Technical Bulletin: How TIA QuEST Forum’s SCS 9001 Supply Chain Security Standard Compares to the National Cyber Security Center’s Cyber Essentials and Cyber Essentials Plus

In 2014, the UK government developed a set of security guidelines known as “Cyber Essentials”(1). Cyber Essentials defines a basic set of cyber security best practices that organizations should implement to protect themselves from cyber-attacks. Cyber Essentials is described as “the minimum standard for cyber security in the UK” and certification is required to do business with certain UK government agencies.

Cyber Essentials Plus is identical to Cyber Essentials, with the only difference being that Cyber Essentials is a self-certification and Cyber Essential Plus requires a third-party assessment. Within this bulletin, reference to Cyber Essentials will be used. This Technical Bulletin provides an overview of NCSC’s Cyber Essentials and how the Telecommunications Industry Associate (TIA) QuEST Forum’s SCS 9001 Supply Chain Security Standard accounts for the requirements and recommendations stated therein.

(1) The U.S. Federal Agency Cybersecurity and Infrastructure Security Agency, or CISA, has also produced a guide called CISA’s Cyber Essentials. CISA’s Cyber Essentials is targeted at small businesses and local government agencies to assist in developing an actionable understanding of where to start implementing organizational cybersecurity practices. These two initiatives are not to be confused; they are different.