Cyber Essentials

Cyber Essentials is a Government backed certification scheme that encourages organisations to adopt good principles in information security. It helps organisations avoid the most common online risks, reducing the chances of becoming a victim of a cyberattack by at least 80%.

Absolutely. The National Cyber Security Centre (NCSC) researched why UK businesses were targeted by cybercriminals and formed the Cyber Essentials scheme in conjunction with UK businesses to ensure that it met their needs. Each year, the scheme is reviewed to ensure that it reflects the changing cyber security risks.

Cyber Essentials is recommended by the Information Commissioner’s Office (ICO). The ICO guide to IT security for the smaller business explains some of the technical measures that an organisation can take to demonstrate compliance with the EU General Data Protection Regulation (EU GDPR) and the UK Data Protection Act (DPA).

Find out more in our blog, ‘Are self-assessed certifications credible?’.

Cyber Essentials requirements fall into five control themes:

• Securing your Internet connection (firewalls and routers)
• Securing your devices and software (secure configuration)
• Control access to your data and services (access control)
• Protection against viruses and other malware (malware protection)
• Keeping your devices and software up to date (software updates)

The scope of the certification can be the whole IT infrastructure or just a sub-set of it (e.g. just one office or a single department).

Getting Cyber Essentials will have many benefits for your organisation, it:

• Reduces vulnerability to cyberattacks
• Helps you stand out from your competitors
• Ticks the box for many public sector tenders
• Gives your employees confidence that they are doing the right things

As well as protecting your business, Cyber Essentials also reassures customers, employees and other stakeholders that you have taken a proactive approach to securing your network and their data.

Some public sector and Government contracts already require Cyber Essentials. Our clients report that it’s frequently a requirement listed in other tenders too. Once you’ve achieved Cyber Essentials, your organisation will be listed on the NCSC website.

Finally, for organisations with a turnover of less than £20m, £25,000 of free cyber insurance is available on successful certification.

Cyber Essentials requires annual self-assessment against a number of qualifying requirements. These are changed to reflect the evolving cyber threat, so by participating in Cyber Essentials you can be sure that you are following recommendations by industry experts.

The assessment must be reviewed and a declaration completed by a member of the board. Your answers will be checked by a qualified assessor who will decide if you meet the requirements or if further work is needed. We’ll never encourage you to submit your assessment unless we’re confident that you will pass. This means you have no risk of having to pay twice.

The question set is changing on the 26th April. Please contact us for a copy of the new question set. If you’d like an overview of the changes, join our free webinar on ‘What’s Changed in Cyber Essentials‘, to be held on May 27th. 

Don’t worry if you don’t immediately have the answers you need to hand. We’ll help you gather the information needed from in-house and outsourced IT teams and implement any changes necessary to achieve compliance.

Yes, we have the experience to know exactly what’s required and often receive compliments from assessors on the level of care that we take. Rather than use ‘stock answers’, pull down menus or tick boxes, we write detailed responses which will provide you with a record of what has been done. You can reuse this information in tenders and in future re-certification assessments.

Yes, lots! It’s really important that we share information with you throughout the process. At the start, we’ll help you understand the five controls which underpin Cyber Essentials. When we’ve conducted a gap analysis, we’ll share the reasoning behind our suggested improvements. As we coordinate changes with in-house and outsourced IT teams, we’ll keep you informed on progress. Finally, we’ll ensure that you review, understand and agree with our draft assessment answers. Only then, will we ask you to complete the required declaration that your submission is an accurate reflection of what’s happening in your business.

Whereas Cyber Essentials requires self-assessment, Cyber Essentials Plus is verified by a technical expert. This third-party assessment offers even more reassurance to you and your stakeholders.

You must achieve Cyber Essentials first and apply for Cyber Essentials Plus within 12 weeks of achieving your Cyber Essentials certification.

Our step-by-step approach makes Cyber Essentials simple. We’re proud of our 100% success rate – all our clients have passed at the first attempt with our help!

