What is the Cyber Essentials scheme?
The Cyber Essentials scheme aims to help organisations implement basic levels of protection against cyber attack, demonstrating to their customers that they take cyber security seriously. The two certification options give organisations a choice over the level of assurance they wish to gain and the cost of doing so.
The five key controls
The two levels of certification
There are two levels of Cyber Essentials certification available to your organisation: Cyber Essentials and Cyber Essentials Plus.
The Cyber Essentials certification process includes a self-assessment questionnaire (SAQ) and an external vulnerability scan that independently verifies your security status.
Cyber Essentials is right for you if you meet all the criteria below:
- You’re looking for base-level security certification to demonstrate that you have key controls in place.
- Your employees are primarily office-based and their IT equipment is under your administration and typically does not leave your premises.
- You have physical and technical controls for restricting access for third parties, such as clients and suppliers visiting your offices.
Cyber Essentials Plus
Cyber Essentials Plus certification includes all the assessments required for Cyber Essentials and adds an internal vulnerability scan and an on-site assessment.
Cyber Essentials Plus is right for you if you meet any of the criteria below:
- A client has specifically requested you achieve Cyber Essentials Plus.
- Your employees work from remote locations, such as home or client sites, and your IT equipment is often outside of your premises.
- Your business has multiple third parties with access to your premises or IT as visitors, partners or in a shared office environment.
The benefits of achieving Cyber Essentials certification
The Cyber Essentials scheme provides five security controls that, according to the UK government, could prevent “around 80% of cyber attacks”.
Whether or not you achieve certification to the Cyber Essentials scheme, these controls provide the basic level of protection that you need to implement in your organisation to protect it from the vast majority of cyber attacks, allowing you to focus on your core business objectives.
Properly implemented cyber security has the additional advantage of driving business efficiency throughout the organisation, saving money and improving productivity.
Achieving certification will also help you to address other compliance requirements such as the EU General Data Protection Regulation.
Protect your organisation from approximately 80% of cyber attacks
Implementing the five controls correctly will help protect your organisation.
Drive business efficiency
Focus on your core business objectives knowing that you are protected from the majority of cyber attacks.
Demonstrate security and help secure the supply chain
Demonstrate your commitment to protecting your own data and that of your customers and suppliers.
Work with the UK government and the MOD
Cyber Essentials will permit you to work with the UK government, and Cyber Essentials Plus will give you the opportunity to work with the MOD.
Increase your chances of securing business
Boost your reputation and have a greater chance of winning contracts.
Reduce cyber insurance premiums
Cyber insurance agencies often look more favourably on organisations that have achieved Cyber Essentials certification.
Background of the Cyber Essentials scheme
In 2012 the UK government launched its ‘10 Steps to Cyber Security’ and then in 2013 published ‘Small businesses: What you need to know about cyber security’, which encouraged organisations to consider whether they were managing their cyber risks. The government emphasised the need for company boards and senior executives to take ownership of these risks and enshrine them within their overall corporate risk management regime.
These initiatives continued to gain traction. However, government analysis of continuing attacks and feedback from industry vulnerability testers identified that a number of security controls were not being applied, leaving organisations vulnerable to threat actors with low levels of technical capability.
The government viewed the adoption of an organisational standard for cyber security as the next stage after the ‘10 Steps to Cyber Security’ guidance. This was in order to allow organisations, and their customers and partners, to have greater confidence in their ability to reduce the risk posed by threat actors with low technical capability.
Following the call for evidence on a preferred organisational standard in cyber security by the government and industry, the Cyber Essentials scheme was formalised in November 2013.
Since 1 October 2014, Cyber Essentials has been a minimum requirement for bidding for some government contracts.
As an IASME Gold Certified company, we are here to help small companies get through this process.
There are numerous standards associated with the governance and risk management of cyber security, but the government found that many common cyber attacks were succeeding because simple technical controls were not being managed. This occurred even in companies with governance standards in place. For this reason, the government is keen that all companies, including those that already hold standards such as ISO 27001, gain Cyber Essentials certification.
You can read more about Cyber Essentials and download the requirements from the NCSC website. Organisations that undertake certification are encouraged to re-certify at least once a year and, where appropriate, progress their security.
Speak to an expert
Please contact our team for advice and guidance on our products and services