What is the Cyber Essentials scheme?
Cyber Essentials is a UK government assurance scheme, based on its "10 Steps to Cyber Security" and administered by the NCSC (National Cyber Security Centre).
It has two functions:
- To set out the five basic cyber security controls that organisations should implement to protect themselves from “around 80% of common cyber attacks”; and
- To provide a simple and affordable mechanism – through the Assurance Framework's two levels of independent certification, Cyber Essentials and Cyber Essentials Plus – for organisations to demonstrate that they have implemented essential cyber security measures.
IT Governance is a CREST-accredited certification body for the Cyber Essentials scheme. Our fixed-price packages can help your organisation achieve certification quickly and easy, whatever your budget or level of technical expertise.
Cyber Essentials Assurance Framework
There are two levels of certification under the Assurance Framework: Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials includes an SAQ (self-assessment questionnaire) and an external vulnerability scan. The certification process has been designed to be lightweight and easy to follow.
Cyber Essentials is right for you if:
- You’re looking for base-level security certification to demonstrate that you have key controls in place.
- Your employees are primarily office-based and their IT equipment is under your administration and typically does not leave your premises.
- You have physical and technical controls for restricting access for third parties, such as clients and suppliers visiting your offices.
Cyber Essentials Plus certification continues to offer a simple approach to cyber security. The protections you need to have in place are the same, but it includes an additional internal scan and an on-site assessment.
Cyber Essentials Plus is right for you if:
- A client has specifically requested you achieve Cyber Essentials Plus.
- Your employees work from remote locations, such as home or client sites, and your IT equipment is often outside of your premises.
- Multiple third parties have access to your premises or IT as visitors, partners, or in a shared office environment.
Why is Cyber Essentials so useful?
There are significant advantages to becoming Cyber Essentials certified.
The government's Cyber Security Breaches Survey 2018 found that 56% of businesses hold personal data electronically. Of these, 47% experienced breaches or attacks in the last 12 months.
Since the GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018 came into effect, all organisations that process personal data must implement appropriate technical and organisational measures to ensure its security or risk administrative fines of up to €20 million or 4% of annual global turnover – whichever is greater.
Implementing the Cyber Essentials controls is recognised by the ICO (Information Commissioner’s Office) as one of many ways of demonstrating that organisations are taking action to mitigate the risks they face, especially if those risks are of a low level.
Larger organisations, those with more complex environments or lower risk appetites or those that face a higher level of risks, including targeted attacks, would do well to adopt a more mature level of cyber security, such as an ISMS (information security management system) that complies with the international standard ISO 27001.
Find out more about the relationship between Cyber Essentials and ISO 27001 >>
Certification to the scheme isn’t just useful for legal compliance. A Cyber Essentials badge helps win and maintain contracts – Zurich’s SME Risk Index found that a quarter (25%) of medium-sized organisations reported having being asked by prospective customers about the cyber security measures they had in place.
Read more about the benefits of Cyber Essentials >>
Cyber Essentials adoption
Industries, especially public bodies or those organisations wishing to connect to public networks, are increasingly adopting Cyber Essentials to verify that basic cyber security controls are in place and functioning properly.
All suppliers bidding for government contracts that involve the handling of sensitive and personal information and provision of certain technical products and services are required to be compliant with the scheme’s controls.
- In healthcare, Cyber Essentials Plus certification satisfies multiple conditions of the DSP (Data Security and Protection) Toolkit, which NHS industry partners have been required to comply with& since April 2018. Cyber Essentials Plus can help speed up the connectivity and supply process by fulfilling and prepopulating compliance statements within the DSP Toolkit portal.
- For all MoD (Ministry of Defence) advertised requirements, suppliers are required to have a Cyber Essentials certificate that must be renewed annually. This requirement must be flowed down the supply chain.
Free guide: Cyber Essentials: A guide to the scheme
For further information about the business benefits of achieving certification and to find out how Cyber Essentials can help guard you against cyber threats, download our free Cyber Essentials guide.
- Learn about the five controls and the specific requirements of the scheme.
- Discover what is and is not in scope.
- Learn how to become CREST-certified.
- Find solutions that meet your requirements.
Shop our bestselling Cyber Essentials solutions
We have all the tools and resources needed to achieve CREST-accredited certification at both levels of the Cyber Essentials scheme.