Firstly, we’ll help you understand the requirements without overwhelming you with jargon. We’ll also liaise with your IT team – whether in-house or outsourced – to secure the information required to benchmark your existing measures against the scheme. Then, we’ll develop an action plan which addresses any areas of weakness and provide the support you need to implement changes. Finally, we’ll provide you with a full draft of your Cyber Essentials submission (please note, a Director of your organisation must submit this).

If you’ve already failed your Cyber Essentials certification, don’t worry. We’ve helped many companies achieve Cyber Essentials at their second attempt. Simply contact us to explore how we can help. 

The cost of our Cyber Essentials support depends upon the complexity of your network. As a guide, our fixed price consultancy service starts at £1,295. Renewal is normally less, depending on changes in the question set and in your organisation. The cost of the Cyber Essentials assessment itself is £300+VAT.

The cost of a Cyber Essentials Plus assessment will depend on the size and complexity of your IT structure, but prices start at £1,995.

Please contact us to discuss our payment plans.

This will depend on the size of your organisation, the number of devices and how well maintained your current environment is. However, for the majority of clients, we can achieve Cyber Essentials within four to six weeks of the project commencing.

We don’t promise same day certification as we want to allow adequate time to prepare for your certification. This will allow you to thoroughly embed your new procedures, processes and measures. Doing so will improve your protection in the long-term.

Once you have submitted your Cyber Essentials assessment via the online portal, you should receive results within three working days. It may be possible for us to get this speeded up for you if you have a tight deadline.

A Cyber Essentials Plus assessment will take a little longer as it will have to be arranged with the external auditor. However, this can normally be completed within a few days.

Yes. You will receive both. We will also provide you with a Promotion Power Pack to help you promote your achievement. You will also be added to the NCSC’s register of companies who have achieved Cyber Essentials and be entitled to free insurance, if your turnover is under £20m (terms apply).

It lasts for 12 months. We’ll contact you before your renewal to help you through re-certification.

Yes, Cyber Essentials will cost your business much less than a successful cyberattack. According to the Cyber Security Breaches Survey (2020), almost half of all businesses (45%) reported having a cyber security breach or attack in the previous 12 months. The average (mean) cost of all cyber security breaches with material outcomes is estimated to be £3,230. For medium and large firms, this rises to £5,220.

It’s worth noting that businesses are at increased risk of cybercrime and can suffer multiple attacks and breaches, making costs rocket. Of these businesses reporting a breach or attack, 32% reported experiencing issues at least once a week and one in five (19%) lost money and/or data as a result of cybercrime. Even more worryingly, two in five (39%) were negatively impacted in other ways, such as having staff time diverted, having to implement new measures or experiencing wider business disruption.

We believe that Cyber Essentials is a cost-effective way to protect all organisations against the obvious and hidden costs of cyber threats. By eliminating your weaknesses once, you could save money many times over.

Cyber Essentials is not mandatory.  However, it’s often a requirement of public sector tenders and is becoming increasingly popular.

Some clients proceed to Cyber Essentials Plus. Others opt for the IASME Governance scheme, which expands on Cyber Essentials to meet the many of the fundamental requirements of ISO27001 and drives compliance with the EU GDPR and the UK Data Protection Act.

Some organisations also opt to implement ISO27001, the Information Management Standard, especially if they already have ISO9001 (Quality). The two can work in harmony as part of an Integrated Management System (IMS). 

Cyber Essentials covers the basics of protecting your IT systems. ISO27001 is an advanced information management system which offers even more protection and a host of other benefits. But it’s not a question of either Cyber Essentials or ISO27001. Like Risk Evolves, you should have both.

You can find out more in our blog about the differences between Cyber Essentials and ISO27001 or our case studies on our IASME and Cyber Essentials and ISO27001 certifications. 

Since becoming Cyber Essentials certified ourselves in 2015, we’ve helped our clients pass over 200 Cyber Essentials assessments.