General information about the scheme
Changes to the Cyber Essentials scheme in 2020
Cyber Essentials is a UK government scheme designed to help organisations of all sizes guard themselves against the most common Internet-based cyber security threats and to demonstrate their commitment to cyber security. From 1 April 2020, the IASME Consortium (IASME) became the Cyber Essentials partner with the NCSC (National Cyber Security Centre).
Why should we get a Cyber Essentials certificate?
The scheme sets out five basic security controls to protect organisations against around 80% of common cyber attacks, allowing you to focus on your core business objectives.
Benefits of the Cyber Essentials scheme include reassuring customers that you take cyber security seriously as well as attracting new business with the assurance that you have cyber security measures in place.
Cyber Essentials is designed to help organisations of any size demonstrate their commitment to cyber security – all while keeping the approach simple and the costs low.
If you supply – or want to supply – larger organisations that manage their third-party risks properly, the independent verification of your security posture provided by certification offers assurance that you will not endanger the supply chain.
If you want to apply for government contracts, you will need Cyber Essentials certification.
The Ministry of Defence mandates Cyber Essentials for all its new suppliers and their relevant supply chains.
Cyber Essentials certification now includes cyber liability insurance for any UK organisation that certifies the whole organisation and has less than £20 million annual turnover (terms apply).
What is required for certification to Cyber Essentials?
Organisations complete the IASME self-assessment questionnaire (SAQ). This must be verified and signed off by a member of the board or an equivalent signatory. It is then independently verified by a certification body trained and licensed to certify against the government’s Cyber Essentials scheme.
What is required for certification to Cyber Essentials Plus?
Cyber Essentials Plus provides a more advanced level of assurance and includes a technical audit of the systems that are in scope for Cyber Essentials. Organisations applying for Cyber Essentials Plus must also pass an on-site assessment and an internal vulnerability scan (these can be performed remotely in certain instances), plus an external vulnerability scan conducted by the certification body.
Who will conduct the assessments for Cyber Essentials and Cyber Essentials Plus?
Only certification bodies that have been trained and are currently licensed by IASME to certify against the government’s Cyber Essentials scheme can undertake assessments and issue certificates. IT Governance assessors are IASME trained and IT Governance is licensed to deliver Cyber Essentials and Cyber Essentials Plus certifications.
How long will it take between submitting our online SAQ and receiving our certificate?
For Cyber Essentials, it is possible to get from application to certification within a day or two, depending on your current security setup and speed of action. However, most organisations take about a fortnight to complete the assessment. This will be longer for Cyber Essentials Plus clients, which also need to arrange the on-site visit for the internal security assessment and successfully complete the external scan.
Application process
What can we expect from the Cyber Essentials application process?
The following describes the Cyber Essentials certification process using the IT Governance branded Cyber Essentials portal.
- Purchase one of our Cyber Essentials certification packages.
- You will be required to provide the email address and mobile phone number for the person responsible for completing and submitting the SAQ.
- Receive an email and SMS message with details needed to log in to the portal.
- Complete the scope and SAQ.
- Contact us before your first submission to undertake a precheck of your responses to the SAQ to determine whether you are likely to pass on that basis.
- Confirm all answers provided in the assessment have been approved at board level or equivalent. Signed confirmation will be required.
- The assessment is marked by one of our Cyber Essentials assessors, who will provide feedback with the result.
If the result is a ‘pass’:
- A Cyber Essentials certificate will be issued for you to download from the portal along with a copy of your assessment.
- IASME will contact you to provide your branding pack and insurance details (as applicable).
- The Cyber Essentials certification process is complete.
If the result is a ‘fail’:
- Review the feedback provided by your assessor. If you have purchased a Cyber Essentials package that includes consultancy support and you have support time remaining, one of our cyber security experts can help you understand how to address any non-compliant areas.
- You have two working days to resubmit. If you do not resubmit your application within this time, our certification guarantee is invalidated.
You have six months from purchase to complete your application, after which it will be archived automatically by IASME and you will need to purchase a new package to continue.
