Government and Operators of Essential Services (OES)


Because Jersey is small and independent, we face unique cyber security risks. Our population is the size of a small UK city. But unlike a small UK city, we manage our own infrastructure and essential services.

Our Government also has different responsibilities. In some ways the Government of Jersey acts like a city council. Like a city council, it maintains our roads and public spaces, and protects the environment. But the Government of Jersey also does more than a city council would: it also manages our hospital and emergency services.

Apart from the Government, several other organisations provide the services that we all rely on. This includes power, fuel and water, off-Island transport, freight handling, and food production. We refer to these organisations as Operators of Essential Services (OES).

If any one of these OES was the victim of a cyber attack it could cause:

  • disruption to power supply, drinking water, or telecoms
  • a drop in the amount of food and fresh produce arriving in the Island
  • difficulties in travelling to or from Jersey

Any attack is likely to have an indirect effect on other organisations. Depending on the type of attack and how serious it is, it could threaten wellbeing. In the most serious cases, a successful cyber attack could threaten lives.

These risks all mean that these organisations should be taking cyber security measures. This will protect their organisation, their customers, and the Island.

We’re here to offer information, advice and support. For more information, contact us, or check our Advice and Guidance page for the latest information.

If you have any questions, you can contact us:



How to protect your organisation

Potential cyber criminals are always developing new techniques and approaches. This means that there’s no way to guarantee that your organisation is safe from every cyber attack.

However, there are several steps you can take to reduce how likely you are to be a victim.


Back up your important information

  • Identify which information is critical and make sure that you have a segregated backup. This backup can be online, for example, through a cloud-based service. It can also be offline: on a USB stick, an external hard drive, or a computer which is not connected to the internet.
  • Schedule regular backups of your data. This will mean that you have access to the most recent version of your critical information.
  • Test your backups regularly. This will mean you know if the backups are working. It will also mean that you understand how to recover the information if you need to.


Use strong password protection

  • Turn on password protection wherever it is available: this includes across your devices and the services you use.
  • Make sure that all staff are using strong passwords. The National Cyber Security Centre (NCSC) suggests using a combination of three random words.
  • Use extra security protections, including 2-step verification, wherever it is available. You can find more guidance on this via the National Cyber Security Centre (NCSC).


Protect yourself from viruses and malware

  • Make sure that all your computers have antivirus software installed.
  • Update all your IT devices regularly. This process is called patching. It means that the developer of your device has identified security issues and fixed them. Your staff should also patch any personal devices they use for work.
  • We recommend that you aim to install patches no more than 14 days after they’re released by the developer.
  • You should install antivirus software and firewalls on all devices. This includes any personal devices that staff use as part of their work. Antivirus software detects and removes any malicious software or viruses from your computer. Firewalls create a protective barrier between your network and external networks.


Be wary of phishing attacks

  • Cyber attackers use phishing as a way into a system or network. They will often send an email to trick a user into clicking a link or downloading an attachment. The attachment or link will allow the attackers to steal the user’s information.
  • Ensure that staff are aware of this risk, and that they remain vigilant.


Have a plan

  • Developing and testing an incident response plan won’t prevent a cyber attack. But it will help you respond if you do experience one.
  • An incident response plan sets out what you would do in the event of a cyber attack. This includes who will make decisions, how you can contact them, and what process you will follow.
  • An incident response plan will also set out when to seek legal or HR support.
  • You can find more information about incident response plans via the UK’s National Cyber Security Centre (NCSC).


Cyber Essentials

Cyber Essentials aims to protect organisations against a range of cyber attacks. The scheme is backed by the UK Government and is available in Jersey.

Cyber Essentials is a certification scheme. To be certified, you need to have basic cyber security measures in place. This scheme focuses on preventing the most common types of cyber attacks. These attacks are usually targeted at organisations that have no basic protections.

Once you’ve introduced these measures, then you can become certified. There are two different levels of certification.

Cyber Essentials (CE). To reach this level, you take part in a self-assessment. This process is easy-to-follow so that even small organisations can take part. This level of certification costs from £320 (from 2 April 2024).

