General information about the scheme
Changes to the Cyber Essentials scheme in 2022
Cyber Essentials is a UK government scheme designed to help organisations of all sizes guard themselves against the most common Internet-based cyber security threats and to demonstrate their commitment to cyber security. From 1 April 2020, the IASME Consortium (IASME) became the Cyber Essentials partner with the NCSC (National Cyber Security Centre). On 24 January 2022, some of the technical control requirements changed in line with recommended security updates to reflect the changing cyber threats in today’s digital environment.
Why should we get a Cyber Essentials certificate?
The scheme sets out five basic security controls to protect organisations against around 80% of common cyber attacks, allowing you to focus on your core business objectives.
Benefits of the Cyber Essentials scheme include reassuring customers that you take cyber security seriously as well as attracting new business with the assurance that you have cyber security measures in place.
Cyber Essentials is designed to help organisations of any size demonstrate their commitment to cyber security – all while keeping the approach simple and the costs low.
If you supply – or want to supply – larger organisations that manage their third-party risks properly, the independent verification of your security posture provided by certification offers assurance that you will not endanger the supply chain.
If you want to apply for government contracts, you will need Cyber Essentials certification.
The Ministry of Defence mandates Cyber Essentials for all its new suppliers and their relevant supply chains.
Cyber Essentials certification now includes cyber liability insurance for any UK organisation that certifies the whole organisation and has less than £20 million annual turnover (terms apply).
What is required for certification to Cyber Essentials?
Organisations complete the IASME self-assessment questionnaire (SAQ). This must be verified and signed off by a member of the board or an equivalent signatory. It is then independently verified by a certification body trained and licensed to certify against the government’s Cyber Essentials scheme.
What is required for certification to Cyber Essentials Plus?
Cyber Essentials Plus provides a more advanced level of assurance and includes a technical audit of the systems that are in scope for Cyber Essentials. Organisations applying for Cyber Essentials Plus must also pass an on-site or remote assessment, internal vulnerability scans, plus an external vulnerability scan conducted by the certification body.
Who will conduct the assessments for Cyber Essentials and Cyber Essentials Plus?
Only certification bodies that have been trained and are currently licensed by IASME to certify against the government’s Cyber Essentials scheme can undertake assessments and issue certificates. IT Governance assessors are IASME trained and IT Governance is licensed to deliver Cyber Essentials and Cyber Essentials Plus certifications.
How long will it take between submitting our online SAQ and receiving our certificate?
For Cyber Essentials, it is possible to get from application to certification within a day or two, depending on your current security setup and speed of action. However, most organisations take about a fortnight to complete the assessment. This will be longer for Cyber Essentials Plus clients, which also need to undertake the internal security assessment and successfully complete the external scan.
Application process
What can we expect from the Cyber Essentials application process?
The following describes the Cyber Essentials certification process.
- Your Cyber Essentials package will be automatically fulfilled on your account on our IT Governance Cyber Security Portal (CS Portal).
- Log in to our CS Portal and confirm your details. You will be required to provide the email address for the person responsible for completing and submitting the SAQ.
- We send you access details for the IASME Cyber Essentials portal via email.
- We contact you to arrange any consultancy support you may have.
- You define your scope and complete the SAQ.
- Confirm all answers provided in the assessment have been approved at board level or equivalent.
- The assessment is marked by one of our Cyber Essentials assessors, who will provide feedback with the result.
If the result is a ‘pass’:
- A Cyber Essentials certificate will be issued for you to download from the IASME portal, along with a copy of your assessment and branding information on how you can display your certification mark. If you opted for free cyber insurance and qualify, this will also be included.
- The Cyber Essentials certification process is complete, and your certificate is valid for 12 months.
If the result is a ‘fail’ or ‘more information’:
- Review the feedback provided by your assessor. If you have purchased a Cyber Essentials package that includes consultancy support and you have support time remaining, one of our cyber security experts can help you understand how to address any non-compliant areas.
- You have two working days to resubmit your updated SAQ along with a newly signed declaration approved at board level or equivalent.
- If you receive a second fail or do not resubmit within two working days, you will need to buy a new package and complete the process again.
- You have six months from the purchase date to complete your application. After that, IASME archives the application and you will need to purchase a new package to continue.
For Cyber Essentials Plus, there are additional steps for the internal assessment, including internal and external vulnerability scans. You will need to complete these steps within three months of achieving your ‘basic level’ Cyber Essentials certification.
Certification
Where can we display our Cyber Essentials certificate?
On successfully passing all components of the Cyber Essentials application, your certificate will be sent to you alongside your feedback report and insurance (where applicable). You will be able to access branding guidance for your Cyber Essentials certification mark on the IASME portal, which can only be displayed by organisations that have passed the relevant assessment within the last 12 months.
The badge can be displayed by authorised organisations on:
- Websites;
- Promotional material;
- Letterheads; and
- Email signatures.
How do we renew our Cyber Essentials certificate?
All new certificates issued under the IASME scheme from 1 April 2020 have a 12-month expiry date.
Recertifying is like having an annual MOT for your cyber security controls. It gives your IT an essential annual check to protect against a wide variety of the most common cyber attacks.
Cyber Essentials and Cyber Essentials Plus certification are annual subscription products and auto-renew in line with our terms and conditions. If you do not have an annual subscription, purchase your package here to get started.
If you do not recertify, you will no longer be certified under the Cyber Essentials scheme and will not be able to apply for contracts that require you to hold a valid Cyber Essentials certificate. You will be automatically removed from the directory of organisations awarded Cyber Essentials certification on the NCSC website after 12 months.
