What is Cyber Essentials?
Cyber Essentials is a government-backed framework designed to mitigate the risk of common, avoidable vulnerabilities and help improve the security posture of your business. It is mapped against five technical control themes: Access Control, Firewalls, Secure Configuration, Malware protection, and Security update management.
Benefits of certification
Protect your organisation from 80% of common cyber-threats
Certification will give you peace of mind that your IT security is ready to defend your business against the vast majority of common, easy-to-exploit cyber-attacks, which are aimed at targets that do not have the five controls in place.
Bid for Government, public sector and supply-chain contracts
Cyber Essentials is the minimum certification you will need to bid for many new public sector contracts.
Free Cyber Insurance or reduced premiums
Some organisations may qualify for free cyber insurance with a liability cap of £25,000, while others who are not eligible may receive lower premiums from some insurance providers upon reaching Cyber Essentials status.
Increased credibility and marketing strategy
Some organisations prefer to collaborate with those who take cyber security seriously. With Cyber Essentials, you can demonstrate that you have met the standard, and a badge is available to display on your website and in your documentation.
Ready? How to get certified
Our process for gaining certification has been created to ensure your journey to better security hygiene is simple and stress-free:
- Speak to one of our trained consultants
- Complete the self-assessment
- We review your submission and support you where required
- Gain certification within 30 days
To avoid an opportunist attack, Cyber Essentials examines your basic security hygiene.
Cyber Essentials 5 technical control themes
Firewalls
Best-practice setup of devices is designed to prevent unauthorised access to, or from, private networks.
User Access Control
Ensures that user accounts are only assigned to authorised users and that only the applications, computers, and networks necessary for the user to accomplish their task are accessible.
Secure Configuration
Ensures that computers and network devices are properly configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role.
Malware Protection
Ensures that known malware and untrusted software cannot execute, and prevents harmful code from causing damage or accessing sensitive data.
Security Update Management
Ensures you have a process to deploy the latest supported versions of operating systems and applications that contain security fixes for known vulnerabilities.
Cyber Essentials or Cyber Essentials Plus?
Cyber Essentials is a self-assessed questionnaire centred on the implementation and management of five technical controls.
The Self-Assessment sets out the minimum level of IT security that all UK businesses should be meeting, and it will defend you against the most common cyber threats. To complete the questionnaire, you must review these controls and ensure they are implemented and configured correctly. Your submission is then reviewed and marked by a Claranet Cyber Essentials Assessor.
Cyber Essentials Plus is a physical verification of the controls you declared within the self-assessment and includes an additional vulnerability assessment.
Claranet will run up to 7 tests against a sample of end-user devices to check that controls are in place and working effectively. Vulnerability assessments offer peace of mind that external attack surfaces meet compliance.
What are the benefits of upgrading to Cyber Essentials Plus?
Cyber Essentials Plus offers additional peace of mind that the controls you have in place are working. An Assessor will simulate a range of common threats against your end-user devices and external attack surface to see how well they withstand them. This is close to a real attack, run within a controlled environment.
For some supply chains and Government tenders, full certification is a prerequisite, so gaining Cyber Essentials Plus now will help you get ready if this is likely to affect your organisation.
When you gain Cyber Essentials PLUS, you get the badge to promote your achievement. This can improve your credibility and offers a point of differentiation.
Demonstrate your commitment to cybersecurity
- Access support from a qualified assessor
- Expert guidance and advice from experienced penetration testers
- Fully online service, delivered remotely
- We review questionnaire responses with you to ensure they meet the standards set by Cyber Essentials
- Receive your results and certification on the consultancy day (Provided all client tasks are complete)
Cyber Essentials Plus
- 3 main elements – Cyber Essentials Basic, Technical Audits, Reporting
- Technical audits delivered remotely or onsite
- Includes external vulnerability scan
- Progress tracked, updates and results provided through online portal
- Expert guidance and advice from experienced penetration testers
Why should we get Cyber Essentials?
With common, easy-to-exploit cyber-attacks on the rise, there isn’t a better time to start looking at the fundamentals of your IT security posture.
Cyber Essentials helps protect organisations against 80% of the most common cyber threats and starts your journey to better IT security and awareness.
Achieving either level of Cyber Essentials demonstrates that you take the security of IT assets and data seriously. This can attract new business from others that think the same way about their IT security.
Cyber Essentials is a stepping stone to advanced frameworks such as ISO27001 that focus on some of the same security controls.
What’s the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is an online self-assessment questionnaire that is completed by your organisation. Your assessment is marked by an official Cyber Essentials assessor and graded as either a PASS or a FAIL. Cyber Essentials highlights five key technical controls that, if implemented correctly, can boost your IT security. Once all questions have been answered, the assessment must be signed off by a board member of your organisation.
Cyber Essentials Plus is a physical verification of the controls declared on your self-assessment. This includes an external vulnerability assessment and an assessor will conduct seven tests on your internal network, end-user devices and external infrastructure to confirm controls are implemented correctly. This gives you the peace of mind that your IT security is implemented and working correctly.
We only require Cyber Essentials right now, can we come back for Plus?
That’s fine. You have three months from passing the self-assessment to complete a Plus audit without needing to re-sit the self-assessment; after three months, you must complete and pass the self-assessment again before doing Plus.
Is Cyber Essentials a “one-off”?
It’s a yearly renewal to keep your certificate and listing on the official NCSC website as Cyber Essentials certified.
We passed last year does this guarantee a pass on our renewal?
Unfortunately not. Cyber Essentials changes year on year, so you must stay up to date with the changes and implement them throughout the year to ensure your renewal runs as smoothly as possible. To help, we can deliver gap analysis and requirements overviews throughout the year where required.
Service Delivery Questions:
What is the process for getting certified?
For the Cyber Essentials Self-Assessment, you will be given access to an online portal where you will complete a series of questions. Once done you will submit these for Claranet to review. If you’re failing in any of the areas, we will offer guidance and time to remediate these issues before we re-mark your assessment. Once ready to pass you will receive a Certificate and listing on the NCSC website as certified.
Once you have passed the Self-Assessment, you can opt for a higher level of assurance with Cyber Essentials Plus. This is a technical audit and is typically carried out remotely. A point of contact must be nominated at your organisation, and they will work with the Claranet Assessor to give them access to the devices that require testing.
What are some common failure points for both assessments?
- Unsupported computing hardware that is end-of-life (EOL) for firmware updates
- Unsupported operating systems
- Unsupported applications
- Not being able to meet compliance in multiple areas
- Unmanaged personal devices
Cyber Essentials Plus:
- Multiple critical or high vulnerabilities during the external or internal scan that can’t be remediated within 30 days
- MFA not being applied to cloud service admin accounts
- End-users being able to execute privileged tasks
- Information found that contradicts the self-assessment
I can’t achieve compliance with certain areas of my organisation, what can we do?
You can sometimes achieve compliance with unsupported devices or non-compliant locations via network segregation using boundary firewall or VLAN rules; in Cyber Essentials this is known as “de-scoping”.
De-scoping offers less protection than including your whole organisation and you must declare this on your certificate.