Protection against common cyberthreats
Cyber Essentials is a UK Government scheme that helps organisations protect themselves against the most common threats from the internet. It covers five main technical controls including securing connections, protection against viruses and other malware, and controlling access to data and services.
There are two variants of Cyber Essentials. The ‘basic’ Cyber Essentials is the most popular. This contains 70 self-assessment questions which are independently verified. Cyber Essentials Plus also includes an independent technical audit for additional peace of mind.
Benefits of Cyber Essentials
Withstand 80% of the most common cyberattacks
Raise awareness of cyber risks amongst staff
Reassure stakeholders
Shortcut supply chain questionnaires and tender for Government contracts
Help you to demonstrate to the Information Commissioner’s Office (ICO) that you have adopted technical measures as required by the UK Data Protection Act (DPA)
Join the list of certified organisations on the National Cyber Security Centre website
Enjoy free cyber insurance (if your turnover is below £20m)
How we can help you achieve Cyber Essentials certification
Our Cyber Essentials experts guide our clients through the certification process to make it as painless as possible.
Our step-by-step approach and ability to communicate technical concepts without jargon have contributed to our 100% success rate, so you can be sure that you’ll be in safe hands.
If you don’t know your firewalls from your routers, don’t worry. If you have outsourced your IT to a third party, we’ll ask them questions on your behalf.
Are you confused by the recent changes to Cyber Essentials? Give us a call or find out more in our short ‘What’s Changed in Cyber Essentials’ webinar on May 27th. Register now to secure your free place.
Are you interested in Cyber Essentials?
The Cyber Essentials Self-Assessment Preparation Booklet will help you understand the questions you must complete in order to submit your Cyber Essentials application for certification. Your download includes a printable PDF with notes fields and a handy Excel spreadsheet for your answers.
Getting started with certification
Approaching audits with confidence
How we can help you maintain Cyber Essentials compliance
You’ll need to be recertified to Cyber Essentials every 12 months. As of April 26th 2021, the requirements are changing. You can find out more in our blog or by registering for our ‘What’s Changed in Cyber Essentials’ webinar on May 27th. Sign up now to reserve your place.
We’ll tell you what you need to do to be re-certified, so you can ensure that your business is protected against the most common risks. We’ll be on hand to help and we have a network of experienced managed service partners who can provide more technical support, if needed.
You can also enjoy all-year-round access to one of our cyber security experts as part of our Compliance as a Service.
Beyond Cyber Essentials
Cyber Essentials represents an organisation’s first step on the ladder of data security certifications. IASME Governance includes Cyber Essentials and introduces an information security management system to an organisation. It also includes an assessment against the requirements of the UK GDPR and UK Data Protection Act. It’s a cost-effective way to reassure clients, employees and other stakeholders that you take good care of their personal data.
Alternatively, if you operate an ISO management system, you could implement ISO27001. This is the internationally recognised Information Security Management Standard designed to integrate with ISO9001 (Quality), ISO14001 (Environmental) and/or ISO45001 (Health & Safety). We would always recommend that you implement Cyber Essentials alongside ISO27001 as a complementary certification.
Getting started
Prevention is always better than cure.
You protect your buildings through alarms, CCTV and smoke detectors, so why not give the same level of protection to your valuable data assets?
Contact us today to explore how we can help safeguard your company’s future.
FAQs
Cyber Essentials is a Government-backed certification scheme that encourages organisations to adopt good principles in information security. It helps organisations avoid the most common online risks, reducing the chances of becoming a victim of a cyberattack by at least 80%.
Absolutely. The National Cyber Security Centre (NCSC) researched why UK businesses were targeted by cybercriminals and formed the Cyber Essentials scheme in conjunction with UK businesses to ensure that it met their needs. Each year, the scheme is reviewed to ensure that it reflects the changing cyber security risks.
Cyber Essentials is recommended by the Information Commissioner’s Office (ICO). The ICO guide to IT security for the smaller business explains some of the technical measures that an organisation can take to demonstrate compliance with the EU General Data Protection Regulation (EU GDPR) and the UK Data Protection Act (DPA).
Find out more in our blog, ‘Are self-assessed certifications credible?’.
Cyber Essentials requirements fall into five control themes:
- Securing your Internet connection (firewalls and routers)
- Securing your devices and software (secure configuration)
- Controlling access to your data and services (access control)
- Protection against viruses and other malware (malware protection)
- Keeping your devices and software up to date (software updates)
The scope of the certification can be the whole IT infrastructure or just a sub-set of it (e.g. just one office or a single department).
