Cyber-security baseline (NCSC Cyber Essentials – UK)
Assesses the implementation of foundational cyber security controls, fulfilling the Amānah (trust) to safeguard stakeholder data. This protects against common threats, ensures operational continuity, and upholds the principles of Ḥifẓ al-Māl (protection of wealth) and Ḥifẓ al-ʿIrd (protection of dignity/reputation). It operationalizes GDPR/DPA 2018 integrity and confidentiality duties (Art. 5(1)(f), Art. 32), prevents ḍarar (harm), and enables trustee oversight of material internal controls.
| Metric | Cyber Security Operational Dashboard |
|---|---|
| Target | Cyber Essentials certified, plus MFA coverage >95% and patch compliance >95% |
| Frequency | Quarterly |
| Method | Composite score combining certification status with the operational metrics (MFA coverage, patch compliance). |
| Unit | Composite |
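The page does not define how the composite is computed, so the following is an added example (not the page's own or any NCSC tooling) of the operational half of the dashboard: MFA coverage across enabled accounts, patch compliance against the 14-day window Cyber Essentials sets for critical and high-severity updates, and a target check. The composite rule ("certified AND both metrics above 95%"), the account and device records, and the report date are all constructed assumptions.

```python
"""Operational metrics behind the Cyber Security Operational Dashboard.

Added example; not from the original page or from NCSC.
Assumptions not stated on the page: the composite is simply
'CE certified AND MFA coverage > 95% AND patch compliance > 95%';
the patch window is the 14-day limit Cyber Essentials sets for
critical/high updates; all records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

MFA_TARGET_PCT = 95.0      # target is strictly 'above 95%'
PATCH_TARGET_PCT = 95.0
PATCH_WINDOW_DAYS = 14     # Cyber Essentials: critical/high updates within 14 days


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    mfa_enrolled: bool


@dataclass(frozen=True)
class Device:
    host: str
    in_scope: bool
    # release dates of critical/high updates that are still NOT applied
    pending_critical_releases: tuple


def mfa_coverage(accounts) -> float:
    """Percentage of enabled accounts enrolled in MFA.

    Disabled accounts are excluded from the denominator; they cannot be
    used to sign in, so counting them would only hide the real gap."""
    active = [a for a in accounts if a.enabled]
    if not active:
        return 100.0
    return 100.0 * sum(1 for a in active if a.mfa_enrolled) / len(active)


def overdue_devices(devices, today: date) -> list:
    """In-scope hosts with at least one critical/high update older than the window."""
    return sorted(
        d.host for d in devices if d.in_scope
        and any((today - rel).days > PATCH_WINDOW_DAYS
                for rel in d.pending_critical_releases)
    )


def patch_compliance(devices, today: date) -> float:
    """Percentage of in-scope devices with no update outside the 14-day window.

    A device with an unapplied update released 5 days ago is still compliant;
    one with an update released 26 days ago is not."""
    scoped = [d for d in devices if d.in_scope]
    if not scoped:
        return 100.0
    overdue = set(overdue_devices(scoped, today))
    return 100.0 * (len(scoped) - len(overdue)) / len(scoped)


def dashboard(ce_certified: bool, accounts, devices, today: date) -> dict:
    """Composite view: certification status plus the two operational metrics."""
    mfa = mfa_coverage(accounts)
    patch = patch_compliance(devices, today)
    shortfalls = []
    if not ce_certified:
        shortfalls.append("Cyber Essentials certification not held")
    if mfa <= MFA_TARGET_PCT:   # 95.0 exactly does NOT meet '>95%'
        shortfalls.append(f"MFA coverage {mfa:.1f}% is not above {MFA_TARGET_PCT:.0f}%")
    if patch <= PATCH_TARGET_PCT:
        shortfalls.append(f"patch compliance {patch:.1f}% is not above {PATCH_TARGET_PCT:.0f}%")
    return {
        "ce_certified": ce_certified,
        "mfa_pct": mfa,
        "patch_pct": patch,
        "overdue_hosts": overdue_devices(devices, today),
        "target_met": not shortfalls,
        "shortfalls": shortfalls,
    }


# Constructed sample data: 20 enabled accounts, one without MFA, plus a
# disabled legacy service account that must not count either way.
SAMPLE_ACCOUNTS = tuple(Account(f"user{i:02d}", True, i != 7) for i in range(20)) + (
    Account("svc-legacy", False, False),
)
REPORT_DATE = date(2024, 6, 15)
SAMPLE_DEVICES = tuple(Device(f"ws{i:02d}", True, ()) for i in range(8)) + (
    Device("ws08", True, (date(2024, 6, 10),)),   # 5 days old: within window
    Device("ws09", True, (date(2024, 5, 20),)),   # 26 days old: overdue
    Device("lab-iso", False, (date(2024, 1, 1),)),  # out of scope: ignored
)

if __name__ == "__main__":
    print(dashboard(True, SAMPLE_ACCOUNTS, SAMPLE_DEVICES, REPORT_DATE))
```

With the constructed data the organisation is certified but sits at exactly 95.0% MFA and 90.0% patch compliance, so the target is not met and `shortfalls` names both gaps; the strict comparison matters because a quarterly figure of "95%" reads as on-target at a glance.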
Level 1: Initial/Ad-hoc
Nascent: No formal cyber security controls are in place. Security measures are ad-hoc, reactive, and undocumented. This represents a state of negligence (tafrīṭ) in fulfilling the Amānah of data protection.
Level 2: Developing
Developing: Some basic, foundational controls (e.g., firewalls, anti-virus) are implemented, but they are applied inconsistently and without formal policies. The organization acknowledges the risk but lacks a structured approach.
Level 3: Established
Defined: The organization has formally adopted and documented the Cyber Essentials baseline. Policies are defined for the five Cyber Essentials control areas (firewalls, secure configuration, security update management, user access control, and malware protection). This is the minimum acceptable level for fulfilling the Amānah.
Level 4: Advanced
Managed: Cyber Essentials certification is achieved, AND 'Mizan Baseline Extensions' (MFA >95%, backups tested, supplier assurance) are fully operational. Governance includes quarterly reporting to trustees, demonstrating iḥsān (excellence).
Level 5: Optimizing
Optimizing: Achieved Cyber Essentials Plus (independently audited). Controls are continuously improved via regular vulnerability scanning, incident tabletop exercises, and DMARC at enforcement (p=quarantine or p=reject, not monitor-only p=none). The process is integrated into the organization's wider risk management framework, reflecting a proactive commitment to Ḥifẓ and preventing ḍarar.
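"DMARC enforcement" at Level 5 is easy to claim and easy to get wrong: a record with `p=none` only reports, and `pct=25` or `sp=none` leaves most or some of the domain unprotected. The following added example (not from the page or from NCSC) classifies a DMARC TXT record that has already been fetched (for instance with `dig TXT _dmarc.example.org`); the records and domain names in it are constructed.

```python
"""Classify a DMARC record as invalid / monitor / partial / enforced.

Added example, not from the original page. Tag semantics follow
RFC 7489: p is the policy (none|quarantine|reject), sp defaults to p,
pct defaults to 100. The sample records below are constructed.
"""


def parse_dmarc(txt: str) -> dict:
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def enforcement_status(txt: str) -> tuple:
    """Return (level, reason) where level is one of
    'invalid', 'monitor', 'partial', 'enforced'."""
    tags = parse_dmarc(txt)
    # RFC 7489 requires v=DMARC1 as the first tag and p as mandatory.
    if not txt.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        return ("invalid", "record must start with v=DMARC1 and carry a p= tag")
    p = tags["p"].lower()
    if p not in ("none", "quarantine", "reject"):
        return ("invalid", f"unknown policy p={p}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return ("invalid", "pct is not an integer")
    sp = tags.get("sp", p).lower()  # subdomain policy inherits p when absent
    if p == "none":
        return ("monitor", "p=none only reports; spoofed mail is still delivered")
    if pct < 100:
        return ("partial", f"pct={pct}: only that share of failing mail is acted on")
    if sp == "none":
        return ("partial", "sp=none leaves subdomains unprotected")
    return ("enforced", f"p={p} applied to 100% of failing mail")


# Constructed sample records, keyed by a made-up domain.
SAMPLE_RECORDS = {
    "monitor.example":   "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "rollout.example":   "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@rollout.example",
    "subdomain.example": "v=DMARC1; p=reject; sp=none",
    "strict.example":    "v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s",
    "reject.example":    "v=DMARC1; p=reject",
    "broken.example":    "p=reject",
}


def report(records: dict) -> dict:
    """Map each domain to its enforcement level."""
    return {domain: enforcement_status(txt)[0] for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, level in report(SAMPLE_RECORDS).items():
        print(f"{domain:20s} {level}")
```

Only `strict.example` and `reject.example` count as enforced; the others are the configurations that most often get reported as "DMARC done" in a quarterly dashboard while still allowing spoofed mail through.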
Organisation Types
By Organisation Size
| Size | Applicability | Notes |
|---|---|---|
| Micro | exempt | Formal Cyber Essentials certification and enterprise IT reporting are disproportionate for volunteer-run micro charities. |
| Small | partial | Basic cyber hygiene (passwords, malware protection) applies, but formal certification and automated compliance reporting are disproportionate. |
| Medium | full | |
| Large | full | |
| Major | full | |
Applicable When
- The organization uses digital technology to manage information or conduct operations
- The organization is legally constituted
- Controls may be implemented directly or via managed service providers (MSPs), with the organization retaining accountability.
Not Applicable When
- The organization operates exclusively offline with no digital data management whatsoever (highly unlikely for any contemporary organisation)
Discussion (1)
📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json