Cyber Essentials and Cyber Essentials Plus are government-backed certification schemes open to all businesses. The scheme requires businesses to meet a defined set of standards and measures, ensuring that they are aware of the risks they face. Which risks? Well, something as simple as malware could affect your business if you don't have the right controls in place.
The Cyber Essentials scheme was launched in June 2014 by the NCSC and applies only to companies and organisations in the UK. Its initial target was small companies that were not aware of security issues.
Cyber Essentials is the UK government's information assurance scheme, operated by the National Cyber Security Centre. It encourages organisations to adopt good information security practices and was developed in collaboration with industry partners. The administration and management of the scheme have been handed to IASME. It is a regulated scheme, and certification must be issued by accredited bodies licensed by IASME.
What is the Cyber Essentials scheme?
Cyber Essentials (CE) certification is a self-assessment questionnaire submitted to a certification body. It is assessed against five key technical controls. Consider them a checkpoint: if you are missing any of these controls, your business is at risk, and where gaps in security hygiene are found you will get recommendations to rectify them and protect your organisation.
It is an excellent starting point for businesses on the first rung of the security maturity ladder, establishing cyber security hygiene against the most common attacks. Whether you are in the public or private sector, an SME or a large corporation, there is one common benchmark that can be used to gauge the condition of any organisation.
An independent body assesses each company and determines what steps must be taken. Continual reassessment then ensures that companies do not become complacent, which is what leads to gaps.
The main advantages of this scheme for your business are:
- Demonstrate your cyber security commitment to your customers and supply chain.
- Give you and your team a clear picture of your organisation's security maturity level.
- Validate your security controls against the most common cyber attacks.
- Attract new business, as it is a requirement for public sector and government contracts; many private organisations also seek it as an assurance factor.
How does it work?
Most cybercriminals are opportunistic, looking to bring under their control any sensitive data that has a resale value on underground markets. Stolen data is valuable in more forms than you might imagine.
Depending on the nature of the sensitive data, it can be sold on to multiple buyers according to how it can be misused (identity fraud, social engineering attacks, credit card accounts, or logging into the victim's various accounts).
The argument that 'only big companies are targets' doesn't stand up. Threat actors look for insecure installations, misconfigured applications, exposed endpoints, open databases and any other stepping stone that could lead to further privileges.
The Cyber Essentials scheme helps organisations avoid such pitfalls by ensuring the basic homework is in place. If an organisation is willing to take a more proactive approach, there is Cyber Essentials Plus certification, a step up from basic Cyber Essentials.
- The first step to securing your systems is often the hardest.
- Cyber Essentials is a self-assessment that allows you to demonstrate that appropriate cyber security measures are being taken for your systems, data and network.
- Many businesses choose to achieve Cyber Essentials certification first, before going on to Cyber Essentials Plus.
- Cyber Essentials (CE) is a stepping stone to the more advanced Cyber Essentials Plus (CE+) certification.
Cyber Essentials Controls
The key control areas assessed for Cyber Essentials certification are:
- Secure Configuration
- Access Control
- Malware Protection
- Patch Management
Determining what needs to be done will take your business forward in keeping data secure and safe from common cyber attacks. If you are looking for extensive technical assessments in each of these areas, check out our main offerings page on technical risk.
The basic certification involves no external processes such as onsite auditors or marking, but you can choose to involve an accredited assessor to support your CE journey.
Cyber Essentials Certification Process
Whether you are pursuing it for a tender, a public sector contract or a procurement prerequisite, you've made the right decision to go for this certification. More than a certificate, it prompts your team to act on security controls that might otherwise never improve.
- Initial scoping and objectives are agreed during an initial call. Some customers are comfortable completing the self-assessment questionnaire themselves; others require support (which attracts extra charges).
- The customer's submitted questionnaire is reviewed by our assessors. Should you fall short in certain areas, we advise on the corrections needed and agree timelines for resubmission.
- After a successful assessment, the CE certificate is issued to the customer.
What is Cyber Essentials Plus certification?
Cyber Essentials Plus certification is the next step after achieving your Cyber Essentials certification. It starts with a set of assessment tests that identify security gaps and produce a list of actionable items that must be completed to fix them.
It is a more advanced assessment than the basic certification: security experts from the certification body carry out a hands-on technical assessment, ensuring that verification is performed in line with good security practice.
The difference between CE and CE+ certification is the involvement of external assessors, who examine and understand the issues affecting the organisation and can advise on which identified risks must be remediated to achieve a pass.
This is performed on a wider scope than CE covers. It includes checks on secure communication controls and on the secure configuration of the operating systems and builds in use, and it ensures that the business follows a proactive approach to cyber security against more advanced threats.
CE+ Certification Process
- An assessor works with the customer to assess a sample of assets at your organisation (the sample size depends on the scale of your network and systems). Device hardening configuration checks are performed in the form of a technical audit.
- A vulnerability scan is performed on the in-scope systems to confirm the cyber security measures in place.
- An external network penetration test is performed on the Internet-facing infrastructure.
- A malware protection assessment is conducted using fake malicious content, to assess the behaviour of the endpoint controls and resources in place.
Customers are given a few weeks (up to 30 days) to remediate any identified vulnerability findings. On successful certification, your organisation is awarded a certificate that is valid for 12 months. You may choose whether or not to appear in the list of Cyber Essentials certified companies on the online register.
Cost of Cyber Essentials
Basic Cyber Essentials costs anywhere between £350 and £500. For customers who opt for an Internet security health check, we offer Cyber Essentials free of charge.
For Cyber Essentials Plus certification, organisations may find it priced anywhere between £1,400 and £2,500.
Which one is right for you: Cyber Essentials or Cyber Essentials Plus?
Cyber Essentials Plus is right for you if your organisation wants to go beyond the bare basics and follow a proactive approach to security. It helps your organisation make tangible improvements to its defensive controls.
Cyber Essentials is the basic framework geared towards the first step in cyber hygiene. It is the right choice if your organisation is very small and wants to demonstrate basic controls. Should you need to discuss your options or require guidance, we offer specific security compliance services.
Get in touch if you need guidance or initial information, or visit our security compliance services.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skill set in offensive security.