Your Guide on How to Get Cyber Essentials Certification Successfully

Recommendations For The Cyber Essentials Certification Process

The Cyber Essentials scheme is a UK government-backed certification standard, which is intended to provide a set of achievable basic security controls for all businesses of all sizes to adhere to.

Each of the security measures aims to protect businesses from the most common cyber threats and requires cyber security experts to review your company information and systems to ensure adherence to the Cyber Essentials key controls.

Cyber Essentials is split into two separate assessment types, Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials involves the completion and review of a questionnaire and is considered to be a more base-level security certification.

However, Cyber Essentials Plus involves a Cyber Essentials partner conducting several practical security tests, each designed to address different cyber security risks, including:

• An external vulnerability scan, including your internet gateways
• Multiple internal vulnerability scans, including your user devices
• Tests of your Anti-Malware Software, using test samples of malicious software
• Testing of your user access controls and administrator accounts
• Checks conducted against your Multi-Factor Authentication solutions for Cloud Services

The following steps and guidance can hopefully provide some practical support and help you with achieving Cyber Essentials and improving your company’s security posture.

Complete The Cyber Essentials Readiness Tool

If you are unsure of how the Cyber Essentials requirements apply to your business, it can be useful to use the readiness tool provided by IASME and the National Cyber Security Centre (NCSC).

This tool consists of some high-level questions to provide an overview of where your company may need to make some improvements to cyber security, for compliance with the required standards and to protect your organisation from the most common cyber attacks.

The readiness tool will also provide some ‘actions’ or recommendations to address the areas of your business that may currently be considered non-compliant.

Review The Cyber Essentials Requirements for IT Infrastructure

To provide more in-depth guidance on each of the specific requirements that need to be applied to your devices, services, and user accounts, it can be useful to review the Requirements for IT Infrastructure document.

This document details what devices will be included within the assessment and provides a breakdown of each of the five basic security controls required to achieve Cyber Essentials certification, which are:

• Firewalls
• Secure Configuration
• Security Update Management
• User Access Control
• Malware Protection

Any specific gaps in your cyber security that are highlighted by the requirements document can then be addressed within your business before proceeding with your cyber essentials accreditation.

Define Your Cyber Essentials Scope Of Assessment

The Cyber Essentials certification applies to your organisations devices, services, and user accounts. However, there can be some specific exclusions to this scope, and some companies may choose to only certify part of their organisation rather than the organisation as a whole.

Using the Requirements for IT infrastructure document and the provided article on defining your Cyber Essentials scope, your business can accurately define your Scope of Assessment.

Your ‘Scope’ can then be assessed by a qualified assessor to ensure it aligns with the Cyber Essentials scheme, when working with a cyber advisor or when submitting your questionnaire directly to IASME.

Complete The Cyber Essentials Self-Assessment Questionnaire

When you have implemented any necessary policies and technical controls within your business to align with the Cyber Essentials certification scheme’s requirements, the self-assessment questionnaire can then be completed.

The questionnaire consists of around 80 questions that covers details regarding your organisation, the devices and software you make use of, and how your business has addressed each of the Cyber Essentials five basic security controls.

When completing the questionnaire, it can be a common occurance that it may highlight additional adjustments that need to be made to your policies or technical controls to achieve compliance.

It is therefore always recommended to initially complete the questionnaire via the provided Excel or PDF documents, before purchasing access to the certification portal.

Conduct A Cyber Essentials Check List

Where you are managing Cyber Essentials and Cyber Security for the first time, it can be helpful to run through a checklist of tasks and information, to ensure you have covered all of the necessary requirements.

This process can provide some assurance that when your questionnaire is reviewed by a qualified assessor, there will be minimal or no issues that need to be addressed.

The following article, Preparing for Cyber Essentials, provides some guidance and considerations to check on, before proceeding to purchase your Cyber Essentials assessment.

Pay The Required Certification Costs

Whether your organisation chooses to purchase a Cyber Essentials assessment directly through the IASME portal or via a cyber security consultancy company, an independent assessor will always review and grade your self-assessment questionnaire.

When purchasing directly through IASME it can sometimes be difficult to receive any additional support or consultancy regarding areas of improvement that may be needed to achieve Cyber Essentials certification.

If purchasing through a consultancy company, you can receive this type of support and guidance when progressing through the certification process, however, it can often be more expensive, as the time for consultancy and guidance will typically be added on top of the certification costs.

Submit Your Self-Assessment Questionnaire For Review

After purchasing the Cyber Essentials assessment, you will gain login information and access to the IASME Cyber Essentials platform.

This will allow you to submit your completed self-assessment questionnaire, for an assessor to review.

When submitting the questionnaire it is necessary to provide the information of an individual who can authorise that the supplied information is up to date and accurate.

If this individual is different from the person completing the questionnaire they will typically receive an email to verify and authorise the information before it can be seen and reviewed by an assessor.

Once the assessor receives the questionnaire, it may take a few days for the information to be evaluated and the questionnaire to be returned.

Make Necessary Amendments To Your Submitted Questionnaire

When submitting a questionnaire, especially if new to the Cyber Essentials process or when working without a consultant or cyber advisor, it can be common that several questions will need further clarification.

When this occurs the questionnaire will be returned, with specific sections highlighted that need to be addressed and resolved.

This may be due to minor issues, such as providing a little more of a detailed description of a process or policy, however, it can also be due to more significant issues, such as operating systems and software being listed in the questionnaire which are outdated or no longer supported.

