What is Cyber Essentials?
The Cyber Essentials scheme is a world-leading, cost-effective assurance mechanism for companies of all sizes to help demonstrate to customers and other stakeholders that the most important basic cyber security controls have been implemented.
The Assurance Framework, leading to the awarding of Cyber Essentials and Cyber Essentials Plus certificates for organisations, has been designed in consultation with SMEs to be light-touch and achievable at low cost. The two certification options give organisations a choice over the level of assurance they wish to gain and the cost of doing so.
The five key controls
The two levels of certification
There are two levels of Cyber Essentials certification available to your organisation: Cyber Essentials and Cyber Essentials Plus.
The Cyber Essentials certification process includes a self-assessment questionnaire (SAQ) and an external vulnerability scan that independently verifies your security status.
Cyber Essentials is right for you if you meet all the criteria below:
You’re looking for base-level security certification to demonstrate that you have key controls in place.
Your employees are primarily office-based and their IT equipment is under your administration and typically does not leave your premises.
You have physical and technical controls for restricting access for third parties, such as clients and suppliers visiting your offices.
Cyber Essentials Plus
Cyber Essentials Plus certification includes all the assessments for the Cyber Essentials certification, plus an additional internal scan and an on-site assessment.
Cyber Essentials Plus is right for you if you meet any of the criteria below:
A client has specifically requested you achieve Cyber Essentials Plus.
Your employees work from remote locations, such as home or client sites, and your IT equipment is often outside of your premises.
Your business has multiple third parties with access to your premises or IT as visitors, partners or in a shared office environment.
The benefits of achieving Cyber Essentials certification
The Cyber Essentials scheme provides five security controls that, according to the UK government, could prevent “around 80% of cyber attacks”.
Whether or not you achieve certification to the scheme, these controls provide the basic level of protection that you need to implement in your organisation to protect it from the vast majority of cyber attacks, allowing you to focus on your core business objectives.
Properly implemented cyber security has the additional advantage of driving business efficiency throughout the organisation, saving money and improving productivity.
Achieving certification will also help you to address other compliance requirements such as the EU General Data Protection Regulation.
Protect your organisation from approximately 80% of cyber attacks
Implementing the five controls correctly will help protect your organisation.
Drive business efficiency
Focus on your core business objectives knowing that you are protected from the majority of cyber attacks.
Demonstrate security and help secure the supply chain
Demonstrate your commitment to protecting your own data and that of your customers and suppliers.
Work with the UK government and the MOD
Cyber Essentials will permit you to work with the UK government and Cyber Essentials Plus will give you the opportunity to work with the MOD.
Increase your chances of securing business
Boost your reputation and have a greater chance of winning contracts.
Reduce cyber insurance premiums
Cyber insurance agencies often look more favourably on organisations that have achieved Cyber Essentials certification.
Why choose IT Governance for Cyber Essentials certification?
IT Governance is the leading CREST-accredited certification body, and has awarded hundreds of certifications, with many more companies achieving certification every day. Our Cyber Essentials clients include Vodafone, Airbus Defence and Space Ltd, Action for Children, NHS Professionals and Lockheed Martin. See the full list of organisations we’ve certified to the Cyber Essentials scheme.
Background of the Cyber Essentials scheme
In 2012 the UK government launched its ‘10 Steps to Cyber Security’ and then in 2013 published ‘Small businesses: What you need to know about cyber security’, which encouraged organisations to consider whether they were managing their cyber risks. The government emphasised the need for company boards and senior executives to take ownership of these risks and enshrine them within their overall corporate risk management regime.
These initiatives continued to gain traction. However, government analysis of continuing attacks and feedback from industry vulnerability testers identified that a number of security controls were not being applied, leaving organisations vulnerable to threat actors with low levels of technical capability.
The government viewed the adoption of an organisational standard for cyber security as the next stage after the ‘10 Steps to Cyber Security’ guidance. This was in order to allow organisations, and their customers and partners, to have greater confidence in their ability to reduce the risk posed by threat actors with low technical capability.
Following the call for evidence on a preferred organisational standard in cyber security by the government and industry, the Cyber Essentials scheme was formalised in November 2013.