Question 1

What Is Cyber Essentials

Accepted Answer

Cyber Essentials is a cybersecurity certification scheme created by the UK government to assist organisations of all sizes in protecting themselves from common cyber attacks. It includes a collection of basic cybersecurity rules that organisations can use to reduce the risk of typical cyber assaults.

The scheme focuses on five main areas:

Firewalls: Ensuring that internet-connected devices have appropriate firewalls to secure the network.
Secure Configuration: Implementing secure settings and configurations for devices and software.
User Access Control: Managing user access to systems and data, ensuring that only authorised individuals have access.
Malware Protection: Protecting against malware and other malicious software through the use of antivirus and antimalware solutions.
Patch Management: Keeping software and systems up-to-date with the latest security patches.

To demonstrate compliance with these cybersecurity policies, organisations can conduct a self-assessment or obtain certification from a third-party certification authority. Achieving Cyber Essentials certification can help organisations improve their cybersecurity posture, earn the trust of customers and partners, and demonstrate a commitment to protecting sensitive data.

Question 2

What Is Cyber Essentials Plus

Accepted Answer

Cyber Essentials Plus is an enhanced level of certification within the Cyber Essentials programme. While Cyber Essentials focuses on self-assessment and fundamental cybersecurity controls, Cyber Essentials Plus requires a more in-depth and hands-on assessment of an organisation's cybersecurity measures.

The fundamental distinction is in the verification procedure:

Self-Assessment (Cyber Essentials): In the basic Cyber Essentials certification, organizations complete a self-assessment questionnaire to demonstrate their compliance with the specified cybersecurity controls. This is a self-declaration process.
Technical Verification (Cyber Essentials Plus): In Cyber Essentials Plus, an independent cybersecurity expert or a certification body conducts a more rigorous assessment. This includes an on-site or remote technical audit of the organization's systems and networks. The aim is to verify that the cybersecurity controls are not only implemented but are also effective in practice.

Cyber Essentials Plus uses simulated cyber attacks to test an organization's defences, and the certification process often includes vulnerability assessments and penetration testing.

Achieving Cyber Essentials Plus certification assures stakeholders, clients, and partners of an organization's cybersecurity resilience. It indicates that not only has the organisation established the essential controls, but that an independent assessment has validated the effectiveness of those measures through practical testing. This extra degree of examination gives Cyber Essentials Plus a more rigorous and comprehensive certification than the original Cyber Essentials.

Question 3

How To Get Cyber Essentials Certification

Accepted Answer

To obtain Cyber Essentials certification, you can follow these general steps:

Understand the Requirements: Familiarise yourself with the Cyber Essentials requirements outlined by the UK government. There are specific controls related to firewalls, secure configuration, user access control, malware protection, and patch management.
Prepare Your Organisation: Ensure that your organisation has implemented the necessary cybersecurity controls. This may involve updating software, configuring firewalls, managing user access, installing antivirus software, and maintaining secure configurations.
Self-Assessment (Cyber Essentials): For the basic Cyber Essentials certification, you can perform a self-assessment using the online questionnaire provided by the Cyber Essentials scheme. This questionnaire will guide you through the controls, and you'll need to answer questions related to your organisation's cybersecurity practices.
Submit Your Self-Assessment: After completing the self-assessment questionnaire, submit it through the Cyber Essentials online portal. The certification body will review your responses.
Cyber Essentials Plus (Optional): If you want to achieve the higher level of certification, Cyber Essentials Plus, you'll need to undergo a technical verification process. This typically involves engaging with a certification body or a qualified assessor who will conduct an on-site or remote audit, including vulnerability assessments and penetration testing.
Receive Certification: Once your self-assessment (and, if applicable, the technical verification) is successful, you will receive the Cyber Essentials certification. You can use this certification to demonstrate your commitment to cybersecurity to clients, partners, and stakeholders.
Maintain Compliance: Cybersecurity is an ongoing process, and it's important to maintain the implemented controls and stay vigilant against evolving cyber threats. Regularly review and update your cybersecurity practices to remain compliant.

