Your Guide to Understanding Cyber Essentials

December 06, 2022

Cyberattacks on large corporations may make the news, but studies have found that a high volume of hacking incidents are reported by smaller businesses. To combat this problem, the UK government came up with Cyber Essentials – a simple, cost-effective cybersecurity framework that can easily be adopted by smaller businesses to protect themselves against common attacks. 

If you have just started your Cyber Essentials journey, you need an in-depth understanding of how it can protect you against a range of cyberattacks and ensure you do not fail your certification. 

What is Cyber Essentials?  

Cyber Essentials is a low-cost cybersecurity scheme backed by the UK government and supported by the National Cyber Security Centre (NCSC). It lists five basic security controls that can shield any organization, big or small, against 80% of common cyberattacks.  

When was Cyber Essentials launched?  

The Cyber Essentials framework was launched on June 5th, 2014, by the Department for Business, Innovation and Skills (BIS). The scheme was developed in collaboration with the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME), and the British Standards Institution (BSI).  

What is the purpose of Cyber Essentials? 

Cyber Essentials’ main purpose is to guide businesses through the first steps of managing cyber risk. Because most cyberattacks are carried out by unskilled attackers using common, opportunistic techniques, the scheme concentrates on the controls that stop those attacks. It helps organizations implement a minimum security standard that protects them from common cyberthieves.

Is Cyber Essentials mandatory?  

Unlike the General Data Protection Regulation (GDPR), Cyber Essentials is not mandatory. It is referred to as a scheme or framework that lists guidelines to secure your organization against 80% of cyberattacks. However, if you want to bid for certain government or defense contracts in the UK, you need to have a Cyber Essentials certification. 

Even though it is not covered by a binding regulation, it is considered a best practice that offers businesses a means to demonstrate their commitment to cybersecurity by achieving a Cyber Essentials certification. 

What does it mean to be Cyber Essentials certified?  

Whether you are a large organization or a small or midsize business (SMB), Cyber Essentials is an important certification. While not mandatory, it can help you demonstrate to your customers that you take the security of their data seriously.

Cyber Essentials Certification  

Whether you plan to do it on your own or hire an experienced MSP, Cyber Essentials is a smart first step for any organization. You can begin with a basic Cyber Essentials certification via a simple self-assessment to identify your vulnerabilities. Next, you implement the Cyber Essentials controls, allowing you to protect your organization against most cyberattacks. 

Cyber Essentials Plus Certification  

For larger organizations, a Cyber Essentials Plus certification should be your first choice. You will have to complete the online Cyber Essentials assessment before attempting the Cyber Essentials Plus assessment. If you already have a Cyber Essentials certification and want to upgrade to Cyber Essentials Plus, it must be done within three months of certification. The certification process involves a technical audit of your systems, an internal scan, an external vulnerability assessment and an on-site assessment. 

What is the difference between Cyber Essentials and ISO 27001? 

Many mistakenly assume that having an ISO 27001 certification is enough and that they do not need Cyber Essentials. If you are a business located in the UK or if you want to work with the UK government, you must consider a Cyber Essentials certification. Also, small businesses can benefit from the Cyber Essentials scheme since it is both cost-effective and easy to implement. 

Here are some of the key differences between the two: 

  • ISO 27001 focuses on the information, regardless of how it is stored, while Cyber Essentials focuses on information located within computers and IT networks.
  • ISO 27001 is more expensive and time-consuming than Cyber Essentials.
  • ISO 27001 is an internationally recognized standard. Although Cyber Essentials is recognized only in the UK, it is a good first step towards getting started with GDPR compliance.

How much does Cyber Essentials certification cost?  

The cost of Cyber Essentials certification follows a tiered pricing structure. It could range from £300 + VAT to £500 + VAT depending on the size of your organization. The Cyber Essentials Plus certification is more expensive and also varies depending on the size and complexity of your organization. The certification cost typically runs between £1,900 and £4,000 + VAT. 

How long does Cyber Essentials certification last?  

The Cyber Essentials scheme consistently updates its guidelines to keep up with the ever-evolving threat landscape. Since Cyber Essentials is reviewed every year, the UK government recommends renewing certification annually. Those who fail to renew their certification within a year are removed from the list of certified organizations. Usually, the accreditation body will send an email a month before the expiry of your certification, which should give you ample time to prepare for your assessment. The recertification process is the same as the certification process, and you would ideally be issued a renewed certificate within three days. 

