Cyber Essentials Certification—Everything You Need to Know to Meet Compliance
In today’s digital world, cyber threats are a constant concern for businesses of all sizes. According to a 2024 survey by the UK government’s Department for Science, Innovation & Technology (DSIT), 74% of large and 70% of medium businesses reported experiencing a recent cyber attack.
Data breaches, malware attacks, and phishing scams can cripple operations and damage your reputation. But there’s a way to demonstrate your commitment to cyber security and protect your organisation: Achieving Cyber Essentials certification.
This blog post will provide the guidance and resources you need to understand the Cyber Essentials certification, its benefits, and the steps you need to take to achieve compliance.
NOTE: These guidelines are current for the latest update to the Cyber Essentials scheme (version 3.1, Montpellier)
CurrentWare’s Controls for Cyber Essentials Certification
Seeking to become certified to the Cyber Essentials standard? CurrentWare’s solutions help you safeguard your business with advanced awareness and control over computer activity. Book a demo with us today or learn more about CurrentWare’s controls for Cyber Essentials certification.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed scheme launched in 2014. It is now owned by the National Cyber Security Centre (NCSC) and delivered through the NCSC’s partner, the IASME Consortium, and the certification bodies IASME licenses.
The framework offers businesses a straightforward and affordable way to tackle the growing cyber threat landscape by adopting critical security controls.
By aligning with the standard’s five critical technical controls, businesses can protect themselves from up to 80% of the most common cyber attacks and demonstrate to clients and prospects that they take data protection and cyber security seriously.
Cyber Essentials vs Cyber Essentials Plus
Both Cyber Essentials and Cyber Essentials Plus assess against the same criteria. The key difference is that Cyber Essentials is a self-assessment (an assessor reviews your answers, but nothing is technically tested), whereas Cyber Essentials Plus adds an independent technical audit of your systems.
Because basic Cyber Essentials rests on your own answers, it carries less weight with customers than the third-party validation that comes with Cyber Essentials Plus certification.
Similarities:
- Both cover the same five core controls: firewalls (boundary firewalls and internet gateways, plus host-based firewalls on devices used on untrusted networks), security update management (patching), secure configuration, user access control, and malware protection.
- Both are suitable for organisations of all sizes who want to protect themselves against the most common cyber attacks
Key Differences
- Verification
Cyber Essentials is a self-assessment, meaning you answer questions to demonstrate you have the controls in place. Cyber Essentials Plus involves an independent technical audit by a qualified assessor, providing greater assurance of compliance.
- Depth
Cyber Essentials Plus tests the same five controls rather than adding new ones. The assessor runs an external vulnerability scan of your internet-facing services, an authenticated vulnerability scan of a sample of in-scope devices to confirm patching, checks that your malware protection blocks malicious files delivered by email and browser download, and (since v3.1) checks that MFA is enforced on your cloud services. It is not a penetration test: nothing is actively exploited.
Choosing the right option:
- Cyber Essentials
Ideal for a foundational approach to cyber security compliance. It’s a good starting point for demonstrating a commitment to basic security measures.
- Cyber Essentials Plus
Best suited for organisations that deal with sensitive data, operate in high-risk environments or require a more comprehensive security posture. The independent verification adds credibility and demonstrates a stronger commitment to cyber security.
Who Needs Cyber Essentials Certification?
While not mandatory everywhere, Cyber Essentials is gaining international traction, especially for organisations with global partners.
Cyber Essentials certification demonstrates a strong foundation in cyber security best practices. This can be valuable for any organisation, regardless of location, but it’s especially relevant for those who want to be eligible for contracts with the UK government and other organisations that require Cyber Essentials certification.
Benefits of Cyber Essentials Certification
Cyber Essentials certification offers a range of benefits for organisations of all sizes. Here are some of the key advantages:
- Government Contracts
In the UK, Cyber Essentials is now required in many central government contracts and an increasing number of local government contracts. In particular, Cyber Essentials is required for Ministry of Defence suppliers throughout the supply chain wherever defence information is handled.
- Free Cyber Liability Insurance
Cyber Essentials certification is one of the criteria for being eligible for free cyber liability insurance in the UK.
- Enhanced Security
Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. By implementing the recommended controls, you significantly reduce the risk of falling victim to common cyber attacks such as phishing, malware, and unauthorised access.
- Customer Confidence
Demonstrating your commitment to cyber security builds trust with clients. Customers are increasingly concerned about data protection, and Cyber Essentials certification shows you take their security seriously.
- Competitive Edge
In today’s competitive landscape, Cyber Essentials certification can give you an edge when bidding for contracts, especially with organisations that prioritise cyber security.
- Reduced Costs
Cyber attacks can be incredibly expensive, so proactive measures like Cyber Essentials can help prevent costly downtime, data breaches, and reputational damage.
The Five Controls of Cyber Essentials
This section will briefly explain the five controls of Cyber Essentials; for the most up-to-date and in-depth requirements to becoming Cyber Essentials certified, please see the official guidance from The IASME Consortium, the Cyber Essentials Partner for the NCSC.
Cyber Essentials focuses on implementing five core controls that form the foundation of a basic cyber security posture.
- Firewalls
You must have a firewall between your internal network and the public Internet (a boundary firewall or internet gateway), with its default administrative password changed and unauthenticated inbound connections blocked by default. Devices used on untrusted networks such as home or public Wi-Fi must also run a host-based software firewall.
- Security Update Management (Patch Management)
All software in scope must be licensed and supported by its vendor, with automatic updates enabled where possible. Updates that fix vulnerabilities rated critical or high (CVSS v3 score of 7 or above) must be applied within 14 days of release; software that can no longer be patched must be removed or taken out of scope.
- Secure Configuration
Devices and services must be configured to reduce their attack surface: remove unnecessary software and accounts, change default passwords, disable auto-run, and require authentication before data is accessed. Password-based logins need brute-force protection (throttling or lockout) and a minimum length of 8 characters where MFA is enforced, or 12 characters (or 8 with a deny list of common passwords) where it is not.
- User Access Control
Only authorised users may access systems and data, with accounts created through a formal approval process and removed when no longer needed. Administrative accounts must be separate from the accounts used for day-to-day work, and multi-factor authentication must be used for all cloud services where it is available.
- Malware Protection
Every in-scope device must be protected either by anti-malware software that is kept up to date or by application allow-listing that only permits approved software to run. This prevents malicious code from stealing data, disrupting operations, or launching further attacks.
How to Achieve Cyber Essentials Compliance
While the basic Cyber Essentials certification process can be handled in-house, you may want to consider seeking guidance from a cyber security professional or managed service provider (MSP) to assist with the process.
1. Understand the Requirements:
- Familiarise yourself with the five core controls of Cyber Essentials (covered in the previous section).
- Decide whether to pursue Cyber Essentials or Cyber Essentials Plus (consider your risk profile and desired verification level).
- Review resources from the National Cyber Security Centre (NCSC) for the UK: https://www.ncsc.gov.uk/cyberessentials
2. Conduct a Gap Analysis:
- Assess your existing cyber security posture against the five core controls.
- Identify areas where your controls need improvement.
3. Implement the Controls:
- Develop a plan to address the gaps identified in your gap analysis.
- This might involve acquiring new security tools, updating policies, or implementing new procedures.
4. Self-Assessment (Cyber Essentials) or Certification Body Engagement (Cyber Essentials Plus):
- For Cyber Essentials, complete the online self-assessment questionnaire through a certification body licensed by IASME; a board member or equivalent senior person must sign the declaration before it is submitted.
- For Cyber Essentials Plus, engage an IASME-licensed certification body to carry out the technical assessment, which may be conducted on-site or remotely.
NOTE: You must pass the Cyber Essentials self-assessment before the Cyber Essentials Plus audit, and the Plus audit must be completed within three months of that self-assessment pass.
5. Maintain Cyber Essentials Compliance:
- Cyber security is an ongoing process. Regularly review and update your controls to adapt to evolving threats.
- Maintain a programme for patching vulnerabilities, updating software, and refreshing security awareness training for your employees.
- Cyber Essentials certificates expire after 12 months, so certification must be renewed annually; the requirements themselves are revised periodically, so check which version applies when you renew.
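The five controls and the gap-analysis step above are easier to act on once the pass/fail thresholds are written down as checks. The script below is an added example for this post, not an official NCSC or IASME tool and not CurrentWare code: it runs an offline gap check over a constructed inventory of devices and accounts. The numeric thresholds (14-day patch window for critical/high fixes, 8-character passwords with MFA, 12 without) come from the Requirements for IT Infrastructure v3.1; the device names, user names and their settings are made up, and the third password option (8 characters plus a common-password deny list) is not modelled.

```python
"""Offline gap check of a constructed inventory against the five Cyber
Essentials technical controls (thresholds from Requirements v3.1).
Added example; all device/account data below is constructed."""
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14     # critical/high-risk fixes applied within 14 days of release
MIN_PW_LEN_WITH_MFA = 8    # minimum password length when MFA is enforced
MIN_PW_LEN_NO_MFA = 12     # minimum password length when MFA is not enforced


@dataclass
class Device:
    name: str
    os_supported: bool             # vendor still issues security updates
    host_firewall_on: bool         # software firewall enabled on the device
    autorun_disabled: bool
    default_admin_pw_changed: bool
    anti_malware: bool             # anti-malware software installed and updating
    allow_listing: bool            # application allow-listing (alternative control)
    pending_patches: tuple         # (severity, release_date) for updates not yet applied


@dataclass
class Account:
    user: str
    is_admin: bool
    used_for_daily_work: bool      # admin account also used for email/browsing
    cloud_service: bool
    mfa: bool
    min_password_length: int       # minimum length the password policy enforces


def check_device(dev: Device, today: date) -> list[str]:
    """Return 'Control: detail' failures for one device (empty list = compliant)."""
    findings = []
    if not dev.host_firewall_on:
        findings.append(f"Firewalls: {dev.name} has no host firewall enabled")
    if not dev.default_admin_pw_changed:
        findings.append(f"Secure configuration: {dev.name} still uses a default admin password")
    if not dev.autorun_disabled:
        findings.append(f"Secure configuration: {dev.name} has auto-run enabled")
    if not dev.os_supported:
        findings.append(f"Security update management: {dev.name} runs an unsupported OS")
    for severity, released in dev.pending_patches:
        age = (today - released).days
        # Only critical/high fixes carry the 14-day deadline; exactly 14 days is still in window
        if severity in ("critical", "high") and age > PATCH_WINDOW_DAYS:
            findings.append(f"Security update management: {dev.name} has a {severity} patch "
                            f"released {age} days ago (limit {PATCH_WINDOW_DAYS})")
    if not (dev.anti_malware or dev.allow_listing):
        findings.append(f"Malware protection: {dev.name} has neither anti-malware nor allow-listing")
    return findings


def check_account(acct: Account) -> list[str]:
    """Return failures for one user account."""
    findings = []
    if acct.is_admin and acct.used_for_daily_work:
        findings.append(f"User access control: admin account {acct.user} is used for day-to-day work")
    if acct.cloud_service and not acct.mfa:
        findings.append(f"User access control: cloud account {acct.user} has no MFA")
    required = MIN_PW_LEN_WITH_MFA if acct.mfa else MIN_PW_LEN_NO_MFA
    if acct.min_password_length < required:
        findings.append(f"Secure configuration: {acct.user} password policy allows "
                        f"{acct.min_password_length} chars; {required} required "
                        f"({'with' if acct.mfa else 'without'} MFA)")
    return findings


def gap_analysis(devices, accounts, today: date) -> dict[str, list[str]]:
    """Group every finding by control so each gap maps to a questionnaire section."""
    report: dict[str, list[str]] = {}
    all_findings = [f for d in devices for f in check_device(d, today)]
    all_findings += [f for a in accounts for f in check_account(a)]
    for finding in all_findings:
        control, _, detail = finding.partition(": ")
        report.setdefault(control, []).append(detail)
    return report


# Constructed sample inventory (field order matches the dataclasses above)
TODAY = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("laptop-01", True, True, True, True, True, False, ()),
    Device("laptop-02", True, True, False, True, True, False,
           (("critical", date(2024, 5, 1)), ("low", date(2024, 3, 1)))),
    Device("server-01", False, False, True, False, False, False, ()),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, True, True, 14),
    Account("bob", False, False, True, False, 10),
    Account("carol", False, False, True, True, 8),
]

if __name__ == "__main__":
    for control, items in gap_analysis(SAMPLE_DEVICES, SAMPLE_ACCOUNTS, TODAY).items():
        print(control)
        for item in items:
            print("  -", item)
```

Run against the sample data it reports one firewall gap, two patching gaps (an overdue critical fix and an unsupported OS), three secure-configuration gaps, one malware-protection gap and two access-control gaps, each phrased so it can be pasted straight into the remediation plan for step 3. Feed it your own inventory export instead of the constructed lists to get a first-pass gap list before you open the questionnaire.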
Cyber Essentials vs ISO 27001
Cyber Essentials and ISO 27001 are both valuable tools for improving cyber security, but they cater to different needs. Here’s a breakdown to help you decide which path is best for your organisation:
Focus and Scope:
- Cyber Essentials
Focuses on five core technical controls to establish a basic level of cyber security hygiene. It’s ideal for organisations of all sizes looking for a foundational approach.
- ISO 27001
Provides a broader framework for an Information Security Management System (ISMS). It covers people, processes, and technology, offering a more comprehensive approach to information security.
Implementation and Certification:
- Cyber Essentials
Relatively simple to implement. Achieved through a self-assessment or a light-touch technical audit (Cyber Essentials Plus).
- ISO 27001
More complex to implement, requiring the development of an ISMS and its supporting documentation. Achieved through a formal certification audit by an accredited body.
Recognition and Cost:
- Cyber Essentials
Government-backed in the UK, but gaining recognition globally. Relatively low cost for certification.
- ISO 27001
Internationally recognised standard. Certification costs can be significantly higher than Cyber Essentials.
Choosing the Right Path:
- Cyber Essentials
Ideal for a foundational approach to cyber security, for organisations of all sizes, or for those working towards ISO 27001 certification.
- ISO 27001
Suited for organisations that require a more comprehensive information security framework, handle sensitive data, or operate in high-risk environments.
CurrentWare’s Controls for ISO 27001 Compliance
Ensure your ISMS is aligned with information security best practices with CurrentWare’s critical endpoint security and DLP controls. Book a demo with us today or learn more about CurrentWare’s controls for ISO27K compliance.
Resources and Next Steps
- CurrentWare’s Security Controls for Cyber Essentials Compliance
Seeking to become certified to the Cyber Essentials standard? CurrentWare’s solutions help you safeguard your business with advanced awareness and control over computer activity.
- Cyber Essentials: Requirements for IT Infrastructure v3.1 (Montpellier)
The official requirements for Cyber Essentials certification from the National Cyber Security Centre (NCSC).
- Cyber Essentials Plus Checklist
Follow this checklist to guide your Cyber Essentials Plus certification project.
- 10 Steps to Cyber Security
Detailed guidance from the NCSC on how larger organisations can protect themselves in cyberspace.
- Cyber Assessment Framework
The Cyber Assessment Framework (CAF) provides guidance for organisations responsible for vitally important services and activities.
- NCSC’s Incident Management Guidance
Guidance on how to effectively detect, respond to and resolve cyber incidents.
- Cyber Essentials Self-Assessment Preparation Booklet
The booklet is intended to help you understand the questions and take notes on the current setup in your organisation.
Other Frequently Asked Questions About Cyber Essentials Certification
Is Cyber Essentials Only For UK Organisations?
While Cyber Essentials originated in the UK and is backed by the UK’s National Cyber Security Centre (NCSC), it has growing global recognition. Here’s a breakdown of its applicability:
- Developed in the UK: Yes, the scheme was created by the UK government.
- Universally Relevant: The core principles of secure IT practices outlined in Cyber Essentials are universally applicable for organisations of all sizes, regardless of location.
- Increasing Popularity: While not mandatory everywhere, Cyber Essentials is gaining traction internationally, especially for organisations working with global partners.
- Not Universally Required: Unlike some international standards, it might not be explicitly required for compliance in all countries.
Benefits for International Organisations:
- Protection Against Common Cyber Attacks: The cyber security measures required by Cyber Essentials will protect your organisation against the most common cyber threats
- Demonstrates Strong Cyber Security: Cyber Essentials certification demonstrates a commitment to cyber security best practices, which can be valuable for any organisation, regardless of location. This is especially relevant for those working in a globalised environment where data security is paramount.
- Internationally Recognized (But Not Universal): It’s gaining recognition, potentially enhancing your reputation and credibility with international partners and clients.
Alternatives for Non-UK Organisations:
If you’re located outside the UK, consider exploring similar cyber security standards like:
- ISO 27001: An internationally recognised standard for information security management systems.
- NIST SP 800-171: The US requirements for protecting Controlled Unclassified Information in non-federal systems, widely used as a security baseline by US government suppliers.
How Much Does Cyber Essentials Cost?
The price of the Cyber Essentials self-assessment is set by IASME on a tiered scale based on employee count. A Cyber Essentials Plus assessment is quoted separately by your certification body and depends on the size and complexity of your network.
Organisation Size | Cyber Essentials Cost
---|---
Micro organisations (0-9 employees) | £320 + VAT (~$420 USD)
Small organisations (10-49 employees) | £440 + VAT (~$570 USD)
Medium organisations (50-249 employees) | £500 + VAT (~$650 USD)
Large organisations (250+ employees) | £600 + VAT (~$780 USD)
Outside of the direct cost for the Cyber Essentials assessment, you will also need to factor in related costs such as the cost of employee time, ongoing management of new tools, and the procurement process.
Additionally, Cyber Essentials certificates are valid for 12 months, so you are required to review your practices and renew your certification annually.
If you have questions, contact IASME, which provides advice and guidance on the scheme.
How Long Does It Take To Get Cyber Essentials?
The timeframe for achieving Cyber Essentials certification depends on a few factors:
- Type of Certification:
- Cyber Essentials: Achieved through a self-assessment and can be completed in a shorter timeframe.
- Cyber Essentials Plus: Involves an external assessment and typically takes longer.
- Your Organisation’s Cyber Security Level:
- If you already have strong cyber security controls in place, the process can be faster.
- If you need to implement new controls or address gaps, it will take longer.
Here’s a general breakdown:
- Cyber Essentials:
- Self-Assessment: Many organisations complete the self-assessment questionnaire in a few hours to a few days.
- Review and Feedback: The certification body typically takes 1-3 working days to review your submission and provide feedback.
- Total Time: On average, achieving Cyber Essentials through self-assessment can be completed within a few weeks.
- Cyber Essentials Plus:
- Preparation: May involve a pre-assessment to identify gaps and can take a few days.
- External Assessment: The on-site assessment itself usually takes 1-2 days.
- Remediation: If your organisation needs to address any findings, this can add additional time.
- Total Time: The overall process for Cyber Essentials Plus can take several weeks to complete, depending on your readiness and any remediation required.
Here are some additional points to consider:
- Complexity of your organisation: Larger organisations might require more time to implement controls and complete the process.
- Availability of the certification body: Scheduling the external assessment for Cyber Essentials Plus can impact the overall timeframe.
How Do I Check If An Organisation Holds A Valid Cyber Essentials Certificate?
The Cyber Essentials Certificate search on the IASME consortium’s website can be queried by name to find organisations holding a Cyber Essentials certificate issued in the last 12 months.
How Can I Get Free Cyber Liability Insurance With Cyber Essentials Certification?
Free cyber liability insurance is currently a UK-specific benefit. Organisations outside the UK won’t have access to this specific offer, but achieving Cyber Essentials certification still offers numerous advantages for cyber security and may make you more attractive for separate cyber liability insurance options.
You must fit the following criteria to be eligible for free Cyber Insurance:
- Your organisation must be certified with an IASME certification body
- Your organisation must have an annual turnover under £20,000,000
- Your organisation must be domiciled in the UK
- Your organisation must have Cyber Essentials Certification at either the basic or plus level
How to Get It:
- Achieve Cyber Essentials Certification: Follow the steps outlined previously, either through the self-assessment or with the Plus audit, using a certification body licensed by IASME.
- Review Insurance Details: After achieving certification, the certification body (like IASME) should provide information on the free cyber liability insurance and its specifics.
- Activate Your Coverage (if applicable): The specific process for activating your coverage might vary depending on the provider, so follow the instructions provided by the certification body.