The Cyber Essentials (CE) scheme is a simple, yet effective Government-backed framework that will help protect your organisation against a range of the most common Internet-based cyber attacks. It provides a cyber security certification scheme that was developed as a part of the UK Government’s National Cyber Security Strategy. The Cyber Essentials scheme specifies 5 basic control areas (access control, secure configuration, software updates, malware protection, and firewalls and routers) that all organisations should address in order to mitigate the risk from common cyber threats and demonstrate a clear commitment to improving their approach to cyber security. The scheme offers two levels of certification, namely ‘Cyber Essentials’ and ‘Cyber Essentials Plus’.
The scheme is administered and managed by IASME Consortium (IASME) on behalf of the National Cyber Security Centre (NCSC), a part of GCHQ. URM is an accredited certification body, which means we have been trained and licensed to certify against the Government’s Cyber Essentials Scheme, and we are also available to offer consulting services to help you achieve these certifications.
URM’s Cyber Essentials assessment and support services
Cyber Essentials assessment
In order to achieve Cyber Essentials, your organisation will need to complete a self-assessment questionnaire (SAQ) and a board member will also need to provide a signed declaration. Once you have completed your SAQ, this will be reviewed by one of URM’s qualified assessors to ensure your organisation is conforming with all the requirements associated with the 5 control areas. Once you have submitted your completed questionnaire through the Cyber Essentials portal, you will be notified within 48 hours whether you have passed or not and, if successful, will receive your Cyber Essentials certificate. This certificate is valid for 1 year.
Cyber Essentials support services
If your organisation has a simple structure and the person completing the SAQ has a strong technical IT background, you should find the Cyber Essentials application process relatively straightforward. However, some of the questions can be difficult to understand if you do not have a technical IT background or if you have a complex company structure. Some organisations need support in understanding the intent of some questions, what the controls mean to them and how to address them. With this in mind, URM can offer a range of support services.
If your organisation is at the very early stages of exploring Cyber Essentials certification and you want to learn what requirements need to be met across the 5 core areas and, more importantly, whether your existing controls meet those requirements, URM’s half-day Gap Analysis is ideally suited to you. The assessor will walk and talk you through each question that comprises the assessment to clarify the level of expected security and whether your current controls/policies meet the requirements, and will provide options on how to remediate any non-compliant areas. Following the gap analysis, URM’s assessor will document the outstanding actions in a summary email which can then be used to develop a project action plan to fill the gaps.
Cyber Essentials Application Review Service
For those organisations which have decided on the scope of their certification, but are looking for reassurance or more detailed interpretation of questions, URM can support you through the process with its Cyber Essentials Application Review Service. This service is also popular with organisations that are already certified and are seeking clarification about changes to the SAQ. With this service, you have 2 options. With the first, URM’s assessor (via a remote session) can walk you through each question explaining its intent so you know how to respond, and you can then complete and submit the questionnaire yourself.
Alternatively, you can complete the questionnaire yourself and then get the application checked with URM before you submit it. One of URM’s assessors (via a remote session) will walk through each of your question responses and ensure you have interpreted the question correctly and have provided an accurate and appropriate response which will meet the requirements of the scheme.
Whichever option you choose, you will have the reassurance and peace of mind that you have completed the questionnaire accurately and the service will help to reduce the ‘toing and froing’ time involved in correcting a previous submission.
Cyber Essentials Plus Assessment
If you are looking to provide stakeholders with greater levels of assurance, you may decide to seek Cyber Essentials Plus certification. This involves a URM assessor conducting a technical audit of the systems that are in scope of the assessment. It includes a review of a sample set of user devices, all Internet gateways and all servers accessible to Internet users. You will need to complete your Cyber Essentials Plus audit within 3 months of your last Cyber Essentials basic certification. Just click on this link to register your interest and you will be contacted by URM to discuss your systems and devices in scope and other requirements, following which you will receive a quotation. The cost of a Cyber Essentials Plus assessment will depend on the size and complexity of your network.
Stages of assessment
Your Cyber Essentials Plus assessment comprises 2 basic stages. The first is an external vulnerability scan of your Internet-facing IP addresses to ensure that no misconfigurations or vulnerabilities can be identified.
The second stage involves testing of a sample (typically around 10% with a maximum of 5 samples per operating system edition) of end-user devices (workstations and mobile devices including BYOD) to assess if they are configured as per the requirements of the scheme. A vulnerability scan is performed on these devices to confirm that patching and basic configuration are at an acceptable level. A test is also conducted on your default email/Internet browsers to confirm how well they are configured in order to prevent execution of unsigned or malicious files. Screenshots will be taken as evidence that the system is Cyber Essentials Plus compliant.
Once the assessment has been conducted, URM’s assessor will discuss the findings with you ahead of submitting their report to the portal. This is to ensure there has been no misunderstanding and also to provide you with the opportunity to address any easily remedied nonconformances.
URM has been providing certification to the Cyber Essentials scheme for a number of years and has a large team of experienced, pragmatic assessors who are here to support you and guide you through the process.
Not only do we bring a wealth of cyber security knowledge, but also a wide and varied experience of all the leading cyber and information security standards.
As such, you can be assured that you are getting advice that is right for you and your organisation, taking into account your sector, size and the information you are looking to protect. Our large team of assessors also enables us to guarantee a super-fast turnaround.