It's worth noting that the Cyber Essentials scheme is primarily associated with the UK, but the principles and practices it advocates can be valuable for organisations globally. If you are not in the UK, you may explore other cybersecurity certifications and frameworks that align with your region's standards and regulations.

Question 4

How Long Does Cyber Essentials Certification Last

Accepted Answer

The Cyber Essentials credential has a one-year expiration date. Organisations certified as Cyber Essentials must renew their certification every year to show that they are still adhering to the necessary cybersecurity criteria.

It's crucial to remember that the certifying authority or governing body may update or modify certification validity periods and renewal procedures. Therefore, for the most up-to-date and correct information regarding certification duration and renewal processes, it is advised to check the official Cyber Essentials website or get in touch with the appropriate certifying body.

Keep in mind that cybersecurity is a dynamic field, with best practices and threats evolving over time. Regularly upgrading and reviewing cybersecurity measures is critical for maintaining a robust defence against evolving threats. Organisations should stay up to date on changes to cybersecurity requirements and alter their processes accordingly to improve their overall security posture.

Question 5

What Is Cyber Essentials Plus Certification

Accepted Answer

Cyber Essentials Plus is an additional level of cybersecurity certification that expands on the basic Cyber Essentials certification. While Cyber Essentials emphasises self-assessment and adherence to essential cybersecurity policies, Cyber Essentials Plus requires a more thorough and hands-on verification methodology.

Here are the key features of Cyber Essentials Plus:

Technical Verification: Cyber Essentials Plus includes a technical verification process, which goes beyond the self-assessment aspect of basic Cyber Essentials. An independent cybersecurity expert or a certification body conducts a more thorough examination of an organisation's systems and networks.
On-Site or Remote Audit: The technical verification often involves an on-site or remote audit to assess the implementation and effectiveness of cybersecurity controls. This can include examining network configurations, conducting vulnerability assessments, and performing penetration testing.
Simulated Attacks: As part of the assessment, organisations may undergo simulated cyber attacks to evaluate the resilience of their systems and defenses. This can provide a more realistic understanding of how well the cybersecurity measures withstand potential threats.
Vulnerability Assessments and Penetration Testing: Cyber Essentials Plus typically includes vulnerability assessments and penetration testing to identify and address potential weaknesses in an organisation's cybersecurity infrastructure.
Higher Level of Assurance: Achieving Cyber Essentials Plus certification provides a higher level of assurance compared to basic Cyber Essentials. It signifies that not only has an organisation implemented the necessary controls, but an independent assessment has verified their effectiveness through practical testing.

Question 6

How Much Does Cyber Essentials Cost

Accepted Answer

The cost of obtaining Cyber Essentials certification varies depending on several factors, including the organisation's size, level of certification (basic Cyber Essentials or Cyber Essentials Plus), and whether the assessment is performed internally or by an external certification body.

Below are some general considerations:

Self-Assessment (Basic Cyber Essentials): If an organisation chooses to perform the self-assessment for basic Cyber Essentials internally, the cost may be limited to the time and resources required to implement the necessary cybersecurity controls and complete the online questionnaire. The self-assessment is typically more cost-effective compared to the Plus certification.
External Certification Body (Basic Cyber Essentials or Cyber Essentials Plus): Engaging an external certification body for Cyber Essentials or Cyber Essentials Plus involves additional costs. The certification body may charge fees for their services, which can include reviewing documentation, conducting on-site or remote assessments, and providing the official certification.
Technical Verification (Cyber Essentials Plus): Cyber Essentials Plus, with its technical verification and potential on-site assessments, generally incurs higher costs compared to basic Cyber Essentials. The involvement of cybersecurity experts, vulnerability assessments, penetration testing, and the more comprehensive evaluation contribute to the increased cost.
Consultancy Services: Some organisations may choose to hire cybersecurity consultants or experts to assist in the preparation for certification. These consultants can help ensure that the organisation meets the required standards and is well-prepared for the certification process.

Organisations should examine the benefits of obtaining Cyber Essentials certification in terms of improving their cybersecurity posture and creating trust with clients, partners, and stakeholders. Costs can vary between certifying bodies and service providers, so it's best to get quotes and understand the exact services included in the cost.

For the most accurate and up-to-date cost information, organisations should contact certifying bodies or appropriate authorities in their region that manage the Cyber Essentials programme.