For Cyber Essentials Plus, there are additional steps for the internal assessment, including internal and external vulnerability scans. You will need to complete these steps within three months of achieving your last ‘basic level’ Cyber Essentials certification from an IASME-licensed certification body.
Certification
Where can we display our Cyber Essentials certificate?
On successfully passing all components of the Cyber Essentials application, your certificate will be available for download from the IT Governance branded Cyber Essentials portal. You will also receive a branding pack directly from IASME. The pack will include a Cyber Essentials certification mark that can only be displayed by organisations that have passed the relevant assessment within the last 12 months.
The badge can be displayed by authorised organisations on:
- Websites;
- Promotional material;
- Letterheads; and
- Email signatures.
How do we renew our Cyber Essentials certificate?
All new certificates issued under the IASME scheme from 1 April 2020 have a 12-month expiry date.
Recertifying is like having an annual MOT for your cyber security controls. It gives your IT an essential annual check to protect against a wide variety of the most common cyber attacks.
Cyber Essentials and Cyber Essentials Plus certification are annual subscription products and auto-renew in line with our terms and conditions. If you do not have an annual subscription, purchase your package here to get started.
If you do not recertify, you will no longer be certified under the Cyber Essentials scheme and will not be able to apply for contracts that require you to hold a valid Cyber Essentials certificate. You will be automatically removed from the directory of organisations awarded Cyber Essentials certification on the NCSC website after 12 months.
Guidance about the certification process
Cyber Essentials Certification and Precheck
What is included: Self-assessment and certification for Cyber Essentials
Who is it for: Organisations comfortable with preparing for certification without outside support. This service is for organisations with a good knowledge of all five security controls and that are comfortable carrying out all the preparations for certification. This knowledge is necessary to complete the SAQ. It is also suitable for organisations renewing a certificate when nothing has changed.
What is the precheck: A review of your self-assessment answers by one of our cyber security experts before your first submission. The precheck will assess your responses to the SAQ and determine whether you are likely to pass on that basis.
How many times can I request a precheck: Once, unless you have purchased consultancy time and have time remaining.
What if an application is submitted without a precheck: The application will be formally reviewed by an assessor, who will award a pass or fail along with your feedback. If you submit your application without a precheck before your first submission, our certification guarantee is invalidated.
Cyber Essentials certification guarantee
Our certification guarantee is based on your organisation implementing all the required controls and providing us with your application to check before your first submission.
If you submit your application without a precheck before your first submission, our certification guarantee is invalidated.
The precheck will assess your responses to the SAQ and determine whether you are likely to pass on that basis. If your organisation is awarded a fail at the first submission despite our precheck, we will then explain what you need to do in order to pass. If the correct amendments are made and submitted within two days and you are still not successful, we will cover the cost of repeating the Cyber Essentials basic certification.
This guarantee does not apply if the correct changes are not made, or the application is not resubmitted within the two-day window.
How can I get more guidance about the certification process?
If you need help with any aspect of the application process, such as understanding the scope of your assessment, answering the self-assessment questions, implementing the controls or understanding the non-compliant areas identified in the precheck, we recommend purchasing one of the following products:
- Get A Little Help: includes two hours’ remote consultancy/technical support with one of our cyber security experts to help you through the application process, as well as the Cyber Essentials documentation toolkit, which provides all the policies and procedures you need.
- Get A Lot Of Help: includes one full day of on-site or remote consultancy with one of our cyber security experts to provide guidance on completing the SAQ and how to implement the five security controls, as well as the Cyber Essentials documentation toolkit, which provides all the policies and procedures you need.
- Remote Consultancy Support: support via email, telephone or Microsoft Teams with one of our cyber security experts, available to purchase by the hour.
Defining the scope
How do we define the scope?
The scope should be clearly defined in terms of the organisation or business unit managing it, the network boundary and the physical location(s). Regardless of whether the whole or a part of the organisation is subject to certification, the name on the certificate must be consistent with the scope.
