Frequently Asked Questions
Why Do We Need Cyber Essentials?
We live in a world where cyber-attacks are now a lucrative business model, used by criminals and states alike. This is partly due to the speed of growth of, and our increasing reliance on, connected technologies, both personally and professionally.
The risks keep growing: cyber-attacks have consistently increased by around 40% each year. With attacks becoming more sophisticated, the need for businesses to invest in cyber security and take it seriously has never been greater, and the repercussions of getting it wrong are huge.
It was to help address this situation that the National Cyber Security Centre (NCSC) and leading experts created a security standard that businesses could apply to help protect themselves. The result was ‘Cyber Essentials’, a certification that helps businesses understand and deliver the right security in the right areas, and helps to protect against 80% of common cyber threats.
Cyber Certification – Areas of Focus
Cyber Essentials certification was designed around 5 key pillars of security:
Your Security Configurations and Settings
Patch Management and Updates
Boundary Firewalls and Internet Gateways
Access and Administrative Controls
Protecting the business from Malware
By addressing vulnerabilities in each of these areas, you can reduce your exposure to the majority of common security threats.
What Does It Involve?
Cyber Essentials Basic is a series of self-assessment questions that, when answered, highlight and provide visibility of the areas of cyber risk your business is exposed to. This allows you to make changes and become a Cyber Essentials certified business.
You will need to work through all the questions; these are then assessed by the awarding body, and you will either pass or fail.
The basic level of Cyber Essentials (CE) does not require any vulnerability or third-party testing, unlike the higher Cyber Essentials Plus certification, which requires an audit of your answers.
Why Bother with Certification?
Being apathetic about security may work for a time, but threats are increasing and the risks to SME businesses (who are now the target for attack) are greater than ever, as are the fines! Cyber Essentials provides the blueprint for applying security standards to a business and will become the standard required for all businesses in the future.
We now have the General Data Protection Regulation (GDPR), and being able to demonstrate that you take data security and protection seriously is crucial. The Information Commissioner's Office (ICO) holds up CE certification as a solid example of working to secure data.
If you are in healthcare, or work in supplying any public-sector contracts or supply chain, you will soon need to have Cyber Essentials to keep working. The government is making it mandatory for anyone working on public contracts to have Cyber Essentials certification.
What are the Benefits of Cyber Essentials?
Reassure customers that you take security seriously
Attract new business by demonstrating your commitment to security
Marketing materials to promote your certification
Combat up to 80% of common cyber threats
Helps your business get GDPR-ready
Recognised by the ICO as a step to GDPR compliance
Allows you to work on Government contracts and in their supply chains
Provides assurance that your basic cyber security controls have been implemented
Free Cyber Liability Insurance
Reduce business costs as some insurers discount CE certified companies
Secures your business, reducing potential downtime and cost
Types of Questions
As mentioned earlier, the certification focuses on five key pillars of security and the questions have been designed around these.
The pass criteria are very strict and are set by the UK Government; you will need to get nearly all the questions right (compliant) to pass Cyber Essentials.
If, when answering a question, you find you are not compliant, our recommendation is to change your process or security control to meet the requirement, and in any case to add notes explaining why you are not compliant and what measures you can take to control the risk.
So what's in scope?
This is one of the most common questions, and it includes: Are home user devices included? What about Office 365? My company accesses a remote desktop environment, so are the PCs and laptops still in scope? What about staff's personal phones?
Basically, any devices used to access (and not necessarily store) company data are in scope. That is a very simple way of describing it, and the UK Government's NCSC changes the framework from time to time. If you would like to check what is covered in the Cyber Essentials assessment, you can download the government's Requirements for IT Infrastructure document here. The NCSC sometimes changes the link, so if you can't download the document please let us know. Typical questions look like these:
“Do you formally track which users have administrator accounts in your organisation?”
“Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?”
How Do I Complete Cyber Essentials?
We have a few options to suit your needs, each of which gives you a bespoke online portal in which to complete the questions and add notes to confirm compliance.
For each answer you need to add brief notes. This allows us to understand your company and controls better, makes the assessment process faster and makes it more likely that we will be able to understand your systems.
How Long Does Cyber Essentials Take?
The short answer is: how long is a piece of string! The time it takes depends on how well you know your systems and how much time you have to complete the answers. For some customers we have completed certifications within a couple of hours; others have taken a few months. It is all about you and the level of effort and resource you can apply. You do, however, have to complete the certification within 6 months.
What happens if I fail?
If you complete the basic DIY self-certification and fail, you are allowed two working days to examine the feedback from the assessor and fix any simple issues with your network and policies.
You can then provide the updated answers to the assessor, who will review them. If you still fail the certification after these two days, you will have to reapply and pay the assessment fee again.
For customers on our supported options, we pre-assess your answers before final submission to ensure everything is in order, so you don't have to pay any additional fees. This also helps to ensure you can pass Cyber Essentials on your first attempt.
What's the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a security standard outlined by the UK Government which defines a set list of requirements that your organisation will either meet or not meet. Cyber Essentials and Cyber Essentials Plus are based on the same list of requirements and are, therefore, the same standard. The difference is how it is assessed.
Cyber Essentials Plus is an extension of Cyber Essentials. You cannot become Cyber Essentials Plus certified without first being Cyber Essentials certified. Assessment is based on your answers to Cyber Essentials and is usually carried out on your premises by logging into one or more of your devices. Your anti-malware practices are tested by sending e-mails and navigating to URLs containing different types of files, and monitoring how those files can be accessed by different users. Furthermore, vulnerability scanning is performed on a sample of devices and on the entry points to your systems (firewalls). One of our certification bodies will visit your office and perform a test that is in line with the Cyber Essentials requirements. Every certification body has the same test process; however, the costs may vary.
Why don't you offer fixed price Cyber Essentials Plus?
We believe in offering the best value to our clients. This is why our clients return year after year. Certification bodies who offer fixed-price Cyber Essentials Plus usually operate using tiered pricing, so their price has to accommodate the worst-case scenario.
Our Cyber Essentials Plus quotations are based on the amount of time it will take an assessor to test your systems.
This is quoted on an individual basis and can vary depending on factors such as:
Complexity of network
Number of employees
Number & configuration of workstations and servers
Number of sites
If you have ISO 27001 certification, do you still need Cyber Essentials?
This depends on your situation. If a client has requested that your organisation be Cyber Essentials certified, an ISO 27001 certification will not satisfy this request. ISO 27001 is a more comprehensive certification, whereas Cyber Essentials ensures that the core elements of your security are up to National Cyber Security Centre (NCSC) standards. So, in short, certification in ISO 27001 does not guarantee compliance with Cyber Essentials.
How long does certification last?
Your certification lasts for 12 months, at which point you will need to reapply for certification. If you opt for any of our supported packages, your previous answers will be stored, so you will only need to address those that have changed since you were previously certified. Our DIY package uses a different portal which does not save previous years' answers.