Guidance about the certification process
Cyber Essentials Certification
What is included? Self-assessment and certification for Cyber Essentials
Who is it for? Organisations comfortable with preparing for certification without one-to-one consultancy support. This service is for organisations with good knowledge of all five security controls and that are comfortable carrying out all the preparations for certification. This knowledge is necessary to complete the SAQ. It might also be suitable for organisations renewing a certificate when nothing has changed, although IASME does make regular changes to the Cyber Essentials scheme.
Is there any support? Our Cyber Essentials packages include the cost of your Cyber Essentials certification, as set out by IASME. Additional charges are for additional services delivered. Please ensure you select the correct package for your organisation size. Prices quoted are available for purchase online through the website only. Any purchases processed offline through our sales teams will be subject to a £50 administration fee.
How can I get more guidance about the certification process?
If you need more help with any aspect of the application process, such as understanding the scope of your assessment, answering the self-assessment questions, implementing the controls or understanding any non-compliant areas identified, we recommend purchasing one of the following products:
- Get A Little Help: includes two hours’ remote consultancy/technical support with one of our cyber security experts to help you through the application process.
- Get A Lot Of Help: includes one full day of on-site or remote consultancy with one of our cyber security experts to provide guidance on completing the SAQ and how to implement the five security controls.
- Remote Consultancy Support: support via our CS Portal, email, or Microsoft Teams with one of our cyber security experts, available to purchase by the hour.
Defining the scope
How do we define the scope?
The scope should be clearly defined in terms of the organisation or business unit managing it, the network boundary and the physical location(s). Regardless of whether the whole or a part of the organisation is subject to certification, the name on the certificate must be consistent with the scope.
If you need advice about how to define the scope, purchase our Remote Consultancy Support for help from one of our cyber security experts.
How do we determine IP addresses? (Cyber Essentials Plus only)
Organisations applying for Cyber Essentials Plus will also need to test all their in-scope public-facing IP (Internet Protocol) addresses. An IP address is a unique number assigned to a device when it connects to the Internet.
If you need advice about how many IP addresses to test, purchase our Remote Consultancy Support for help from one of our cyber security experts.
What should we do if we have more than 16 IP addresses?
How do we determine how many workstations, mobile devices and build types need to be tested for Cyber Essentials Plus?
Cyber Essentials Plus involves a technical audit of the systems that are in scope for Cyber Essentials. This internal testing applies to all computing devices within the boundary of the scope and includes:
- end user devices (EUDs) such as desktops, tablets, laptops, and smartphones which can connect to internal resources
- servers on which standard (that is, non-administrator) users can obtain an interactive desktop environment
The IT Governance Cyber Essentials Plus assessor will randomly sample from the devices for internal testing. These devices must be end-user devices and cannot be built for the purpose of testing.
The number of builds required for testing is defined by the number of configurations of operating system and software suites installed. Examples of relevant software include:
- Oracle Java
- Adobe Acrobat
- Microsoft Office
- Adobe Flash
- Mozilla Firefox
- Google Chrome
- Opera
- Microsoft Internet Explorer
- Antivirus solution
If more than one browser or Office suite is used, each variant will need to be tested. If they are installed on the same build, this is acceptable. The table below can be used to determine the representative sample size for each build type:
| Number of devices by build type | Sample of devices to be tested |
|---|---|
| 1 | 1 |
| 2-5 | 2 |
| 6-19 | 3 |
| 20-60 | 4 |
| 61+ | 5 |
Example:
| Build type | Number in use | Sample to test |
|---|---|---|
| Windows 8.1 device | 1 | 1 |
| Windows 10 version 1909 | 6 | 3 |
| Windows 10 version 2004 | 50 | 4 |
| Kali Linux device | 3 | 2 |
| Total sample size to be tested: | - | 10 |
If you need advice understanding different build types or how many sample devices we need to test, purchase our Cyber Essentials Remote Consultancy Support.
What should we do if we have more than ten sample devices?
IT Governance’s Cyber Essentials Plus provides on-site testing at one location, of one type of user account, on up to ten sample devices.
If you need to test more than ten sample devices, you can purchase our Cyber Essentials Plus Certification - Additional Device Testing.
Vulnerability scanning
Why must we have vulnerability scans/penetration tests provided by a third party?
The scans are conducted to a common standard, as mandated by IASME for Cyber Essentials Plus certification. Including the scans as part of the certification process makes the application process more efficient and cost-effective. For this reason, only IASME-licensed certification bodies can conduct vulnerability scans as part of the Cyber Essentials Plus certification work.
Cyber Essentials and ISO 27001 certification
Should we apply for a Cyber Essentials badge in addition to our ISO 27001 certification?
Yes. Although ISO 27001 is seen as offering a more comprehensive level of assurance, a Cyber Essentials badge can be seen as a core indicator of cyber security. Some clients will also specifically require a Cyber Essentials certificate.
Can Cyber Essentials replace ISO 27001?
No. We recommend that Cyber Essentials is adopted in addition to ISO 27001. ISO 27001 offers various additional benefits, such as its international recognition and comprehensive approach. Because ISO 27001 includes controls focusing on information security continuity, it also provides an excellent foundation for a more comprehensive cyber resilience posture.
“You can use Cyber Essentials to try to stop low-level attacks from succeeding, but, realistically, some will get through your defences. How you recover from an attack falls entirely outside the scope of Cyber Essentials, so additional measures are essential.” – Alan Calder, Founder and Executive Chairman, IT Governance
Which should we start first: Cyber Essentials, ISO 27001, or both at the same time?
It will be more efficient to start both at the same time – IT Governance can help you with an integrated approach. However, depending on your resources, time commitments and budget, you could start with the Cyber Essentials scheme, which will give you an introduction to the world of certification, and then continue to ISO 27001 when you are ready.