.png)
If you want to know more about certifying to Cyber Essentials (CE) and/or Cyber Essentials Plus (CE+), then look no further - this is the blog for you!
We will answer the most asked questions from what exactly Cyber Essentials is, to the process involved and what the exact benefits are.
Firstly, what is Cyber Essentials?
CE and CE+ are UK Government backed schemes that helps protect organisations, whatever their size or technical expertise, against a whole range of the most common cyber-attacks.
Those cyber-attacks come in many shapes and sizes, but the vast majority are very basic and carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. CE is designed to prevent these low complexity high-likelihood attacks.
Why do you need Cyber Essentials?
There are a huge number of benefits to achieving Cyber Essentials.
Achieving Cyber Essentials certification signifies to your customers that you are committed to safeguarding against prevalent cyber threat. It’s not just important for your customers to trust you, your partners, suppliers, and investors need to have confidence in your ability to operate safely, too. Having a recognised certification helps validates your processes and means they know you operate with security at the forefront of your business.
Many government contracts require you to have CE certification, therefore achieving CE will offer a huge opportunity to work on large-scale projects with public sector organisations.
Cyber Essentials will also help you gain a clear picture of your organisation's cybersecurity level. The UK governments states that by implementing the 5 areas of security controls you should prevent around 80% of cyber- attacks on your business.
What's tested in the certification process?
The CE certification process involves assessing five key technical control areas:
- Firewalls
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
It will check that you have turned on and are using the security controls that are available to you on your devices and systems – and that you are maintaining security ongoing. For example, Windows and Macs have software firewalls – are they turned on? Have you separated administrator and standard user accounts? Do your accounts and devices have sufficient passwords, pin codes or biometrics?
One of the areas that many organisations fall down on, is – are you regularly updating your operating system software and third party applications? Vulnerabilities in software are found every day. All you need to do is click that update button to protect against criminals exploiting these holes.
What level should I go for?
CE is a self-assessment of 89 questions that takes 1-2 hours to complete before submitting it to an accredited Certification Body (such as Toro) to assess the answers and decide whether to award certification. The CE question set is split into the following categories and sub-categories:
- Organisational details
- Scope of assessment
- Boundary firewalls and internet gateways
- Secure configuration
- Device locking
- Security update management
- User access control
- Admin accounts
- Password-based authentication
- Malware protection
In January 2022, IASME broadened the assessment areas to incorporate:
- Home Working requirement
- Cloud services
- Multi-factor authentication in relation to Cloud services
- Password-based authentication
If you have answered your CE questionnaire honestly and accurately, CE+ is just an auditor checking your answers and providing third-party assurance that your security has been tested.
CE+ certification uses the same completed questionnaire as CE but involves additional vulnerability scans, system and device audits. This includes an assessor testing a random sample of company systems, devices, and servers for their security. The assessment follows these steps:
- Internal vulnerability assessment
- External vulnerability assessment
- User access controls test
- Browser download test
- Email test
The CE+ assessment provides clients with a full report highlighting findings and improvements that need to be made before certification is awarded.
How long is the Cyber Essentials Certification valid for?
Certification is valid for 1 year and you will need to be re-certified every year to keep the status.
The certification process will be same again and if you are keeping up with technical controls that were put in place it should be a lot quicker to complete.
What happens if you fail?
If you fail the Cyber Essentials certification you will have 30 days to fix the issues and re-submit your application. For Cyber Essentials Plus certification, you will have 15 days to rectify the issues and re-submit.
We would recommend that you work with a CE certification body like Toro, who will make sure you have everything in place, so you don’t have any issues.
What do you get once you have your certification?
Once you’ve passed your Cyber Essentials, you will receive a confirmation from the certification body along with a unique reference number. You will also get Cyber Essentials badges for your website and marketing collateral, and you will be included on the NCSC's database of CE-certified organisations.
What changed in the April 2023 updates?
- Inclusion of Third-Party Devices - the NCSC clarified exactly which devices are ‘in scope’ (i.e. covered by the certification) and which are not. They’ve updated the guidelines with a table for quick reference.
- Malware Protection Approaches - the NCSC has added a couple of different options for how organisations approach malware protection for their in-scope devices.
- Device Unlocking Rules - the new specification requires that organisations set the device to lock after the minimum number of attempts allowable by that device.
- Clarification around firmware requirements – the NCSC now only require the firmware details for the organisation's router and firewall.
How much does Cyber Essentials certification cost?
The pricing for Cyber Essentials (verified self-assessment) operates on a tiered structure, aligning with globally recognised classifications for micro, small, medium, and large enterprises.
Is it expensive?
No. Cyber Essentials is designed to be an affordable standard for organisations of all levels to achieve. There is a sliding scale of cost dependent on the size of your organisation. Please get in touch with Toro today for your quote.
Definitions of company size
- Micro = up to 10 staff
- Small = up to 50 staff
- Medium = up to 250 staff
- Large = 250-1000 staff (if bigger, subject to scoping for CE+)
Is Cyber Essentials a legal requirement?
It is not a legal requirement, but some government contracts require it as a minimum security standard.
Final Thoughts
A recent study suggests that cybercrime could cost the world an estimated $10.5 trillion in losses by 2025. Given the escalating incidents of data breaches and cyber crimes across various sectors, incorporating cyber security measures such as Cyber Essentials into your business strategy is crucial.
The cost-effectiveness and straightforward implementation of Cyber Essentials make it a highly advantageous choice for businesses to put in place.
To find out more about how Toro can help you achieve Cyber Essentials please get in touch.