The Cyber Essentials (CE) scheme is a simple, yet effective Government backed framework that will help protect your organisation against a range of the most common Internet-based cyber attacks.  It provides a cyber security certification scheme that was developed as a part of the UK Government’s National Cyber Security Strategy.  The Cyber Essentials security scheme specifies (5) basic control areas (access control, secure configuration, software updates, malware protection and firewall and routers) that all organisations should address in order to mitigate the risk from common cyber threats and demonstrate a clear commitment to improving their approach to cyber security. The scheme offers two levels of certification, namely ‘Cyber Essentials’ and ‘Cyber Essentials Plus’.

The scheme is administered and managed by IASME Consortium (IASME) on behalf of the National Cyber Security Centre (NCSC), a part of GCHQ.  URM is an accredited certification body which means we have been trained and licensed to certify against the Government’s and IASME Cyber Essentials Scheme and we are also available to offer consulting services to help you achieve these certifications.

URM’s Cyber Essentials assessment and support services

Cyber Essentials assessment

In order to achieve Cyber Essentials, your organisation will need to complete a self-assessment questionnaire (SAQ) and a board member will also need to provide a signed declaration.  Your completed  SAQ will be reviewed by one of URM’s qualified assessors to ensure your organisation is conforming with all the requirements associated with the 5 control areas.  Once you have submitted your completed SAQ through the Cyber Essentials portal, you will be notified within 48 hours whether you have passed or not and, if successful, will receive your Cyber Essentials certificate.  This certificate is valid for 1 year.  To start your Cyber Essentials certification process and access the SAQ, click on the button below.

‍

Cyber Essentials support services

If your organisation has a simple structure and the person completing the SAQ has a strong technical IT background, you should find the Cyber Essentials application process relatively straightforward.  However, some of the questions can be difficult to understand if you do not have a technical IT background or if you have a complex company structure.  Some organisations need support in understanding the intent of some questions, what the controls mean to them and how to address them.  With this in mind, URM can offer a range of support services.

Gap Analysis

If your organisation is at the very early stages of exploring Cyber Essentials certification and you want to learn what requirements need to be met across the 5 core areas and, more importantly, whether your existing controls meet those requirements, URM’s half-day Gap Analysis is ideally suited to you.  The assessor will walk and talk you through each question that comprises the assessment to clarify the level of expected security, whether your current controls/policies meet the requirements and provide options on how to remediate any non-compliant areas.  Following the gap analysis, URM’s assessor will document the outstanding actions in a summary email which can then be used to develop a project action plan to fill the gaps.

Cyber Essentials Application Review Service

For those organisations which have decided on the scope of their certification, but are looking for reassurance or more detailed interpretation of questions, URM can support you through the process with its Cyber Essentials Application Review Service. This service is also popular with those organisations already certified and are seeking clarification about changes to the SAQ. With this service, you have 2 options. With the first, URM’s assessor (via a remote session) can walk you through a Cyber Essentials Checklist explaining the intent of different questions so you understand how to respond, and you can then complete and submit the questionnaire yourself.

Alternatively, you can complete the questionnaire yourself and then have the application checked with URM before you submit it.  One of URM’s assessors (via a remote session) will walk through each of your question responses and ensure you have interpreted the question correctly and have provided an accurate and appropriate response which will meet the requirements of the Scheme.

Whichever option you choose, you will have the reassurance and peace of mind that you have completed the questionnaire accurately and the service will help to reduce the ‘back and forth’ time involved in correcting a previous submission.

If you are interested in URM’s Review Service, click the button below.

‍

Cyber Essentials Plus Assessment

If you are looking to provide stakeholders with greater levels of assurance, you may decide to seek Cyber Essentials Plus certification.  This involves a URM assessor conducting a technical audit of the systems that are in scope of the assessment.  It includes a review of all Internet gateways and all servers accessible to Internet users, as well as a sample of user devices and internal servers accessible to employees.  You will need to complete your Cyber Essentials Plus audit within 3 months of your last Cyber Essentials basic certification.  Just click on this link to register your interest and you will be contacted by URM to discuss your systems and devices in scope and other requirements, following which you will receive a quotation. The cost of a Cyber Essentials Plus assessment will depend on the size and complexity of your network.

‍

‍stages of assessment
‍

Your Cyber Essentials Plus assessment comprises 2 basic stages.  The first is an external vulnerability scan of your Internet-facing IP addresses to ensure that no misconfigurations or vulnerabilities can be identified.

The second stage involves testing of a sample (up to a maximum of 5 samples per operating system edition) of end-user devices (workstations and mobile devices including BYOD) and servers to assess if they are configured as per the requirements of the Scheme.  A vulnerability scan is performed on these devices to confirm that patching and basic configuration is at an acceptable level.  A test is also conducted on your email client and Internet browsers to confirm how well they are configured in order to prevent execution of unsigned or malicious files.

Once the assessment has been conducted, URM’s assessor will discuss the findings with you ahead of submitting their report to the portal to ensure there has been no misunderstanding.

Cyber ESSENTIALS PLUS PRE-ASSESSMENT SERVICE

A Cyber Essentials Plus (CE+) assessment involves a technical assessment by a URM assessor of your organisation’s external infrastructure as well as end-user devices and servers.  There are several issues that can cause a CE+ assessment to result in a ‘fail’ such as a service on the external infrastructure that exposes non-public data, the presence of an unsupported software installed on a server or user workstation, the lack of multi-factor authentication (MFA) to access a cloud service or the use of administrative users as a day-to-day user account.  

If an organisation fails the CE+ assessment, it has up to 30 days* to purchase another CE+ assessment and pass, before it must repeat both the basic CE and the CE+ assessment in order to obtain the CE+  certification.

The Cyber Essentials Plus Pre-Assessment service from URM allows your organisation to perform a technical pre-assessment on a smaller, but still significant set of systems.  This will enable you to identify any issues that may cause a ‘fail’ for the CE+ certification, without triggering the 30 days’ time limit and, typically, at a lower cost than a full assessment.  Following the pre-assessment, you will receive recommendations to close any gaps with the CE+ requirements, significantly increasing the chances to successfully obtain the CE+ certification.  URM is so confident of the value of the pre-assessment service that, if for any reason you don’t pass the official CE+ assessment at the first attempt, we will provide you with a free re-attempt to get certified!
‍

_{* It may be less if the 30 days go beyond the 3 months period that an organisation has to pass the CE+ certification after obtaining the basic CE certification.}

‍

Why URM?

URM has been providing certification to the Cyber Essentials scheme for a number of years and has a large team of experienced, pragmatic assessors who are here to support you and guide you through the process.

Not only do we bring a wealth of cyber security knowledge, but also a wide and varied experience of all the leading cyber and information security standards.

As such, you can be assured that you are getting advice that is right for you and your organisation, taking into account your sector, size and the information you are looking to protect. Our large team of assessors also enables us to guarantee a super-fast turnaround.

‍