Cyber Essentials Plus (CE+). This level builds on the CE accreditation. We recommend this certification if your organisation uses technology to deliver your service. We also recommend this for organisations that process confidential data. What you pay for CE+ will depend on how big your organisation is.

Find out more about on-Island providers of Cyber Essentials.



Jersey Cyber Shield

Jersey Cyber Shield is a free service offered by JCSC for organisations. We have designed it to work with the security measures you already have to give you extra protection.

We use four methods to find security weaknesses which an attacker could target. If we find weaknesses, we tell you what they are so that you can address them.

Jersey Cyber Shield is suitable for different sizes of organisation and is free to join. (There are some optional elements which are more complex. Because of this, we may need to request a contribution if you want access to these services.)

You can find out more about Jersey Cyber Shield on this page.



The NCSC Cyber Assessment Framework (CAF)

The National Cyber Security Centre has designed the Cyber Assessment Framework (CAF) for organisations who deliver essential functions.

CAF is a free tool to help you assess how your organisation manages the cyber security risks you face. The CAF includes 14 outcomes across four areas:

  • managing security risk
  • protecting against cyber attack
  • detecting cyber security events
  • minimising the impact of security incidents

The CAF focuses on outcomes, rather than giving you a to-do list of actions to take. It includes guidance on how you can apply the principles to your organisation. It also links to other guidance including the NIST Cyber Security Framework.

Unlike other standards or frameworks, CAF doesn’t just focus on information technology. It also includes the operational technology organisations use to deliver their essential service.

If you use the CAF, you should check that you are still meeting the requirements of your regulatory body, where applicable.

Find out more via the NCSC website.



National Institute of Standards and Technology (NIST) Cyber Security Framework

NIST’s Cyber Security Framework helps organisations manage cyber security risks. The framework includes five sections which – used together – will help you manage risks over time.

The Framework does not set out steps to follow, but gives an outline of the things you need to consider. It gives guidance on the types of controls you can put in place, and what practices you can adopt.

Version 2.0 of the Framework is the most up-to-date version. You can read the full Framework here. There are also Quick Start Guides for different types of organisations.



International Organisation for Standardisation (ISO) Guidelines

The International Organisation for Standardisation (ISO) sets out best practice on a range of topics in Guidelines. These Guidelines are flexible so that organisations of different sizes can use them.

There are two Guidelines that can help you improve cyber security in your organisation. You should review which standard is most relevant to you. It may be that a combination of the standards is most useful.

ISO/IEC 27032:2023 is for any organisation which uses the internet as part of its day-to-day work. ISO/IEC 27032:2023 includes guidance on:

  • the links between internet security, web security, network security and cyber security
  • how to address common internet security issues
  • how to work with your stakeholders to resolve cyber security issues

ISO/IEC 27001:2022 is for companies of any size that own or manage data as part of their day-to-day work. ISO/IEC 27001:2022 includes guidance on:

  • how to vet people, policies and technologies to ensure they are secure
  • how to establish an Information Security Management System (ISMS)
  • how to develop policies, procedures and controls as part of your ISMS

Please note that the standards are updated from time to time to reflect the latest practice.



Reporting an incident

If you experience a major cyber security incident and report it to us, we can help you in several ways. We can provide technical advice and guidance to help you respond. We can also use our access to intelligence and expertise to help inform how you respond.

In some circumstances, we can provide direct technical support, and help you communicate.

You can also report an incident by phone on 01534 500050, via email (incidentreports@jcsc.je) or online via this form.

Find out more about how we can help.

Who you need to contact will depend on the type of attack, and the organisation.

There are a range of organisations you should contact: in some cases, this will depend on the nature of the incident.

The States of Jersey Police (SoJP). You should contact the SoJP where a crime has taken place, or if you suspect that a crime has taken place. They have the ability to handle digital forensic investigations. More information on how to report a crime is available via the SoJP website.

Jersey Office of the Information Commissioner (JOIC). You should report the incident to JOIC if the cyber attack has led to a personal data breach. You can find more information on when and how to report a breach via the JOIC website.

Action Fraud. Action Fraud is the UK reporting centre for fraud and cyber crime. You can make a report via the Action Fraud website.