Cyber Essentials Requirements

What is Cyber Essentials?

Cyber Essentials is a scheme to help companies and organisations protect themselves against cybercrime. It includes a set of basic technical tools and techniques that you can use to guard against the most common cyber-attacks. Businesses who meet the Cyber Essentials standard can gain a certificate to prove their compliance.

Cyber Essentials isn’t just for big business, or those with lots of resources.

Any business, of any size, can get certified and realise its benefits.

Cyber Essentials was created by the UK Government in 2014.

It’s operated by the National Cyber Security Centre (NCSC) and supported by industry bodies including:

• Federation of Small Businesses (FSB)
• Confederation of British Industry (CBI)
• A number of insurance organisations

They usually offer incentives to businesses to get Cyber Essentials certified.

Even though Cyber Essentials is a UK government scheme, companies outside the UK can still gain certification.

What does Cyber Essentials cover?

The main areas covered by Cyber Essentials are:

• Guarding against phishing and ransomware attacks by training staff in how to spot scams, choosing good passwords and keeping software updated
• Combating malware and viruses by installing and configuring anti-malware and anti-virus applications, and making sure you only use applications you can trust
• Fending off network attacks from outside by setting up and configuring firewalls and routers correctly
• Controlling access to your data with properly configured accounts, so people only access servers and files they genuinely need to use.

The idea behind Cyber Essentials is that most cyber-attacks are blunt instruments, rather than sophisticated hacks.

The certification defines a focused set of controls with clear guidance on basic cyber security for companies of all sizes.

It offers a sound foundation of cyber security measures that can be implemented with a relatively low cost.

Criminals with fairly basic equipment and skills can launch simple attacks against a lot of businesses.

They are opportunistic in the hope that some of them will get through.

As an example:

Don’t be that low-hanging fruit.

Take what precautions you can, to keep safe.

So, what do existing certified companies think of the Cyber Essentials certification?

According to the NCSC, 93% of certified companies surveyed say they are confident they are protected against common, internet-based cyber attacks.

They found that certified companies are more likely than their non-certified counterparts to be:

• Aware of the risks posed by cyber-attacks (including at a senior level)
• Confident that they are protected from these attacks
• Implementing cyber security controls, including taking steps beyond the technical controls required to become certified
• Positive about the scheme, particularly its impact on customer and investor confidence

Which leads us on nicely to the difference between Cyber Essentials and Cyber Essentials Plus:

What's the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials includes two levels:

• Cyber Essentials
• Cyber Essentials Plus

Cyber Essentials

Cyber Essentials allows you to assess your own security against cyber threats and learn what you can do to prevent them.

To gain the certification, you complete a Self-Assessment Questionnaire (SAQ) that covers the following areas:

• Your Company
• Scope of Assessment
• Insurance
• Office Firewalls & Internet Gateways
• Secure Configuration
• Security Update Management
• User Accounts
• Administrative Accounts
• Malware Protection

A member of your board must sign the SAQ to affirm that it’s accurate and complete.

Even though you submit the Cyber Essentials questionnaire yourself, we recommend you get expert third-party input to make sure you’ve got everything right.

Some of the questions can be complex, particularly if you manage your own IT and don’t have a technical background. 

So, what about Cyber Essentials Plus?

Cyber Essentials Plus

Cyber Essentials Plus is very similar, but includes a higher level of validation.

It includes a technical audit of the systems involved as well as the SAQ.

You can re-use an SAQ you completed for Cyber Essentials for Cyber Essentials Plus.

You’ll need to apply within three months of completing the SAQ.

Your Cyber Essentials Plus audit will be carried out by a qualified organisation known as a Certification Partner.

The audit will include looking for:

• External vulnerabilities
• An internal scan
• An on-site assessment, for which they’ll have to visit your premises.

During the on-site visit, the auditor will look at a representative sample of your devices to make sure they’re being managed in the right way.

If you pass your audit, your certification body will give you a Cyber Essentials Plus certificate, providing independent confirmation that you meet the standard.

If you fail, you’ll need to fix the outstanding issues before you re-apply.

Is Cyber Essentials certification worth it?

In short, yes.

Basic Cyber Essentials is a good option if you just want to demonstrate that you have essential controls in place.

If your business is based at a single location, and your network is only accessed by team members when they physically come into work, then basic Cyber Essentials is probably enough for you.

The more access points there are to your network, the more likely you’ll need Cyber Essentials Plus.

For example:

Why become Cyber Essentials certified?

The main reason to gain Cyber Essentials certification is to get a clear picture of the cyber threats you’re facing, and protect your business against them.

Cybercrime is a real and growing danger.

Just by having Cyber Essentials, you make yourself a less attractive target for cyber criminals.

Think about it:

The group without protection is a much easier target than the one with.

If you aren’t certified, you mark yourself out as potentially vulnerable.

This could act as encouragement for hackers to try more subtle and powerful attacks.

Cyber Essentials also shows customers, suppliers and partners that you take digital security seriously.

It shows that they can trust you with their confidential data.

Every certified business is listed on the NCSC’s website.

If you’re bidding for a government contract that involves handling certain sensitive and personal information, you’ll need Cyber Essentials certification.

What’s the cost of Cyber Essentials?

In terms of cost, expert guidance on basic Cyber Essentials certification is usually covered by a flat fee for scoping work.

Any remedial work would be an additional cost.

Cyber Essentials Plus is more complex and depends on the size of your company.

You’ll need to contact your provider to get a tailored quote.