Question 7

Why Is Cyber Essentials Important

Accepted Answer

Cyber Essentials is important for several reasons, as it provides a foundational framework for improving and demonstrating an organisation's cybersecurity posture. Here are key reasons why Cyber Essentials is considered important:

Basic Cybersecurity Hygiene: Cyber Essentials outlines fundamental cybersecurity controls that organizations should implement. This includes measures related to firewalls, secure configuration, user access control, malware protection, and patch management. By adhering to these controls, organisations establish a baseline of cybersecurity hygiene.
Protection Against Common Threats: The controls specified in Cyber Essentials are designed to protect against common cyber threats. By addressing vulnerabilities and implementing best practices, organisations can reduce the risk of falling victim to prevalent cyber attacks such as phishing, malware, and unauthorised access.
Customer and Partner Trust: Achieving Cyber Essentials certification demonstrates an organisation's commitment to cybersecurity best practices. This can build trust with customers, partners, and stakeholders who may have concerns about the security of sensitive information. It serves as a visible sign that the organisation takes cybersecurity seriously.
Competitive Advantage: Cyber Essentials certification can provide a competitive advantage in the marketplace. Many organisations, especially those involved in government contracts or industries with stringent security requirements, may prefer to work with suppliers and partners who have demonstrated a commitment to cybersecurity through certification.
Regulatory Compliance: In some cases, Cyber Essentials certification may be required to meet specific regulatory or contractual obligations. Government agencies and industry regulators may mandate or recommend the certification as part of cybersecurity compliance measures.
Risk Mitigation: Cyber Essentials helps organisations identify and mitigate cybersecurity risks. By implementing the recommended controls, organizations can enhance their resilience against potential threats and minimise the impact of security incidents.
Continuous Improvement: The certification process encourages organisations to continuously assess and improve their cybersecurity practices. Regularly reviewing and updating security measures is crucial in the face of evolving cyber threats.
Global Relevance: While initially associated with the UK, the principles outlined in Cyber Essentials are globally relevant. Organisations worldwide can benefit from adopting these foundational cybersecurity practices to strengthen their overall security posture.

Cyber Essentials is important for establishing a baseline of cybersecurity hygiene, protecting against common threats, building trust, and meeting regulatory requirements. It serves as a practical and valuable tool for organisations looking to enhance their cybersecurity resilience.

Question 8

How Do I Get Cyber Essentials Certification

Accepted Answer

To obtain Cyber Essentials certification, you can follow these general steps:

Review the Cyber Essentials Requirements: Familiarize yourself with the Cyber Essentials requirements outlined by the relevant certification authority or governing body. The requirements typically cover areas such as firewalls, secure configuration, user access control, malware protection, and patch management.
Prepare Your Organisation: Ensure that your organization has implemented the necessary cybersecurity controls. This may involve updating software, configuring firewalls, managing user access, installing antivirus software, and maintaining secure configurations.
Select Certification Level: Decide whether you want to pursue the basic Cyber Essentials certification or the more advanced Cyber Essentials Plus. The Plus certification involves a more rigorous assessment, including technical verification by an independent assessor.
Self-Assessment (Cyber Essentials): For basic Cyber Essentials certification, you can perform a self-assessment using the online questionnaire provided by the Cyber Essentials scheme. This questionnaire will guide you through the controls, and you'll need to answer questions related to your organisation's cybersecurity practices.
Submit Your Self-Assessment: After completing the self-assessment questionnaire, submit it through the Cyber Essentials online portal. The certification body will review your responses.
Cyber Essentials Plus (Optional): If you choose to pursue Cyber Essentials Plus, you'll need to engage with an independent certification body or assessor. They will conduct a more thorough assessment, including on-site or remote technical verification, vulnerability assessments, and potentially penetration testing.
Receive Certification: Once your self-assessment (and, if applicable, the technical verification) is successful, you will receive the Cyber Essentials certification. You can use this certification to demonstrate your commitment to cybersecurity to clients, partners, and stakeholders.
Renew Certification Annually: Cyber Essentials certification is typically valid for one year. Organisations need to renew their certification annually by reassessing and ensuring continued adherence to the cybersecurity controls.
Consider Professional Assistance: Some organisations choose to seek professional assistance from cybersecurity consultants or certification bodies to ensure a smoother certification process, especially for Cyber Essentials Plus.

