Cyber Essentials vs Cyber Essentials Plus: Which One Is Right for You?
The Cyber Essentials certification process is a government-backed initiative to improve cyber security and create a basic level of security controls for all businesses to align with.
The Cyber Essentials assessment is defined as two separate certification levels, each of which verifies that the required security measures have been implemented.
Cyber Essentials
Cyber Essentials consists of a questionnaire that defines how your company has taken steps to protect against common cyber attacks.
Cyber Essentials Plus
Cyber Essentials Plus is a separate technical audit conducted by a qualified assessor to verify your company’s cybersecurity posture, and is conducted after completing Cyber Essentials.
To achieve or maintain your Cyber Essentials Certification, contact our team or review any further information available here.
Choosing Between Cyber Essentials And Cyber Essentials Plus

Both the Cyber Essentials and Cyber Essentials Plus assessments will provide your company a certificate to verify your organisation is implementing fundamental cybersecurity measures to protect your business.
A common question is therefore, “What’s the difference between the two certificates?”
Cyber Essentials Plus provides an increased level of assurance and can often be a requirement when bidding on specific work and contracts.
The biggest differences between the two certification processes are the audit method used to verify the information provided and the cost of completing the assessment process.
Cyber Essentials Vs Cyber Essentials Plus
Cyber Essentials
Cyber Essentials involves an assessor reviewing the answers provided on a questionnaire to confirm they align with the assessment requirements, which can be a relatively short and inexpensive process.
Although the information provided must align with the Cyber Essentials requirements, there is no in-depth assessment or verification conducted by the assessor, which is why the questionnaire is typically referred to as a self-assessment.
Cyber Essentials Plus
Cyber Essentials Plus is a set of practical tests to verify that the information provided on the questionnaire is accurate and aligns with the Cyber Essentials controls, which can require dedicated time from a qualified assessor and therefore can be more expensive.
Each assessment is intended to verify your company has implemented the necessary protection methods to prevent the most common cyber attacks, however, as the Cyber Essentials Plus assessment includes practical vulnerability tests, it is seen as a more rigorous assessment.
The increased certification level of Cyber Essentials Plus aims to verify your company treats cyber security seriously through the following:
- Verifying your company manages its information security posture
- Providing assurance your company protects its client data from a range of common cyber threats
- Evidence of protection methods from the latest developing cyber security risks
- Developing trust between your clients and partners through proven information security measures
Which Certification Level Your Company Needs

Some of the key considerations that can determine which accreditation level your company needs to achieve include:
- Does your company have a supplier requirement to achieve a specific certification level?
- Is your business bidding on work or contracts that require maintaining Cyber Essentials or Cyber Essentials Plus certification?
- Does your organisation need to verify its cyber security through practical testing and audits?
- Is your company aiming to achieve certification within a limited or restricted cyber security budget?
- Does your business need to provide a higher level of assurance to your clients or business partners?
While it is always recommended to achieve a higher level of cyber security assurance where possible, if your company has no external requirement to achieve certification and has a limited budget, it can be worthwhile to align with the Cyber Essentials requirements first, as both certification standards aim to verify that the same basic level of security controls has been implemented.
Cyber Essentials Plus can then be considered as an additional level of assurance once your requirements change or cyber security budgets increase.
The Cyber Essentials Scope

The scope of the assessment is the same regardless of which certification is being achieved; however, the extent of the review conducted by a qualified assessor will change depending on whether your company is aiming for Cyber Essentials or Cyber Essentials Plus.
The Cyber Essentials Key Controls
The five Cyber Essentials key controls that need to be implemented within your business are also the same, regardless of the certification level that you pursue:
- Firewalls
- Secure Configuration
- Security Update Management
- User Access Controls
- Malware Protection
Although the scope and requirements remain the same throughout the Cyber Essentials certification process, the method of assessment and verification changes depending on which Cyber Essentials certificate your company needs to achieve.
The Cyber Essentials Assessments

