Thursday, November 11, 2021

Cyber Essentials Requirements

Cyber Essentials Requirements

According to the Cyber Security Breaches Survey 2021, the average annual cost for micro and small businesses that lost data or assets after cyber security breaches in the UK was £8,170.

In 2020, this figure was £2,340. An increase of 249%.

An alarming change 😬

So, what can you do to protect your business from these attacks?

Today, we’re going to take a look at Cyber Essentials:

What is Cyber Essentials?

Cyber Essentials is a scheme to help companies and organisations protect themselves against cybercrime. It includes a set of basic technical tools and techniques that you can use to guard against the most common cyber-attacks. Businesses who meet the Cyber Essentials standard can gain a certificate to prove their compliance.

Cyber Essentials isn’t just for big business, or those with lots of resources.

Any business, of any size, can get certified and realise its benefits.

Cyber Essentials was created by the UK Government in 2014.

It’s operated by the National Cyber Security Centre (NCSC) and supported by industry bodies including:

They usually offer incentives to businesses to get Cyber Essentials certified.

Even though Cyber Essentials is a UK government scheme, companies outside the UK can still gain certification.

What does Cyber Essentials cover?

The main areas covered by Cyber Essentials are:

  • Guarding against phishing and ransomware attacks by training staff in how to spot scams, choosing good passwords and keeping software updated
  • Combating malware and viruses by installing and configuring anti-malware and anti-virus applications, and making sure you only use applications you can trust
  • Fending off network attacks from outside by setting up and configuring firewalls and routers correctly
  • Controlling access to your data with properly configured accounts, so people only access servers and files they genuinely need to use.

The idea behind Cyber Essentials is that most cyber-attacks are blunt instruments, rather than sophisticated hacks.

The certification defines a focused set of controls with clear guidance on basic cyber security for companies of all sizes.

It offers a sound foundation of cyber security measures that can be implemented with a relatively low cost.

Criminals with fairly basic equipment and skills can launch simple attacks against a lot of businesses.

They are opportunistic in the hope that some of them will get through.

As an example:

It’s a bit like walking down the street and trying every front door in case it’s unlocked.

Don’t be that low-hanging fruit.

Take what precautions you can, to keep safe.

So, what do existing certified companies think of the Cyber Essentials certification?

According to the NCSC, 93% of certified companies surveyed say they are confident they are protected against common, internet-based cyber attacks.

They found that certified companies are more likely than their non-certified counterparts to be:

  • Aware of the risks posed by cyber-attacks (including at a senior level)
  • Confident that they are protected from these attacks
  • Implementing cyber security controls, including taking steps beyond the technical controls required to become certified
  • Positive about the scheme, particularly its impact on customer and investor confidence

Which leads us on nicely to the difference between Cyber Essentials and Cyber Essentials Plus:

What's the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials includes two levels:

Cyber Essentials

Cyber Essentials allows you to assess your own security against cyber threats and learn what you can do to prevent them.

To gain the certification, you complete a Self-Assessment Questionnaire (SAQ) that covers the following areas:

  • Your Company
  • Scope of Assessment
  • Insurance
  • Office Firewalls & Internet Gateways
  • Secure Configuration
  • Security Update Management
  • User Accounts
  • Administrative Accounts
  • Malware Protection

A member of your board must sign the SAQ to affirm that it’s accurate and complete.

Even though you submit the Cyber Essentials questionnaire yourself, we recommend you get expert third-party input to make sure you’ve got everything right.

Some of the questions can be complex, particularly if you manage your own IT and don’t have a technical background. 

So, what about Cyber Essentials Plus?

Cyber Essentials Plus

Cyber Essentials Plus is very similar, but includes a higher level of validation.

It includes a technical audit of the systems involved as well as the SAQ.

You can re-use an SAQ you completed for Cyber Essentials for Cyber Essentials Plus.

You’ll need to apply within three months of completing the SAQ.

Your Cyber Essentials Plus audit will be carried out by a qualified organisation known as a Certification Partner.

The audit will include looking for:

  • External vulnerabilities
  • An internal scan
  • An on-site assessment, for which they’ll have to visit your premises.

During the on-site visit, the auditor will look at a representative sample of your devices to make sure they’re being managed in the right way.

If you pass your audit, your certification body will give you a Cyber Essentials Plus certificate, providing independent confirmation that you meet the standard.

If you fail, you’ll need to fix the outstanding issues before you re-apply.