It's important to check with the official Cyber Essentials website or the relevant certification authority for the most up-to-date information and specific guidance regarding the certification process in your region.

Question 9

When Was Cyber Essentials Launched

Accepted Answer

The UK Government established Cyber Essentials in June 2014 as part of its National Cybersecurity Strategy. The project was created to assist organisations, particularly small and medium-sized firms (SMEs), in strengthening their cybersecurity defences against prevalent cyber threats.

The primary purpose of Cyber Essentials is to provide a set of basic cybersecurity measures that organisations can use to protect themselves against frequent cyber threats. Its goal is to set a baseline for cybersecurity hygiene and encourage organisations to implement core security practices.

Since its inception, Cyber Essentials has been seen as a beneficial certification for organisations wishing to improve their cybersecurity posture and demonstrate their dedication to protecting sensitive information. The concept applies to a wide range of industries and has been accepted by both corporations and government agencies.

Question 10

What Are The Benefits Of Cyber Essentials Certification

Accepted Answer

Obtaining Cyber Essentials certification offers several benefits for organizations, including:

Improved Cybersecurity Posture: Cyber Essentials certification encourages organizations to implement foundational cybersecurity controls, enhancing their overall cybersecurity posture. This includes measures to protect against common cyber threats such as malware, phishing, and unauthorised access.
Risk Mitigation: By adhering to the controls outlined in Cyber Essentials, organizations can identify and mitigate cybersecurity risks. This proactive approach helps prevent and minimize the impact of potential security incidents.
Customer and Partner Trust: Cyber Essentials certification is a visible demonstration of an organisation's commitment to cybersecurity best practices. This can build trust with customers, partners, and stakeholders, especially in industries where security is a critical concern.
Competitive Advantage: Cyber Essentials certification can provide a competitive advantage in the marketplace. Many organisations, especially those in government contracts or industries with strict security requirements, may prefer to work with suppliers and partners who have demonstrated a commitment to cybersecurity through certification.
Regulatory Compliance: In some cases, Cyber Essentials certification may be required to meet specific regulatory or contractual obligations. Achieving certification ensures that an organisation complies with cybersecurity standards and regulations.
Reduced Cyber Insurance Premiums: Some insurance providers may offer reduced premiums or better terms for organizations that have obtained Cyber Essentials certification. This certification can be seen as a proactive step in managing cyber risks.
Increased Cyber Resilience: Implementing the controls outlined in Cyber Essentials contributes to increased cyber resilience. Organizations are better prepared to withstand and recover from cyber attacks, reducing potential downtime and financial losses.
Global Recognition: While Cyber Essentials originated in the UK, its principles are globally recognized. The certification can be valuable for organisations operating internationally, demonstrating a commitment to cybersecurity best practices.
Demonstrated Due Diligence: Cyber Essentials certification serves as evidence of an organisation's due diligence in protecting sensitive information. This can be particularly important when handling customer data or sensitive business information.
Continuous Improvement: The certification process encourages organisations to continuously assess and improve their cybersecurity practices. Regularly reviewing and updating security measures is crucial in the face of evolving cyber threats.

Overall, Cyber Essentials certification provides a structured approach for organisations to strengthen their cybersecurity defenses, instill trust, and stay competitive in an increasingly digital and interconnected business environment.

Cyber Essentials

Demonstrate your commitment to Cyber Security

Basic security controls required for Cyber Essentials certification

Management of software patches & updates

Secure connections to the internet

Secure devices & configurations

Controlled access to devices & data

Protection from viruses & other malware

Levels of Cyber Essentials certification

Cyber Essentials certification

Cyber Essentials Plus

What Does Cyber Essentials Plus Involve?

Clients we've helped

Our expertise. Your questions answered

What’s the easiest thing to implement in my office?

Am I investing my Cyber Security budget correctly?

How do I educate my team to handle cyber threats?

What do I do when something goes wrong?

Contact us

Head office

London office

APAC office