Cyber Essentials
For Cyber Essentials, a self-assessment questionnaire needs to be completed, which is then reviewed and graded by a qualified assessor and certification body.
The questionnaire, which can be found here, asks how your company manages the five key controls that protect your business from the most common cyber threats.
Cyber Essentials Plus
For Cyber Essentials Plus, a set of five practical tests is conducted to review your organisation’s cyber defences, which are defined here, and to verify the information provided within the self-assessment questionnaire:
- A remote vulnerability scan of your internet-facing systems
- An authenticated vulnerability scan of your end user IT Devices, such as laptops and desktops
- A review of your Malware Protection system and its functionality
- An assessment of your Multi-Factor Authentication systems
- A confirmation of your user access controls and separation of administrator permissions
The Cyber Essentials Timeframe

When your business is pursuing Cyber Essentials certification, a common consideration is how long the certification process takes.
Cyber Essentials
For Cyber Essentials, after your company has submitted the questionnaire, you can expect to receive a response to your submission within a couple of days.
Although there can sometimes be a request for further information, or some corrections to make to your submission, assuming your company is compliant with the Cyber Essentials controls you can expect to receive your certificate within the same week as submitting your questionnaire answers.
Cyber Essentials Plus
Cyber Essentials Plus first requires the self-assessment questionnaire to be completed and then requires dedicated time for an assessor to work with your company and assess your devices against the Cyber Essentials scheme.
The Cyber Essentials Plus process must be completed within three months of achieving Cyber Essentials, otherwise, the self-assessment questionnaire must be resubmitted and recertified before continuing with Cyber Essentials Plus.
The time for an assessor to review your devices can vary depending on your assessment scope and the size of your organisation, but for most companies it should be completed within a few days, with a Cyber Essentials Plus certificate provided shortly after completing and passing each of the practical audits.
The Cost of Cyber Essentials

One of the differences that can often have an impact on the decision-making process when choosing between Cyber Essentials and Cyber Essentials Plus is the cost of assessment.
Cyber Essentials
For Cyber Essentials, the assessment involves completing the self-assessment questionnaire which can be done directly through the IASME website or by working with a cyber security consultant and qualified certification body.
The Cyber Essentials certification cost, for the submission of the questionnaire, can vary from £320 to £600 depending on the size of your business, but may also include some consultancy costs depending on whether the necessary security measures are already in place within your company.
Cyber Essentials Plus
Cyber Essentials Plus requires a valid Cyber Essentials certificate to first be in place, and also involves a variable consultancy fee which can change depending on the size of your business and the number of devices that need to be tested.
Cyber Essentials Plus costs can begin in the range of around £1500 to £2000, depending on the business and the number of devices to be assessed.
The Requirements Of Cyber Essentials

Cyber Essentials requires your business to implement a set of policies and technical controls to align with the cybersecurity assurance schemes and achieve certification, such as:
- Managing each of the devices and accounts that can access your business and sensitive data
- Defining and implementing a password policy for your accounts
- Ensuring account security through the separation of administrator permissions
- Updating your devices and software on a regular basis
- Maintaining a secure configuration for your devices with changes only made after approval
- Configuring Firewall protection for each of your devices
A detailed description of the Cyber Essentials requirements is provided in the following article; the requirements remain the same for both certification levels, and only the method of assessment changes between certificates.
There are multiple requirements for each of the five key controls, but each is designed to be achievable for small and medium enterprises and provide protection from cyber criminals.
Conclusion

Although the Cyber Essentials scheme and requirements remain the same for both certification levels, the method of verification, cost of assessment, and level of assurance provided to clients, partners and suppliers are the major differences between the assessments.
For any company aiming to improve its cybersecurity posture, Cyber Essentials certification is a recommended method to implement security standards and provide evidence that your business has taken the necessary measures to protect itself from the cyber threat landscape.
Your company can benefit from achieving certification in several ways:
- Improved Cyber Security controls throughout your business
- Cyber Insurance is provided to companies that align with the certification standards and meet the necessary business requirements
- The option to bid on additional work and contracts where Cyber Essentials is a supplier requirement
- Protection from the latest and most common cyber attacks
- Increased trust and information security assurance with your clients and partners
For further information on the Cyber Essentials assessment or where you have questions regarding different cybersecurity solutions, our consultants and cyber advisors are available to address any concerns you may have.