Frequently Asked Questions
Why Do We Need Cyber Essentials?
We live in a world where cyber-attacks are now a lucrative business model used by both criminals and states. This is partly due to the speed of growth of, and our increasing reliance on, connected technologies, both personally and professionally.
The risks keep on growing, and cyber-attacks have consistently grown by around 40% each year. With attacks becoming more sophisticated, the need for businesses to invest in and take cyber security seriously has never been greater, and the repercussions for getting it wrong are huge.
It was to help address this situation that the National Cyber Security Centre (NCSC) and leading experts created a security standard that businesses could apply to help protect themselves. The result was ‘Cyber Essentials’, a certification that helps businesses to understand and deliver the right security in the right areas, and which helps to protect against 80% of common cyber threats.
Cyber Certification – Areas of Focus
Cyber Essentials certification was designed around 5 key pillars of security:
Your Security Configurations and Settings
Patch Management and Updates
Boundary Firewalls and Internet Gateways
Access and Administrative Controls
Protecting the business from Malware
By addressing vulnerabilities in each of these areas, you can reduce your risk to the majority of common security threats.
What Does It Involve?
Cyber Essentials Basic is a series of self-assessment questions which, when answered, will highlight and provide visibility of the areas of cyber risk your business is exposed to. This allows you to make changes and become a Cyber Essentials certified business.
You will need to work through all the questions; these will subsequently be assessed by the awarding body, and you will pass or fail.
The basic level of Cyber Essentials (CE) does not require any vulnerability or third-party testing, unlike the higher Cyber Essentials Plus certification, which requires an audit of your answers.
Why Bother with Certification?
Being apathetic about security may work for a time, but threats are increasing and the risks to SME businesses (who are now the target for attack) are greater than ever, as are the fines! Cyber Essentials provides the blueprint for applying security standards to a business and will become the standard required for all businesses in the future.
We now have the General Data Protection Regulation (GDPR), and being able to demonstrate that you take data security and protection seriously is crucial. The Information Commissioner's Office (ICO) holds the CE Certification up as a solid example of working to secure data.
If you are in healthcare or work in supplying any public-sector contracts or supply chain, you need to have Cyber Essentials to keep working. The government has made it mandatory for anyone working in public contracts to have Cyber Essentials Certification to tender for contracts.
What are the Benefits of Cyber Essentials?
Reassure customers that you take security seriously
Attract new business by demonstrating your commitment to security
Marketing materials to promote your certification
Combat up to 80% of common cyber threats
Recognised by the ICO as a step to GDPR compliance
Allows working in Government contracts/Supply chain
Provides assurance that your basic cyber security controls have been implemented
Free Cyber Liability Insurance
Reduce business costs as some insurers discount CE certified companies
Secures your business reducing potential downtime and cost
Types of Questions
As mentioned earlier, the certification focuses on five key pillars of security and the questions have been designed around these.
The very strict pass criteria are set by the UK Government, and you will need to get nearly all the questions right (compliant) to pass Cyber Essentials.
When answering some questions, if you find you are not compliant, our recommendation would be to change your process/security to meet the requirements and, certainly, to add notes explaining why you are not compliant and what measures you can take to control the risk.
So what's in scope?
This is one of the most common questions and includes: Are home user devices included? What about Microsoft 365? My company accesses a remote desktop environment, so are the PCs and laptops still in scope? What about staff's personal phones?
Basically, any devices used to access (and not necessarily store) company data are in scope. That's a very simple way of describing it, and the UK Government's NCSC changes the framework from time to time. If you would like to check what's covered in the Cyber Essentials assessment, you can download the government's Requirements for IT Infrastructure document here. The NCSC sometimes changes the link, so if you can't download the document please let us know.
“How do you formally track which users have administrator accounts in your organisation?”
“Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?”
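The first of these sample questions asks for a formal, repeatable record of who holds administrator rights. The PowerShell script below is an added example (not code from the page or from the certification body) of one way to produce that record for Windows devices: it enumerates the local Administrators group on each machine over PowerShell remoting, captures the OS edition and build alongside each member so the same export also supports scoping, writes a dated CSV as the audit artefact, and then lists any member that is not on an approved list. The hostnames and the approved list are constructed placeholders; the script assumes WinRM remoting is enabled and that the account running it has administrative rights on each target.

```powershell
# Added example: auditable snapshot of local Administrators group membership.
# Assumes PowerShell remoting (WinRM) is enabled on each target and that the
# caller has admin rights there. Hostnames below are constructed placeholders.
$Computers = @('WS-ACCOUNTS-01', 'WS-SALES-02', 'SRV-FILE-01')

$Collected = (Get-Date).ToString('s')

$Report = foreach ($Computer in $Computers) {
    try {
        Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            # OS edition and build are recorded with each row: Cyber Essentials
            # scoping treats e.g. Windows 10 Pro 19044 and 19045 as different versions.
            $os = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
            Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    OSEdition       = $os.ProductName
                    OSBuild         = $os.CurrentBuild
                    Member          = $_.Name             # e.g. DOMAIN\user or HOST\Administrator
                    ObjectClass     = $_.ObjectClass      # User or Group
                    PrincipalSource = [string]$_.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
                }
            }
        }
    }
    catch {
        # Keep unreachable hosts in the record rather than silently dropping them:
        # a device you cannot audit is itself a finding.
        [pscustomobject]@{
            Computer        = $Computer
            OSEdition       = $null
            OSBuild         = $null
            Member          = "UNREACHABLE: $($_.Exception.Message)"
            ObjectClass     = $null
            PrincipalSource = $null
        }
    }
}

# Dated CSV is the evidence you can point an assessor at.
$OutFile = ".\local-admins-$(Get-Date -Format 'yyyyMMdd').csv"
$Report | Select-Object Computer, OSEdition, OSBuild, Member, ObjectClass, PrincipalSource,
    @{ Name = 'Collected'; Expression = { $Collected } } |
    Export-Csv -Path $OutFile -NoTypeInformation

# Constructed approved list: the built-in local Administrator and the domain admins group.
# Anything else in the Administrators group needs an owner and a justification.
$Approved = @('Administrator', 'Domain Admins')

$Unexpected = $Report | Where-Object {
    $_.ObjectClass -and (($_.Member -split '\\')[-1] -notin $Approved)
}

Write-Host "Wrote $($Report.Count) rows to $OutFile"
Write-Host "Members outside the approved list:"
$Unexpected | Format-Table Computer, Member, ObjectClass, PrincipalSource -AutoSize

# Distinct OS edition/build pairs seen, for the scoping question.
$Report | Where-Object OSBuild | Select-Object OSEdition, OSBuild -Unique |
    Format-Table -AutoSize
```

Run it on a schedule (or at least before each annual recertification) and keep the CSVs; the diff between two runs is the simplest way to show an assessor that administrator accounts are reviewed and that rights are removed when people change role or leave.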
How Do I Complete Cyber Essentials?
We have a few options to suit your needs and these give you a bespoke online portal for you to complete the questions and add notes to confirm compliance.
You complete each answer and then an assessor will check to see if your answer is compliant. Depending on the service you have subscribed to, the assessor could then offer granular feedback on what you need to do to pass or, in the case of the DIY (portal only) service, will outline the non-compliance.
How Long Does Cyber Essentials Take?
The short answer is how long is a piece of string! The time it takes is dependent on how well you know your systems and how much time you have to complete the answers. For some customers we have completed certifications within a couple of hours and others have taken a few months. It is all about you and the level of effort and resource you can apply. You do however have to complete the certification within 6 months.
I'm on a budget, which is the best service to take?
Although lower priced, the DIY marking-only service comes with the risk of failing your assessment. Feedback is also minimal, as this is a marking-only service, and if you fail you will need to pay to take the assessment again. If you choose one of the supported services you will get multiple retries and feedback on any non-compliances to outline what you need to do in order to pass.
What happens if I fail?
If you complete the basic DIY (portal only) self-certification and fail, you are allowed two working days to examine the feedback from the assessor and change any simple issues with your network and policies.
You can then provide the updated answers to the assessor who will review. If you still fail the certification after these two days, you will have to reapply and pay the assessment fee again.
How do I ensure that I pass Cyber Essentials?
For customers on our supported options, we will pre-assess your answers before final submission so we can ensure everything is in order and you don’t have to pay any additional fees. This also helps to ensure you can pass Cyber Essentials on your first attempt. Click here for a full breakdown of how this works.
I'm recertifying. Will I need to answer all of the questions again?
Yes, IASME designs the questionnaire that way to ensure that your answers are always current. For clients with a supported service we can supply a copy of your previous answers should you require them, which will allow you to see what you entered last year. Some of the questions might have changed slightly, or IASME may have added or removed questions, so we recommend you have a look through before submitting just to make sure your answers from last year still make sense and apply to your organisation.
Do I need to complete in a set time period?
Yes, this varies depending on your assessment. All Cyber Essentials certificates should be completed within 6 months. After 6 months the IASME certification portal will automatically archive your question set. The other limits are for Cyber Essentials Plus and Cyber Assurance, which must be completed within three months of the Cyber Essentials certificate date. For example, if you are taking Cyber Essentials Plus or Cyber Assurance, we're unable to issue you a pass certificate any later than three months after the Cyber Essentials certificate date. This rule applies to all certification bodies. This is especially important for Cyber Essentials Plus, which can take time to arrange testing of multiple devices. If the three-month time limit is exceeded, then we need to start again on your Cyber Essentials certificate, which will involve additional time and cost.
What's the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a security standard outlined by the UK Government which defines a set list of requirements that your organisation will either meet or not meet. Cyber Essentials and Cyber Essentials Plus are based on the same list of requirements and, therefore, are the same standard. The difference is how it is assessed.
Cyber Essentials Plus is an extension of Cyber Essentials. You cannot become Cyber Essentials Plus certified without first being Cyber Essentials certified. Assessment is based on your answers to Cyber Essentials and is usually carried out on your premises by logging into one or more of your devices. Your anti-malware practices are tested by sending e-mails and navigating to URLs containing different types of files, and then monitoring how those files can be accessed by different users. Furthermore, vulnerability scanning is performed on a sample of devices and on the entry points to your systems (firewalls). One of our certification bodies will remote into your office and perform a test that is in line with the Cyber Essentials requirements. This involves installing agents onto a selection of your devices. Cyber Essentials Plus must be certified within three months of your Cyber Essentials certification. Every certification body will have the same test process and time frame, since this is imposed by the governing body, IASME; however, the costs may vary.
How do you price Cyber Essentials Plus?
We believe in offering the best value to our clients. We offer a tiered fixed-price system for our Cyber Essentials Plus which is based on the number of devices included in scope. This includes all devices (phones, PCs, laptops, routers, servers, etc.) and assumes that your system is a standard network consisting of:
Less than 15 cloud based services
You have less than 10 branches/sites
You do not run a web farm or hosting service
You do not have more than 5 servers on premise or in cloud
You have no more than 5 different desktop Operating System versions in use on in-scope devices (i.e. Windows 10 Pro 19044, Windows 10 Pro 19045 and Windows 10 Home 19044 are all different versions).
If you fall outside the scope of a standard network then we prepare a bespoke quote specifically designed around your organisation's requirements. This offers the best value and is why our clients return year after year.
Our Cyber Essentials PLUS quotations are based on the amount of time it will take an assessor to test your systems.
This is quoted on an individual basis and can vary depending on factors such as:
Complexity of network
Number of employees
Number & configuration of workstations and servers
Number of sites
Who will perform my Cyber Essentials Plus assessment?
We're Cyber Essentials specialists, so we use a pool of several Cyber Essentials Plus consultants and organisations whom we bring in to perform the Cyber Essentials Plus certifications. If you are taking your Cyber Essentials certificate with us, we'll hand over to the Cyber Essentials Plus team at the point that we issue your Cyber Essentials certificate and report. If you already have Cyber Essentials and are using us for Cyber Essentials Plus only, you'll be contacted by your Cyber Essentials Plus assessor after we receive your Cyber Essentials report and certificate. Please send this to firstname.lastname@example.org.
If we have ISO 27001 certification, do we still need Cyber Essentials?
This depends on your situation. If a client has requested that your organisation be Cyber Essentials certified, an ISO 27001 certification will not satisfy this request. ISO 27001 is a more comprehensive certification, whereas Cyber Essentials ensures that the core elements of your security are up to National Cyber Security Centre (NCSC) standards. So, in short, certification in ISO 27001 does not guarantee compliance with Cyber Essentials.
What's the difference in Certification Bodies and IASME?
IASME is the governing body appointed by the National Cyber Security Centre (NCSC) to oversee the UK Government's Cyber Essentials Scheme. The Certification Bodies are companies licensed by IASME to perform the assessments. It's a great setup and means that you get to choose to work with any of the many certification bodies to achieve the IASME Cyber Essentials certification. It's important to choose a certification body who are a good fit for your organisation and who provide a service to suit your needs. Our bespoke supported certification portal offers line-by-line help and guidance, multiple-choice answers and functionality to save your answers from previous years. If you have multiple companies you can see them all under a single login, or if you prefer, our highly trained security assessors will work with you to complete the answers (under your direction) on your behalf. We can work during office hours or evenings to suit, and have been known to certify a client in just a few hours from start to finish. Our service works so well that we haven't had a single client who hasn't passed on one of our supported packages.
How long does certification last?
Your Cyber Essentials certification lasts for 12 months at which point you will need to reapply for certification.
I need a VAT invoice. Can you send one over?
No problem, please click here to contact our accounts department who will send you over an invoice.
Upgrades and Refunds
We're unable to upgrade after marking commences so if you'd like to upgrade from the portal only DIY service to supported please do so before starting the assesment. Upgrades incur a one off £50 administration fee in addition to the differential between the monies recieved (minus any credit card processing fee's) and the price of the package upgraded to. We want all clients to be happy so in the unlikely event that you request a refund please bear the following in mind. Refunds are subject to circumstance and approval and are issued minus the portal costs incurred from IASME (who provide the portal) and labour spent on the assesment charged at £110/st hour then £90 per hour. Minimum time period is 1 hour for assesment and administration work. Refunds cannot be given after a pass/fail has been issued. Advice and consultancy is charged at £1400/day and £800/half day. Any refunds offered which includes any consultancy work or work outside of marking an assesment is minus the consultancy day or half day rate. Minimum time period half day. This can include email help and advice and/or telephone communications as well as onsite work.