Achieving Cyber Essentials has many benefits for your organisation. It:
- Reduces vulnerability to cyberattacks
- Helps you stand out from your competitors
- Ticks the box for many public sector tenders
- Gives your employees confidence that they are doing the right things
As well as protecting your business, Cyber Essentials also reassures customers, employees and other stakeholders that you have taken a proactive approach to securing your network and their data.
Some public sector and Government contracts already require Cyber Essentials. Our clients report that it’s frequently a requirement listed in other tenders too. Once you’ve achieved Cyber Essentials, your organisation will be listed on the NCSC website.
Finally, for organisations with a turnover of less than £20m, £25,000 of free cyber insurance is available on successful certification.
Cyber Essentials requires annual self-assessment against a number of qualifying requirements. These are changed to reflect the evolving cyber threat, so by participating in Cyber Essentials you can be sure that you are following recommendations by industry experts.
The assessment must be reviewed and a declaration completed by a member of the board. Your answers will be checked by a qualified assessor who will decide if you meet the requirements or if further work is needed. We’ll never encourage you to submit your assessment unless we’re confident that you will pass. This means you have no risk of having to pay twice.
The question set is changing on the 26th April. Please contact us for a copy of the new question set. If you’d like an overview of the changes, join our free webinar on ‘What’s Changed in Cyber Essentials’, to be held on May 27th.
Don’t worry if you don’t immediately have the answers you need to hand. We’ll help you gather the information needed from in-house and outsourced IT teams and implement any changes necessary to achieve compliance.
Yes, we have the experience to know exactly what’s required and often receive compliments from assessors on the level of care that we take. Rather than use ‘stock answers’, pull down menus or tick boxes, we write detailed responses which will provide you with a record of what has been done. You can reuse this information in tenders and in future re-certification assessments.
Yes, lots! It’s really important that we share information with you throughout the process. At the start, we’ll help you understand the five controls which underpin Cyber Essentials. When we’ve conducted a gap analysis, we’ll share the reasoning behind our suggested improvements. As we coordinate changes with in-house and outsourced IT teams, we’ll keep you informed on progress. Finally, we’ll ensure that you review, understand and agree with our draft assessment answers. Only then will we ask you to complete the required declaration that your submission is an accurate reflection of what’s happening in your business.
Whereas Cyber Essentials requires self-assessment, Cyber Essentials Plus is verified by a technical expert. This third-party assessment offers even more reassurance to you and your stakeholders.
You must achieve Cyber Essentials first and apply for Cyber Essentials Plus within 12 weeks of achieving your Cyber Essentials certification.
Our step-by-step approach makes Cyber Essentials simple. We’re proud of our 100% success rate – all our clients have passed at the first attempt with our help!
Firstly, we’ll help you understand the requirements without overwhelming you with jargon. We’ll also liaise with your IT team – whether in-house or outsourced – to secure the information required to benchmark your existing measures against the scheme. Then, we’ll develop an action plan which addresses any areas of weakness and provide the support you need to implement changes. Finally, we’ll provide you with a full draft of your Cyber Essentials submission (please note, a Director of your organisation must submit this).
If you’ve already failed your Cyber Essentials certification, don’t worry. We’ve helped many companies achieve Cyber Essentials at their second attempt. Simply contact us to explore how we can help.
The cost of our Cyber Essentials support depends upon the complexity of your network. As a guide, our fixed price consultancy service starts at £1,295. Renewal is normally less, depending on changes in the question set and in your organisation. The cost of the Cyber Essentials assessment itself is £300+VAT.
The cost of a Cyber Essentials Plus assessment will depend on the size and complexity of your IT structure, but prices start at £1,995.
Please contact us to discuss our payment plans.
This will depend on the size of your organisation, the number of devices and how well maintained your current environment is. However, for the majority of clients, we can achieve Cyber Essentials within four to six weeks of the project commencing.
We don’t promise same-day certification, as we want to allow adequate time to prepare for your certification. This will allow you to thoroughly embed your new procedures, processes and measures. Doing so will improve your protection in the long term.
Once you have submitted your Cyber Essentials assessment via the online portal, you should receive results within three working days. It may be possible for us to expedite this for you if you have a tight deadline.
A Cyber Essentials Plus assessment will take a little longer as it will have to be arranged with the external auditor. However, this can normally be completed within a few days.
Yes. You will receive both. We will also provide you with a Promotion Power Pack to help you promote your achievement. You will also be added to the NCSC’s register of companies who have achieved Cyber Essentials and be entitled to free insurance, if your turnover is under £20m (terms apply).
