to offer assured cybersecurity consultancy services to small- and medium-sized companies to help them achieve a minimum standard of security. At this initial stage, the NCSC is inviting participants to take part in 100 free assessments which will be used to test and develop the scheme, due to be fully launched in the first quarter of 2023. Once live, individuals will be able to apply to become a Cyber Advisor for a fee.

The scheme will extend the NCSC’s reach to offer a trusted source of cybersecurity advice to a wider range of organisations, it said. This includes the ability to recommend independently assured organisations that can help their customers implement a baseline level of cybersecurity, creating a trusted ecosystem that allows consumers to know better who to engage and what to expect, the NCSC added.

UK NCSC extends security consultancy service to smaller organisations

In a post on its website, the NCSC stated that its existing consultancy assurance only covers specialisms for complex cybersecurity issues. “This service is largely utilised by large organisations with complex cybersecurity requirements, often with potential impact of critical national significance. The aim of the Cyber Advisor scheme is to assure cybersecurity advice for any organisation that is looking to ensure they have baseline cybersecurity controls in place.”

The NCSC said that all Cyber Advisors will be expected to help organisations by:

• Conducting Cyber Essentials gap analysis to assess the organisations internet-facing IT identifying where it fails to meet the Cyber Essentials controls.
• Developing reports on the status of the organisation’s Cyber Essentials controls for senior leadership, detailing the requirements that are met and those that are not, describing why controls are not met and the risks the organisation is exposed to, as well as the recommended actions to take.
• Working with the business to agree remediation activities.
• Planning remediation activities that align to the risk and business priorities.
• Implementing remediation activities – or guide technical teams to do so – sympathetically to operational activities.
• Developing and presenting post-engagement reports summarising the engagement and detailing any remediation work completed, pointing out any residual risk with recommendations for reducing those risks.

Under the scheme, organisations that have a qualified Cyber Advisor on their staff will be able to apply to become an NCSC Assured Service Provider, the NCSC said. Only organisations who become Assured Service Providers and employ a qualified Cyber Advisor will be able to offer NCSC Cyber Advisor services to customers, it added. “An organisation applying to be an Assured Service Provider will be expected to meet requirements demonstrating good cybersecurity and a commitment to achieving an excellent and consistent customer experience through a quality management system. An annual subscription fee will be levied.”

Individuals interested in taking part in the proof-of-concept stage and applying for one of the fully funded Cyber Advisor assessment places can do so online via the NCSC’s delivery partner the IASME.