If you need advice about how to define the scope, purchase our Remote Consultancy Support for help from one of our cyber security experts.
How do we determine IP addresses? (Cyber Essentials Plus only)
Organisations applying for Cyber Essentials Plus will also need to test all their in-scope public-facing IP (Internet Protocol) addresses. An IP address is a unique number assigned to a device when it connects to the Internet.
If you need advice about how many IP addresses to test, purchase our Remote Consultancy Support for help from one of our cyber security experts.
What should we do if we have more than 16 IP addresses?
How do we determine how many workstations, mobile devices and build types need to be tested for Cyber Essentials Plus?
Cyber Essentials Plus involves a technical audit of the systems that are in scope for Cyber Essentials. This includes a representative set of workstations, mobile devices and build types used by the organisation with access to corporate data.
The IT Governance Cyber Essentials Plus assessor will randomly sample from the devices for internal testing. These devices must be end-user devices and cannot be built for the purpose of testing.
The number of builds is defined by the number of configurations of operating system and software suites installed. Examples of relevant software include:
- Oracle Java
- Adobe Acrobat
- Microsoft Office
- Adobe Flash
- Mozilla Firefox
- Google Chrome
- Opera
- Microsoft Internet Explorer
- Antivirus solution
If more than one browser or Office suite is used, each variant will need to be tested; it is acceptable for the variants to be installed on the same build. The table below can be used to determine the representative sample size for each build type:
| Number of devices by build type | Sample of devices to be tested |
| --- | --- |
| 1 | 1 |
| 2-5 | 2 |
| 6-19 | 3 |
| 20-60 | 4 |
| 61+ | 5 |
Example:

| Build type | Number in use | Sample to test |
| --- | --- | --- |
| Windows 8.1 device | 1 | 1 |
| Windows 10 version 1909 | 6 | 3 |
| Windows 10 version 2004 | 50 | 4 |
| Kali Linux device | 3 | 2 |
| Total sample size to be tested: | - | 10 |
If you need advice on understanding different build types or on how many sample devices need to be tested, purchase our Cyber Essentials Plus Vulnerability Scan Additional IPs.
What should we do if we have more than ten sample devices?
IT Governance’s Cyber Essentials Plus provides on-site testing at one location, of one type of user account, on up to ten sample devices.
If you need to test more than ten sample devices, you can purchase our Cyber Essentials Plus Certification - Additional Device Testing.
Vulnerability scanning
Why must we have vulnerability scans/penetration tests provided by a third party?
The scans are conducted to a common standard, as mandated by IASME for Cyber Essentials Plus certification. Including the scans as part of the certification process makes the application process more efficient and cost-effective. For this reason, only IASME-licensed certification bodies can conduct vulnerability scans as part of the Cyber Essentials Plus certification work.
Cyber Essentials and ISO 27001 certification
Should we apply for a Cyber Essentials badge in addition to our ISO 27001 certification?
Yes. Although ISO 27001 is seen as offering a more comprehensive level of assurance, a Cyber Essentials badge can be seen as a core indicator of cyber security. Some clients will also specifically require a Cyber Essentials certificate.
Can Cyber Essentials replace ISO 27001?
No. We recommend that Cyber Essentials is adopted in addition to ISO 27001. ISO 27001 offers various additional benefits, such as its international recognition and comprehensive approach. Because ISO 27001 includes controls focusing on information security continuity, it also provides an excellent foundation for a more comprehensive cyber resilience posture.
“You can use Cyber Essentials to try to stop low-level attacks from succeeding, but, realistically, some will get through your defences. How you recover from an attack falls entirely outside the scope of Cyber Essentials, so additional measures are essential.” – Alan Calder, Founder and Executive Chairman, IT Governance
Which should we start first: Cyber Essentials, ISO 27001, or both at the same time?
It will be more efficient to start both at the same time – IT Governance can help you with an integrated approach. However, depending on your resources, time commitments and budget, you could start with the Cyber Essentials scheme, which will give you an introduction to the world of certification, and then continue to ISO 27001 when you are ready.