Is Cyber Essentials certification worth it?

In short, yes.

Basic Cyber Essentials is a good option if you just want to demonstrate that you have essential controls in place.

If your business is based at a single location, and your network is only accessed by team members when they physically come into work, then basic Cyber Essentials is probably enough for you.

The more access points there are to your network, the more likely you’ll need Cyber Essentials Plus.

For example:

If you have multiple networked sites, people working remotely or third parties who visit your premises or access your network, Cyber Essentials Plus will give you the reassurance that your data is still safe.

Why become Cyber Essentials certified?

The main reason to gain Cyber Essentials certification is to get a clear picture of the cyber threats you’re facing, and protect your business against them.

Cybercrime is a real and growing danger.

According to the UK Government, four in ten businesses (39%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months.

What’s more, these aren’t one-offs or occasional hiccups – out of the businesses who were targeted, 27% experienced some sort of attack at least once a week.

With phishing attacks (83%) by far the most common.

Just by having Cyber Essentials, you make yourself a less attractive target for cyber criminals.

Think about it:

The group without protection is a much easier target than the one with.

If you aren’t certified, you mark yourself out as potentially vulnerable.

This could act as encouragement for hackers to try more subtle and powerful attacks.

Cyber Essentials also shows customers, suppliers and partners that you take digital security seriously.

It shows that they can trust you with their confidential data.

Every certified business is listed on the NCSC’s website.

You can search for a certified company on the IASME website.

If you’re bidding for a government contract that involves handling certain sensitive and personal information, you’ll need Cyber Essentials certification.

How do I get Cyber Essentials certified?

Well, let’s take a look at the process below:

#1 Sign Up

The first stage is to sign up for Cyber Essentials.

We recommend you get advice from a certified body to guide you through the whole process of gaining your Cyber Essentials aCyber Essentials Plus certification.

Before you start, you’ll need to:

  • Define the scope of the project
  • Establish an idea of costs and timescales

As a rough guide, the more users, sites and network access points you have, the more complex the project is likely to be.

#2 SAQ

The next step is to complete the Self-Assessment Questionnaire (SAQ).

Even though you submit the SAQ yourself, we recommend you get expert input prior to submission.

This is to ensure it meets the scheme’s requirements.

#3 Cyber Essentials Certification

If your application is successful, you will be issued your Cyber Essentials certificate.

Well done you 👏😁

#4 Onsite Assessment

If you are planning to obtain the Cyber Essentials Plus certification, you will need to go through a technical audit.

This includes a collection of internal vulnerability scans and tests.

You’ll need to prepare for your audit by reviewing the security arrangements you currently have and with suggested improvements.

If you need help with the technical side, you may need an IT engineer to help you make the necessary changes.

A lot of this type of support can be delivered remotely, particularly if your data is hosted on external servers.

If you don’t have a Cyber Essentials SAQ from the last 30 days, you’ll need to complete one.

An IT engineer will need to visit you to make a series of checks on your network and some of your work machines.

They’ll also make sure that all the answers you put in your SAQ are correct and complete.

#5 External Scan

For the final step, you will need to have an external vulnerability scan.

This is a scan of your Internet-facing networks and applications.

It is used to verify that there are no obvious vulnerabilities.

As the tests are external, they are performed off-site.

With help at stage #3, you are very unlikely to fail the audit.

However, if you do, you can get feedback on what you need to change.

Then you can decide whether you want to re-apply.

#6 Cyber Essentials Plus Certification

If your application is successful, you will be issued your Cyber Essentials Plus certificate.

Once you have acquired either Cyber Essentials or Cyber Essentials Plus, you can then display it at your premises or on your website.


What’s the cost of Cyber Essentials?

In terms of cost, expert guidance on basic Cyber Essentials certification is usually covered by a flat fee for scoping work.

Any remedial work would be an additional cost.

Cyber Essentials Plus is more complex and depends on the size of your company.

You’ll need to contact your provider to get a tailored quote.


We hope you’ve enjoyed reading this article.

Now we would like to hear from you.

Are you considering Cyber Essentials certification?

If you’re interested in Cyber Essentials or Cyber Essentials Plus certification, we can take care of the whole process for you, helping you to gain certification quickly and easily; without getting tied up in red tape.

Get in touch today to get started.


Back to the blog.

Sign up to our newsletter

The latest insights, articles, and resources direct to your inbox.