Cyber Essentials


Security is the backbone of your business

Why do you need Cyber Essentials?

Cyber Essentials covers everything your business should do to protect itself from cyberattacks. Think of it as ‘cyber hygiene’ – a bit like washing your hands, brushing your teeth or wearing a face mask.

Simply being certified can reduce your cyber risk by up to 98.5%. And it’s a great way to demonstrate to new customers and partners that you take cybersecurity seriously – helping you grow as well as stay safe.

We’ll have you certified fast. No jargon. No endless back and forth. And all the expert guidance you need to pass first time.

What's the difference?

Cyber Essentials or Cyber Essentials Plus

Cyber Essentials

Cyber Essentials is an independently verified self-assessment certification that demonstrates that an organisation has the most important cyber security controls in place.

The annually renewable certification scheme consists of five controls that will reduce the impact of commodity* cyber attacks from the internet.

*Commodity is a term used to describe common, low skill, low sophistication cyber attacks that rely on tools which are widely available on the internet.

Cyber Essentials Plus - The same scheme but a higher level of assurance

Cyber Essentials Plus is based on the same technical requirements as Cyber Essentials and starts with the Cyber Essentials verified assessment questionnaire. The difference is that Cyber Essentials Plus also includes a technical audit of your IT systems to verify that the controls are in place. In this way, it gives more assurance that you are complying with the scheme.

It is also worth noting that the pass bar is set to a slightly higher level for Cyber Essentials Plus. Whereas it is possible to pass the Cyber Essentials verified self-assessment with one or two non-compliances, if a non-compliance is discovered during Cyber Essentials Plus the applicant has 30 days to remediate and will not pass until it is remediated. This means that even though the technical requirements are the same, the pass bar is set to a higher level. It is an audit of the technical requirements rather than a direct audit of the answers given in your verified self-assessment.

How does the verified self-assessment work?

The Cyber Essentials assessment consists of a verified self-assessment questionnaire which must be answered on the assessment platform after registering for certification. Organisations are encouraged to download the question set from the IASME website to help them understand the questions and prepare their answers in advance before registering for certification. It is possible to cut and paste your answers from the preparation spreadsheet onto the assessment platform, but your completed answers on a spreadsheet will not be accepted for assessment.

Once registered for certification, organisations log onto a secure portal to answer exactly the same questions that are available to be downloaded from the website. The questions address the scope of the assessment and the five core controls. These include user access control, secure configuration, security update management, firewalls and routers, and malware protection.

A senior member of the board must e-sign a document to verify that all the answers are true and then a qualified external Assessor will mark the answers. Organisations have 6 months from the date of application to pass the assessment and attain certification.

How does the Cyber Essentials Plus audit work?

An organisation can complete their Cyber Essentials Plus audit within 3 months of their last Cyber Essentials certification.

The audit can be carried out on site or remotely and includes vulnerability scans of the organisation’s scoped infrastructure. The auditor will also carry out some checks by observing users carrying out everyday tasks on a set of sampled devices.

The tests that currently take place are:

An external scan from the internet against each one of the applicant’s public IP addresses. The purpose of this scan is to check for any vulnerabilities or open services that could be publicly discovered and to confirm that access control has been configured securely.

A sample of devices that is representative of the applicant’s infrastructure is tested. This will include servers, desktop computers, laptops, thin clients, tablets and mobile phones. To make sure a full sample is taken, each type of operating system in use is required to be tested.

The sampled devices will have the following checks carried out:

  • A full vulnerability scan or manual check against each device to confirm that all installed software is supported and has had all high and critical vulnerability patches applied within 14 days of release.
  • Where it is in place, a check of malware protection for each device. This will include manual configuration checks or test files being sent via email and through a web browser, and observing what happens when the user clicks on the files. (All test files are safe and benign.)
  • A check for account separation, where the auditor asks each user from every sampled device to confirm they cannot carry out administrator functions on their standard user accounts.
  • A check against all cloud services to confirm that the users of the sampled devices are presented with a multi-factor authentication challenge when trying to log on to all cloud services that they use. (All cloud services need to have at least one standard user account and one administrator account checked.)
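The device and cloud-service checks listed above can be rehearsed before the auditor arrives by evaluating your own inventory against the same rules. The script below is an added illustration, not a scheme tool and not code from Halifax Computers or IASME; the device, patch and account records are constructed, and the field names are assumptions chosen for the example.

```python
from collections import namedtuple
from datetime import date, timedelta

# Added illustration of the Cyber Essentials Plus device and cloud-service checks
# described above, evaluated over constructed inventory data; it is not a scheme tool.
PATCH_SLA = timedelta(days=14)            # high/critical patches must be applied within 14 days
AUDIT_SEVERITIES = ("critical", "high")   # lower severities are not part of this check

Patch = namedtuple("Patch", "package severity released applied")   # applied: bool
Device = namedtuple("Device", "name os os_supported patches std_user_can_admin")
CloudAccount = namedtuple("CloudAccount", "service role mfa_prompted")  # role: standard|admin

def device_findings(dev, today):
    """Audit-style findings for one sampled device; an empty list means it passes."""
    out = []
    if not dev.os_supported:
        out.append(f"{dev.name}: {dev.os} is out of vendor support")
    for p in dev.patches:
        overdue = today > p.released + PATCH_SLA
        if p.severity in AUDIT_SEVERITIES and not p.applied and overdue:
            out.append(f"{dev.name}: {p.package} {p.severity} patch overdue since {p.released + PATCH_SLA}")
    if dev.std_user_can_admin:
        out.append(f"{dev.name}: standard user account can perform administrator functions")
    return out

def cloud_findings(accounts):
    """Every service needs one standard and one admin account sampled, each prompted for MFA."""
    out = []
    for service in sorted({a.service for a in accounts}):
        for role in ("standard", "admin"):
            sampled = [a for a in accounts if a.service == service and a.role == role]
            if not sampled:
                out.append(f"{service}: no {role} account was sampled")
            elif not all(a.mfa_prompted for a in sampled):
                out.append(f"{service}: {role} account logged in without an MFA challenge")
    return out

# Constructed sample data: LAPTOP-01 has one overdue critical patch and one high patch
# still inside its 14-day window; SRV-01 runs an unsupported OS with a privileged standard user.
TODAY = date(2024, 6, 1)
DEVICES = [
    Device("LAPTOP-01", "Windows 11", True,
           [Patch("browser", "critical", date(2024, 5, 1), False),
            Patch("office", "high", date(2024, 5, 25), False)], False),
    Device("SRV-01", "Windows Server 2012", False, [], True),
]
ACCOUNTS = [CloudAccount("M365", "standard", True), CloudAccount("M365", "admin", False),
            CloudAccount("CRM", "standard", True)]
```

Calling `device_findings(d, TODAY)` for each device and `cloud_findings(ACCOUNTS)` lists the non-compliances an auditor would raise; a patch inside its 14-day window is deliberately not reported.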