Where issues are highlighted, they should be quickly resolved within your business and the answers should be updated within the self-assessment questionnaire.

There is a two-day time limit to make any necessary changes and resubmit the questions before you need to repay the certification costs.

The updated information will also need to be re-approved by a suitably authorized individual, and this should be accounted for when resubmitting your answers within the two-day time limit.

Email Notification Regarding Your Cyber Essentials Certification

Ideally, with any necessary amendments made to your submitted questions, you should receive an email from IASME informing your organisation that you have passed the assessment and your company is now one of the Cyber Essentials certified organisations.

If you receive unfortunate news that your resubmitted information has still not met the required Cyber Essentials standards, this does not mean you cannot become certified, however, to continue with the process it will require further amendments to your organisation, the submitted questions, and to repay the certification costs.

Manage Your Issued Certification Through The Blockmark Platform

If you have passed the Cyber Essentials scheme, you should receive information directing you towards BlockMark Registry.

This platform allows you to manage the public visibility of your Cyber Essentials certification and provides instructions to embed the Cyber Essentials logo into your website to advertise your new certification.

Additionally, when you achieve Cyber Essentials certification, your company should be searchable within the following certificate search database, although it may take a few days to update and display your company information.

Continuing With Cyber Essentials Plus Certification

For any companies aiming to achieve Cyber Essentials Plus certification, the additional assessment can provide additional security and assurance for your business but does require additional steps and testing of your organisation.

Progressing From Cyber Essentials To Cyber Essentials Plus

As your company progresses from Cyber Essentials to Cyber Essentials Plus, it is necessary to work with one of the independent certification bodies to conduct a series of practical tests against your systems, to ensure they align with the defined Cyber Essentials standards and also align with the information submitted within your self-assessment questionnaire.

To ensure there are no significant changes to the devices and systems defined in the questionnaire, it is necessary to conduct the Cyber Essentials Plus assessment within three months of becoming certified to the Cyber Essentials scheme.

The Cyber Essentials Plus assessment will typically be significantly more expensive than the initial Cyber Essentials certification process due to the time required to conduct and evaluate each of the practical security tests.

However, it can sometimes be beneficial, and a little cheaper overall, to work with a certification body for both Cyber Essentials and Cyber Essentials Plus.

Conducting The Cyber Essentials Plus Practical Tests

A set of practical security tests are conducted by a qualified assessor as part of the Cyber Essentials Plus certification process, which includes the tests outlined in the Test Specification document:

• Test Case 1: Remote Vulnerability Assessment
• Test Case 2: Check Patch Management via Authenticated Vulnerability Scan
• Test Case 3: Check Malware Protection
• Test Case 4: Check Multi-Factor Authentication
• Test Case 5: Check Account Separation

Each of the defined tests needs to be passed to achieve Cyber Essentials Plus certification, and the test specification document outlines what is involved in each test and what is considered a Pass or Fail.

The following article can also help your organisation prepare for the Cyber Essentials Plus assessment, by conducting a large amount of the tests yourself and providing assurance that your organisation is ready for assessment.

Depending on the size of your organisation, the practical tests are typically conducted on a random selection of your devices and user accounts, although for some smaller companies, or with a diverse range of different device types, it may be necessary to test all of your devices.

Make Necessary Updates To Your Organisation Systems

After the Cyber Essentials Plus tests have been completed by a qualified assessor, a report will be written and prepared by the assessor which summarises each of the conducted tests and highlights any potential areas of your business which may have failed the assessment.

Similar to the self-assessment questionnaire, your organisation will then have time to address any of the issues which may have failed the Cyber Essentials Plus assessment.

Updates or changes to your systems will then need to be reassessed, within one month of the initial assessment, to ensure that your organisation can pass the certification standard.

Where it is not possible to pass Cyber Essentials Plus within this timeframe, it is still possible to certify to the standard, however, the certification costs will need to be repaid, and each of the practical security tests will be conducted again.

Receiving The Cyber Essentials Plus Certification

After completing and passing each of the practical tests for Cyber Essentials Plus, you should receive an email from IASME that informs you of your company’s certification status.

Similar to Cyber Essentials, your certificate can then be managed via BlockMark Registry, and the certification logo can also be incorporated into your website using the instructions provided.

Your information will also be updated in the certificate search database to reflect your Cyber Essentials Plus status.

Conclusion

Achieving Cyber Essentials certification is only the first part of the assessment process.

Through the course of the year, it is necessary to maintain your organisation’s adherence to the certification standards and to reassess once a year to renew your Cyber Essentials Certificate.

This ensures your company stays protected from the latest attacks and threats from cyber criminals, and also ensures that any new systems or changes to existing devices are reassessed, and your business remains compliant.

To maintain cyber security and compliance throughout the year, it can be helpful to implement some security controls and best practices to improve your company’s overall security posture, such as:

• Conducting a Security Risk Assessment of your Business
• Setting up a regular Vulnerability Scan of your systems
• Implementing a Vulnerability Management program
• Prioritising Any Vulnerabilities You Identify

Alternatively, a managed service can be provided through various security testing companies and consultants to help manage your compliance status throughout the year and ensure adherence to the Cyber Essentials standard with each subsequent assessment.

Where you have any further questions regarding different cybersecurity solutions or the Cyber Essentials certification program, our consultants are available to address any concerns you may have.