In this guide to all things Cyber Essentials, we dive into the ins and outs of this Government-backed certification. After reading this guide, you’ll be clear on what Cyber Essentials is, what certification involves, how much it typically costs, and most importantly, if it can help your organisation to turn the tide on the growing cyber security threat.
Launched in 2014, Cyber Essentials is a Government-backed certification scheme now operated by the National Cyber Security Centre (NCSC). It’s designed to protect organisations, big and small, against the most common cyber attacks, because the truth is that the vast majority of attacks (around 80%) are basic, opportunistic and largely automated. This doesn’t mean that they can’t cause significant damage and disruption, just that they are relatively easy to prevent with a small set of basic controls.
This is where the Cyber Essentials certification scheme comes in. It’s a great starting point when it comes to improving the security posture of your organisation, which is why over 30,000 organisations in the UK have chosen to adopt the scheme.
Does your company need Cyber Essentials?
Most businesses make the decision to become Cyber Essentials certified for a couple of reasons:
- Helps to protect your business: First and foremost, Cyber Essentials is designed to help your organisation withstand the majority of basic cyber security attacks. With the threat level growing, it can help to make you more resilient to cyber attacks.
- Helps you win more business: Certification has been a requirement for suppliers bidding for certain central government contracts since 2014, and is increasingly asked for across the wider public sector and supply chains. It’s also increasingly well recognised by other customers as a signal that your business is taking cyber security seriously.
- Provides a low-cost solution: Compared with many security services and products on the market, Cyber Essentials is a low-cost way of strengthening your company’s resilience to common cyber threats and clearly demonstrating this to your stakeholders.
There’s also an option to have Cyber Insurance included as part of your Cyber Essentials certification at no extra cost (applicable to UK-based organisations with a turnover of £20 million or less that certify their whole organisation).
What does Cyber Essentials involve?
The Cyber Essentials certification process is relatively straightforward. The key steps are as follows:
- Choose a certification body: You’ll need to choose a certification body licensed by IASME (the NCSC’s delivery partner for the scheme) to evaluate your self-assessment and award the Cyber Essentials certification (such as Predatech).
- Complete the self-assessment questionnaire: Your certification body will provide you with access to an online portal to enable you to complete your questionnaire. Some certification bodies also offer packages that include advice and support. This will help you to understand best practice and fill any gaps.
- Questionnaire is reviewed: Once submitted, your certification body will review your answers and provide feedback. Top tip – make sure to ask your certification body how long you’ll have to wait for their review.
- Receive a pass, fail or questions: When reviewing your Cyber Essentials questionnaire the certification body may ask you some clarification questions to help better understand whether you meet the standard required. If you do, you’ll pass! Top tip – look for a certification body that offers a free retest should you not meet the requirements first time around. They should also clearly highlight which questions haven’t met the required standard so you know exactly what to fix.
- Cyber Essentials certified: Once your organisation has passed the assessment, you’ll be issued with a Cyber Essentials certificate as well as a logo which can be used to help promote this achievement across your sales and marketing materials.
What does Cyber Essentials actually help to protect against?
Cyber Essentials is built around five technical controls, and the assessment checks that each is in place across the devices and services in scope. With these controls in place, your organisation will be better prepared to withstand the majority of common, unsophisticated attacks. These controls are:
- Office Firewalls and Internet Gateways: E.g. Are internet connections secured with boundary and host-based firewalls?
- User and Administrative Accounts: E.g. Are admin accounts protected? Is access to data and applications appropriately restricted?
- Secure Configuration: E.g. What password policy is in place? Is two-factor authentication enabled where applicable?
- Malware Protection: E.g. Is antivirus software up to date? Is sandboxing in place?
- Software Patching: E.g. Are devices and software up to date?
How long does the Cyber Essentials process take?
It’s possible to certify an organisation within a couple of days. However, how long it takes will be heavily dependent on how quickly your organisation is able to complete the self-assessment questionnaire and whether any gaps are identified (and how long it takes for these to be filled). Your certification body should be able to provide a range of support and guidance to help you better understand and implement any requirements.
Does Cyber Essentials help with GDPR?
The Information Commissioner’s Office (ICO), the UK authority responsible for data protection, has described Cyber Essentials as “a good starting point.” Regulators such as the Financial Conduct Authority, the UK’s financial services regulator, have also encouraged adoption of the scheme. And while Cyber Essentials is useful evidence of the “appropriate technical measures” GDPR expects, it shouldn’t be viewed as a complete solution for an organisation’s GDPR obligations, which also cover areas such as lawful processing, data subject rights and breach notification that the scheme doesn’t address.
What does Cyber Essentials cost?
Most certification bodies offer a range of Cyber Essentials packages, with pricing from £300 up to £1,650.
Predatech offers a competitive fixed price package to help you achieve Cyber Essentials certification:
Cyber Essentials Certification & Support: £295 + VAT
- Access to the self-assessment questionnaire
- Certification incl. logo use
- 1 free retest
- Cyber Insurance
- Guaranteed 24-hour questionnaire review turnaround
- Expert advice and support throughout
How long does Cyber Essentials last?
Certification lasts for 12 months from the date of issue, which means that you will have to re-certify every 12 months in order to have a valid Cyber Essentials certification.
The recertification process is typically much easier, unless your organisation has had a major change to its IT infrastructure. All companies that hold a valid certification are listed as Cyber Essentials certified on the NCSC website and retain the right to display the Cyber Essentials logo.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
The key difference between Cyber Essentials and Cyber Essentials Plus is that Cyber Essentials relies on your own self-assessment answers, whereas Cyber Essentials Plus adds hands-on technical verification by an assessor, including internal and external vulnerability scans of in-scope systems. This delivers a more in-depth test of an organisation’s security posture because it independently validates a number of the controls rather than taking them on trust, for example, whether devices are configured correctly, whether security updates have actually been applied, and whether up-to-date antivirus software is running and blocking malicious downloads.
It’s important to note that before an organisation can achieve Cyber Essentials Plus, it must first achieve Cyber Essentials certification, and the Plus assessment normally has to be completed within three months of that certificate being issued.
Want to find out more?
Predatech is a cyber security consultancy that offers a range of services including CREST-accredited penetration testing and Cyber Essentials/Cyber Essentials Plus assessments. What makes us different? We combine expert cyber security with great customer service and value for money. Please contact us if you’re interested in a free consultation.