It lasts for 12 months. We’ll contact you before your renewal to help you through re-certification.
Yes, Cyber Essentials will cost your business much less than a successful cyberattack. According to the Cyber Security Breaches Survey (2020), almost half of all businesses (45%) reported having a cyber security breach or attack in the previous 12 months. The average (mean) cost of all cyber security breaches with material outcomes is estimated to be £3,230. For medium and large firms, this rises to £5,220.
It’s worth noting that businesses are at increased risk of cybercrime and can suffer multiple attacks and breaches, making costs rocket. Of these businesses reporting a breach or attack, 32% reported experiencing issues at least once a week and one in five (19%) lost money and/or data as a result of cybercrime. Even more worryingly, two in five (39%) were negatively impacted in other ways, such as having staff time diverted, having to implement new measures or experiencing wider business disruption.
We believe that Cyber Essentials is a cost-effective way to protect all organisations against the obvious and hidden costs of cyber threats. By eliminating your weaknesses once, you could save money many times over.
Cyber Essentials is not mandatory. However, it’s often a requirement of public sector tenders and is becoming increasingly popular.
Some clients proceed to Cyber Essentials Plus. Others opt for the IASME Governance scheme, which expands on Cyber Essentials to meet many of the fundamental requirements of ISO27001 and drives compliance with the EU GDPR and the UK Data Protection Act.
Some organisations also opt to implement ISO27001, the Information Security Management Standard, especially if they already have ISO9001 (Quality). The two can work in harmony as part of an Integrated Management System (IMS).
Cyber Essentials covers the basics of protecting your IT systems. ISO27001 specifies a more advanced information security management system (ISMS) which offers even more protection and a host of other benefits. But it’s not a question of either Cyber Essentials or ISO27001. Like Risk Evolves, you should have both.
You can find out more in our blog about the differences between Cyber Essentials and ISO27001 or our case studies on our IASME and Cyber Essentials and ISO27001 certifications.
Since becoming Cyber Essentials certified ourselves in 2015, we’ve helped our clients pass over 200 Cyber Essentials assessments.
Anonymous
ISO9001 was an achievement; an even bigger deal was to raise the health and safety culture of the organisation.
Anonymous
GDPR compliance will increase our value to clients.
Anonymous
Customer feedback gained as part of our ISO9001 certification has led to the development of popular new services including GDPR Critical Friend.
Anonymous
Very quietly thrilled to bits to get our accreditation under the new standard without any issues. Helps the business with proposals to blue chip clients.
- Transcription City
- Sam Wood
- Director
It made a massive difference to have ISO explained in layman’s terms. It’s very easy to ask questions and you aren’t left understanding less! You just call or email and it’s in a way that’s simple to understand.
Anonymous
Friendly and informative.
Anonymous
Our clients appreciate that we practice what we preach and can share real-life experience of running an ISO certified business. We’re certified to ISO9001 and were the first UK client of NQA to certify to both ISO27001 and ISO27701.
Anonymous
The internal audit and IASME application have been a positive experience for The Changing Education Group… made possible by the high quality support and guidance offered by the Risk Evolves team.
Anonymous
Helen represents the small business community effectively and with vigour as the Cyber Crime Ambassador for FSB Coventry and Warwickshire, working alongside local and national government to ensure small businesses have a voice.
Anonymous
Cyber security is scary! Helen gave me the confidence to know we could… minimise these types of risks. She has given me peace of mind.
Anonymous
We are in a safer place now than we were 12 months ago. Starting with two factor authentication. The culture of the organisation is in a better place and we were in a better place for lockdown too.
- SIS Systems (UK) Ltd
- Adam Middleton
- Managing Director
We do recommend Risk Evolves. Not only do they offer great service and value for money they have also imparted valuable knowledge, understanding and belief across the organisation. The net result is more business.
- Jay's Logistics (South West) Ltd
Anonymous
Our ISO9001 certification has enabled us to deliver logistics services to Hinkley Point and to its suppliers, as well as operating at a more efficient and safe level. The power station isn’t due for completion until 2025, so this contract has provided stability at a time of great for the logistics industry.
- Transcription City
- Sam Wood
- Director
It was more work than I’d expected. I soon realised I needed help to fully understand the requirements and embed the standards so they would work for my business. I approached British Assessment Bureau for help. They recommended Risk Evolves. Twelve weeks later, we passed our remote audit and achieved certification.