Cyber Essentials is a certification scheme designed to help businesses protect themselves from common cyber threats. It provides a framework of essential security controls that businesses can implement to reduce their risk of a cyber attack.
By achieving Cyber Essentials certification, businesses can demonstrate to customers, suppliers and other stakeholders that they have taken steps to protect their sensitive data and systems. This can help to build trust and confidence in the business, as well as improve its reputation.
Cyber Essentials certification can also help businesses to reduce their insurance premiums and improve their overall risk management.
Below, we answer some of the most frequently asked questions about Cyber Essentials – including how much it costs.
How is Cyber Essentials accredited to businesses?
To achieve Cyber Essentials certification, businesses must demonstrate that they have implemented the five technical controls set out by the NCSC. These controls address key weaknesses often exploited by cybercriminals. They are:
- Firewalls: Firewalls should be used to control network traffic and prevent unauthorised access to systems.
- Secure configuration: Business systems must be configured correctly and securely, using strong passwords, disabling unnecessary services and patching vulnerabilities.
- Patch management: Businesses must keep their systems up-to-date with the latest security patches to protect against known vulnerabilities.
- User access control: Strong user access controls must be used to prevent unauthorised access to business systems. This includes using strong passwords, limiting user privileges and monitoring user activity.
- Malware protection: Businesses must have effective malware protection in place to detect and prevent malicious software from infecting their systems. This includes using antivirus software, firewalls, and security awareness training for employees.
The certification process involves a self-assessment questionnaire and a vulnerability scan. The questionnaire asks businesses about their security practices and procedures, while the vulnerability scan checks for weaknesses in their systems. Once a business has successfully completed these steps, it will be awarded Cyber Essentials certification.
What are the assessment criteria for Cyber Essentials?
The strict pass criteria associated with Cyber Essentials are set by the UK Government’s National Cyber Security Centre (NCSC), who assess whether a business has passed or failed. The first criterion you need to meet is being a UK-based business with a minimum of five employees.
Organisations then need to get most of the questions correct in each section of the self-assessment questionnaire to pass that part of the Cyber Essentials assessment. Passing the self-assessment questionnaire section will enable you to move on to the vulnerability scan, which forms the Cyber Essentials Plus certification.
In both the self-assessment and the vulnerability scan, the assessor will be looking to determine how you apply the five core controls and any other weaknesses within your security posture.
Does the NCSC do the assessments?
While the NCSC sets the standards and oversees the scheme, they do not directly certify businesses.
Certification providers are authorised by the NCSC to assess businesses against the Cyber Essentials requirements. These providers supply the self-assessment questionnaire, vulnerability scan and assessment to ensure you meet the criteria for certification.
Some providers may also be able to support you to address issues in your business to move you closer to the Cyber Essentials benchmark.
IASME has a directory of Cyber Essentials providers to help you find one near you.
How much does Cyber Essentials cost?
The cost of Cyber Essentials certification can vary depending on several factors, including the size of your business, the complexity of your IT infrastructure and the certification provider you choose.
Here’s a breakdown of the potential costs involved:
- Self-assessment and vulnerability scan: These are typically included in the certification fee, but some providers may charge extra for additional services.
- Certification fee: This fee is typically charged by the certification provider and can range from a few hundred to a few thousand pounds.
- Third-party provider costs: If you choose to use a third-party provider to assist with the certification process, you may incur additional costs for their services.
It’s important to compare quotes from different providers to find the best deal for your business. Additionally, you may be able to reduce costs by conducting the self-assessment and vulnerability scan in-house.
Should you apply for a Cyber Essentials certification in addition to an ISO 27001 certification?
There is increasing demand for companies to have both Cyber Essentials and ISO 27001 certifications to be eligible to apply for large tenders. ISO 27001 is process driven, whereas the Cyber Essentials Certification is technically driven.
We therefore recommend you consider obtaining both for your business, especially if you want to prove yourself as a secure partner for tenders and improve customer trust.
What is Cyber Essentials Plus?
Cyber Essentials Plus is the next level of assurance through the external testing of the organisation’s cyber security approach. It requires you to meet stricter criteria, with controls around data protection, incident response and supply chain management. Unlike Cyber Essentials’ self-assessment approach, it requires independent verification by a certified Cyber Essentials Plus assessor, which is provided by IASME.
The Cyber Essentials Plus certification can only be obtained by a business after the Cyber Essentials Standard has been awarded. This fully audited certification is awarded by an external Certification Body and offers a higher level of assurance through the external testing of the business’s cyber security approach. A thorough security scan of the network is undertaken, and all vulnerabilities are identified.
Cyber Essentials Plus is recommended for businesses who:
- Want to tender for large value projects
- Work with highly regulated industries
- Are looking for an enhancement of their ISO 27001 certification
How can a company upgrade its Cyber Essentials certification to Cyber Essentials Plus?
First, you need to implement the additional security controls required by Cyber Essentials Plus. Then, you’ll need to arrange for an independent assessment by a certified Cyber Essentials Plus assessor.
In response to this assessment, you’ll need to address any identified gaps in your security practices and maintain continuous monitoring of your security posture.
If you can demonstrate the above, you will be given Cyber Essentials Plus certification. Please note, you need to repeat this process annually to keep your certification.
How long will it take to certify a company?
The time it takes to certify a company for Cyber Essentials can vary depending on several factors, including:
- The size and complexity of the business’s IT infrastructure.
- The current state of the business’s security practices.
- The efficiency of the certification process.
Generally, the certification process can take anywhere from a few weeks to a few months.
What is the value of working with a third party to receive Cyber Essentials certification?
As mentioned, you will need to work with a third-party provider to receive both Cyber Essentials and Cyber Essentials Plus certification.
However, a third-party provider can also help you prepare for the assessment. This includes conducting an internal audit to understand where your weaknesses are so they can be addressed ahead of the formal assessment. They can also provide guidance and tools to help you meet the required criteria and strengthen your security posture.
Why do clients choose Infinity Group for Cyber Essentials?
We’ve worked with many clients to undertake their Cyber Essentials audits. Our affordable Cyber Essentials certification packages include an on-site audit of your current setup, including a list of recommendations in line with Cyber Essentials’ strict certification criteria. Our in-house specialist IT security team can undertake the tasks outlined in the audit quickly, ensuring our clients pass the certification as quickly as possible with minimal time needed from them.
In the case of Cyber Essentials Plus, we can also arrange for you to undertake an assessment for this once you have received Cyber Essentials certification. We can also support you in meeting the criteria required for this.
How long will it take us to audit and certify a company?
The actual audit can take place at your office or remotely, with one of our cyber security consultants on-site for half a business day (4 hours).
We can complete the Cyber Essentials Standard certification within 2-3 weeks. This includes time for us to complete the audit, produce the report and arrange for the accredited body we partner with to assess your business for the Cyber Essentials certification.
If work needs to be completed to make your business compliant following the audit, this may extend the timeframe further. But we will work with you to get everything into shape as smoothly and as quickly as possible.
Infinity Group are accredited Cyber Essentials auditors. To find out more about the Cyber Essentials Scheme, Cyber Essentials Plus and the cost relating to both certifications, please get in touch.