However, overburdened IT professionals who are managing compliance with the expanding list of UK government and industry standards can take advantage of IT compliance management software. It can dramatically reduce the time and effort it takes for recertification and ensures you never fail an audit, saving you from a costly re-audit. 

How is Cyber Essentials assessed?  

Whether you have applied for Cyber Essentials or Cyber Essentials Plus, you will need detailed planning to complete the assessment. Once you enroll in the certification, you will receive login details to enter the site where you will complete the self-assessment questionnaire. You have three months to complete the assessment, after which you will have to reapply and pay the fee again to restart the process. 

The Cyber Essentials certification process requires you to strengthen the five technical controls of your IT infrastructure: firewalls, secure configuration, user access control, patch management and malware protection. You must complete and submit a self-assessment questionnaire for evaluation to prove that all five controls are covered and there are no gaps.

For Cyber Essentials Plus certification, you have to clear the basic Cyber Essentials certification process and then pass a remote or on-site audit performed by the certification body. If the audit finds gaps, you will be notified and have 15 days (about two weeks) to fix them. You can then go through the assessment once again. If you fail again, you start the entire process all over again.

Why are the five Cyber Essentials controls critical for your security?  

The Cyber Essentials assessment and certification scope covers the entire IT infrastructure of the applicant’s business, including the devices and software. BYODs (Bring Your Own Device) with access to organizational data or services also fall within the scope of Cyber Essentials.  

Whether you are applying for a Cyber Essentials or Cyber Essentials Plus certification, you are expected to implement the five main technical controls mentioned earlier across your entire organization, since they are critical for the security of your organization and can defend you against 80% of cyberattacks.

The five controls are: 

Firewalls and internet gateways – You need to ensure all your internet-connected devices are protected by a firewall or internet gateway that blocks unwanted inbound traffic. It is your first line of defense against cyberattacks.

Secure configuration – You need to ensure your organization is using only the software, accounts and applications that are necessary for routine workflows, and that unneeded defaults are removed or disabled. You also need to ensure every device and software platform has the appropriate security settings. Securing devices and software with biometrics (such as Touch ID), PINs and two-factor authentication is highly encouraged.

Access control – You should implement user access control by only allowing users to access what they need and blocking access to everything else. This will help you minimize damage in the event of an attack. 

Malware protection – The Cyber Essentials scheme requires you to implement at least one of three techniques to protect your organization against malware and viruses: antimalware software, sandboxing or application whitelisting (allow-listing).

Patch management – Cybercriminals can easily exploit known vulnerabilities in devices and software that have not been patched or updated. Keep your devices, operating systems and applications up to date, and apply vendor security updates promptly, to show compliance with Cyber Essentials.

Who is in charge of Cyber Essentials accreditation?  

Until 2019, there were five accreditation bodies. Since April 2020, IASME has been appointed as the sole Cyber Essentials Scheme Accreditation body by NCSC. 

What happens if you fail the Cyber Essentials assessment?  

To successfully clear the assessment, you have to ensure compliance at all levels. If you fail the assessment and certification process, you will receive input from IASME highlighting the areas that need improvement. You will be given ample time to fix the gaps and reapply. However, if you fail again, you will have to go through the entire process all over again. 

Save yourself time and money by opting for IT compliance software like Compliance Manager GRC. It reduces the likelihood of an audit failure, and costly re-audit, by allowing you to perform your own full assessment against the Cyber Essentials requirements and automatically generating an Auditor’s Checklist and associated evidence of compliance. 

Manage your Cyber Essentials Certification with Compliance Manager GRC

Compliance Manager GRC is the most efficient way to ensure all your IT requirements are being met, regardless of source. With Compliance Manager, you can easily prepare for the self-assessment attestation for the annual Cyber Essentials certification. Then, you can turn on the GDPR templates for both the UK and EU, and quickly see how far along you are toward compliance and what specific steps you need to take to achieve full compliance.

Compliance Manager GRC allows you to use your current IT security tools, software and systems to meet all your IT security and privacy requirements, starting with the Cyber Essentials framework. Request a demo.