Cyber Essentials Certification

Cyber Essentials

We provide expert cyber security consultancy and guidance to help your business achieve Cyber Essentials certification.

Cyber Essentials Scheme

Cyber Essentials is a UK government-backed scheme that aims to protect organisations from potential vulnerabilities and the most common cyber attacks.

The Cyber Essentials scheme allows your company to demonstrate its commitment to maintaining and continually improving its security and reducing its cyber security risks from common cyber threats.

Achieving your Cyber Essentials certification can also help to increase your trust and reputation with clients, partners, and suppliers while allowing your company to bid and conduct work on certain UK government contracts.

Cyber Essentials Certification Process

The Cyber Essentials certificate consists of a self-assessment questionnaire that evaluates your company’s policies, processes, and technical security controls.

Each completed questionnaire is reviewed by our cyber advisors to ensure your organisation meets each of the requirements defined within the Cyber Essentials five technical control areas.

Where updates or changes to your current setup are required, our expert advisors work alongside your team to ensure your company adheres to each of the requirements and is ready to achieve cyber essentials accreditation.

Cyber Essentials Requirements

Cyber Essentials certification consists of a range of requirements for your business, its policies, processes, and technical controls.

The Requirements for IT Infrastructure document, published by the National Cyber Security Centre (NCSC) provides a detailed description of controls that should be in place to achieve Cyber Essentials certification.

The Cyber Essentials technical controls consist of the following categories:

The assessment outlines the requirements for protecting your internet gateways, which includes managing a secure configuration, defining secure passwords, and ensuring the protection of your internet-facing services.

Cyber Essentials outlines the requirements for managing all of your business devices to a secure standard, including securing your user accounts and protecting against unauthorized access.

Cyber Essentials covers the requirements to ensure your devices remain protected from known vulnerabilities and cyber-attacks by ensuring regular updates for all of your devices.

The assessment outlines a set of basic security controls to protect your user accounts by applying Cyber Essentials controls to manage your account permissions, remove default passwords, and configure secure credentials.

The Cyber Essentials scheme ensures protection from the vast majority of cyber-attacks and requires your it systems to implement a method to protect from potential malware attacks.

Each of these controls needs to be applied to your organisations assets such as desktops, laptops, mobiles, servers, firewalls, cloud infrastructure, and services.

Maintaining Cyber Essentials Certification

Cyber Essentials is an annual certification process requiring a qualified assessor to audit your organisations self-assessment questionnaire and ensure your company continues to adhere to the technical requirements defined by the Cyber Essentials controls.

Our trained consultants are always available to provide advice, guidance and ensure you maintain your Cyber Essentials certified status.

Popular questions

If you have any concerns over cyber security and the risks posed by cyber criminals and malicious software, Cyber Essentials can form a secure framework for your company to maintain, providing protection from the most common cyber attacks which are prevalent.

The process of refining and implementing a cyber security framework within your organisation can help provide assurance and trust to your clients, partners and suppliers that your business and information security standards have been assessed by a recognised certification body and your business can be considered a trusted partner.

Cyber Essentials is a UK Government backed scheme, and companies which hold a valid Cyber Essentials certificate can bid on a range of government contracts which involve handling of sensitive or personal data.

Cyber Essentials evaluates your organisation based around the following security controls:

Firewalls
Secure Configuration
Security Update Management
User Access Control
Malware Protection

These five control categories assess how your business manages its policies and technical controls when implementing the Cyber Essentials requirements.

There are multiple questions which are covered within the Cyber Essentials self assessment questionnaire to cover each of these technical controls, such as:

How your organisation maintains and manages the services accessible through your Firewall.
How your company defines and implements a secure password policy.
How often your devices have security updates applied.
How your business limits the number of administrator accounts in use.
How your business has implemented a Malware protection solution.

Cyber Essentials certification includes the self assessment questionnaire which is reviewed by a qualified assessor and is a prerequisite before progressing towards Cyber Essentials Plus certification.

Cyber Essentials Plus is a technical audit of the systems and solutions defined within your Cyber Essentials self assessment questionnaire, and consists of multiple practical tests of your systems, such as:

An External vulnerability scan of your companies internet facing assets.
An Authenticated vulnerability scan of the laptops, desktops and servers, defined within the Cyber Essentials Questionnaire.
A review of the secure configuration standards in place within your user desktop environments.
An assessment of the User Access Controls and authentication measures in place for your accounts.
A review of the Malware Protection solution defined within the Cyber Essentials Questionnaire.

The Cyber Essentials scheme has some fixed costs for submitting the self assessment questionnaire to the IASME portal, listed here, ranging from £320-£600 excluding VAT.

These prices can change and are designed around a tiered pricing structure based upon the size of an organisation.

In addition to the submission costs, Cyber Essentials certification bodies will typically have consultancy costs for their time, advice and guidance working through the certification process.

This cost can be variable between companies and can also depend on the size of your organisation, and whether you have already achieved cyber essentials certification before.

The time for certification can be dependent on how long it can take a company to collate all the information needed to fill in the Cyber Essentials self assessment questionnaire.

This may only take a few hours or may take a few days, depending on the organisation, their size and complexity.

Once the information is submitted, it should only take a few days for an assessor to review the cyber security measures in place for your organisation, and either provide feedback on where to improve or provide a certification.

The aim of working alongside a Cyber Essentials consultant is to avoid this scenario, and to ensure you have all of the necessary cyber security controls in place to achieve certification.

Where a questionnaire is submitted which requires a business to implement some changes, feedback and advice will be provided on how to address these issues, and each company receives a two day period to review and implement the recommended changes before resubmitting the questionnaire for further review.

If more significant changes are needed that cannot be completed in two days, or the questionnaire is still a fail after resubmission, each of the issues will still need to be addressed and the company will need to reapply and pay an additional assessment charge.

There are multiple options available for your company to prepare for Cyber Essentials in advance of paying any certification or consultancy costs.

IASME have developed a short set of questions which can help provide advice on whether you are ready to begin the certification process.
The technical requirements for your systems to meet Cyber Essentials basic certification standards are outlined in the Requirements for IT Infrastructure document published by the National Cyber Security Centre (NCSC).
The questions for the self assessment questionnaire are available to download as an excel or pdf document from IASME at the following location.
A detailed description of the Cyber Essentials Requirements is also outlined in the following article to help your organisation prepare for assessment.