Cyber Essentials is a Government-backed scheme aimed at helping organisations protect themselves against common Internet-based cyber attacks. Certification to Cyber Essentials provides reassurance to stakeholders that your security controls will protect against the vast majority of common cyber attacks, and will act as a significant deterrent to cyber criminals. The scheme was developed by the National Cyber Security Centre (NCSC), a part of GCHQ, and is administered and managed by the IASME Consortium (IASME) on the NCSC’s behalf.
The Cyber Essentials (CE) scheme was developed as a part of the UK Government’s National Cyber Security Strategy. It aims to protect your organisation against a range of the most common Internet-based cyber attacks in 5 basic control areas:
By achieving Cyber Essentials certification, your organisation is effectively protecting itself against approximately 80% of the most common cyber attacks. The scheme’s focus on 5 fundamental security control areas also provides clarity on what measures organisations should have in place to safeguard themselves against common cyber threats.
Compliance with and certification to the Cyber Essentials scheme provides reassurance to your clients that you take cyber security seriously and have implemented a strong set of relevant controls and measures. It will also help you attract new business opportunities, and will allow you to satisfy those public sector and government controls that require Cyber Essentials to be in place.
URM is an accredited Assured Service Provider under the NCSC Cyber Advisor scheme. We are able to provide you with practical, cost effective and reliable advice to improve your cyber security and achieve ‘Cyber Essentials’ and ‘Cyber Essentials Plus’ certifications.
The Cyber Essentials scheme offers two levels of certification, namely ‘Cyber Essentials’ and ‘Cyber Essentials Plus’.
Cyber Essentials is the foundation level certification within the Cyber Essentials scheme. The process involved in achieving Cyber Essentials Certification is simple and involves your organisation completing an online self-assessment questionnaire (SAQ).
In the SAQ, you will need to answer a number of questions to assess your organisation against 5 basic security controls. A qualified assessor will verify the information provided. There are no checks on your IT systems at this level, as such the assessment questionnaire can be accessed and answered quickly and easily.
Cyber Essentials Plus is the higher-level qualification of the Cyber Essentials scheme. In order to achieve Cyber Essentials Plus, you must already be certified to Cyber Essentials, and the requirements for both certification levels are the same. Gaining the extra qualification will involve a technical expert conducting an on-site or remote audit on your IT systems. The auditor will look to verify whether you have implemented the technical controls and that these are operating as intended. If they find that this is the case, you will be awarded Cyber Essentials Plus certification.
While Cyber Essentials certification is a significant achievement in itself, the more extensive verification involved in achieving Cyber Essentials Plus provides an extra layer of assurance to both your organsiation and external stakeholders that the security controls have been properly implemented and are functioning effectively.
There are a number of requirements for achieving Cyber Essentials certification, a full breakdown of which can be found on the NCSC website. The following Cyber Essentials checklist outlines some of the key measures you will need to ensure you have in place:
Ensure all your operating systems are still being supported by the manufacturer (including mobile phones, servers, tablets etc.)
Apply all operating systems’ security patches within the 14-day time period.
If you are using the Office suite, it must be on a supported version with all the security patches applied.
Ensure the anti-malware agent is up to date and functional.
Update the web browser to the latest version, or at least apply the latest version with a patch for a high-risk or critical vulnerability.
Disable auto-run and ensure you have a process for new starters and leavers and providing role-based access control.
Disable macros or ensure you are protected from malicious Office documents.
Ensure all default passwords are changed on the firewall, on the systems and ensure they are changed to a secure password.
Ensure all unnecessary applications are removed. This can either be achieved with a ‘gold image’ or manual removal of relevant software.
Ensure all the software you are running is supported and up to date.
In order to achieve Cyber Essentials certification, you will need to complete a self-assessment questionnaire. Certification bodies, such as URM, can provide you with access to a portal where you are required to answer a number of questions about your IT infrastructure. A board member will also need to provide a signed declaration that all answers provided in the SAQ are accurate.
Following submission, the SAQ will be reviewed by your chosen certification body. A number of certification bodies quote that it can take up to 3 working days from the time you submit your assessment to find out whether you have passed. However, URM strives to assess all applications within 24 hours of it being submitted and if you have a very tight deadline, there is an option for your assessment to be fast-tracked.
If you would then like to then work towards Cyber Essentials Plus, you will need to apply for this within 3 months of having achieved Cyber Essentials. If you apply after more than 3 months, you will need to repeat the Cyber Essentials self-assessment questionnaire stage.
There are 4 stages involved in achieving Cyber Essentials Plus certification. Your assessor will test a random but representative sample of user devices, all Internet gateways and all servers with services accessible to unauthenticated Internet users in line with the test specification, and then decide whether further testing is required.
The first stage involves an external vulnerability scan which is conducted remotely and aims to detect any potential vulnerabilities present on external-facing devices (firewalls, routers, servers etc.). The second stage, which can also be carried out remotely, is the internal vulnerability scan. Here, a vulnerability scanner is connected to the internal network and searches for potential vulnerabilities in the system on sampled devices.
In the third stage, the assessor sends an email to your organisation containing malicious signatures (as well as 2 emails preceding this to confirm your organisation can receive attachments) that should be picked up by anti-malware software. The fourth and final stage is a ‘Malware delivered over web’ test. Here, the tester will use a link to open a page with multiple links and attempt to download malicious files, macros and run remote scripts.
These attempts should get blocked either by the operating system or the anti-malware software.
If the audit reveals no gaps, you will be awarded the Cyber Essentials Plus certification. If gaps are identified, you will have 15 days to fix them and go through the assessment again.
As an accredited certification body, URM has extensive experience both supporting and facilitating successful Cyber Essentials and Cyber Essentials Plus certifications, for organisations of all sizes and from a wide range of industries. We are also an Assured Service Provider under the NCSC Cyber Advisor scheme, enabling us to provide Cyber Essentials advice and guidance that you can be assured is aligned with the NCSC’s high standards. Our large team of Cyber Essentials experts can offer you a range of services to help ensure your Cyber Essentials and Cyber Essentials Plus assessments are as smooth and straightforward as possible, and that your application is successful.
Our Cyber Essentials gap analysis is perfect if your organisation is new to exploring the Cyber Essentials certification. Our Cyber Advisors will walk and talk you through the assessment, clarifying requirements and evaluating your current controls. You'll receive a detailed report outlining any necessary actions to achieve compliance, helping you create a targeted action plan to address any gaps in your controls.
If you are looking for reassurance that your application for Cyber Essentials certification is complete and ready to go, URM’s expert team is here for you. We can deliver a detailed review and an interpretation of your application, whether you're seeking clarification or adjusting to SAQ changes, our assessors ensure accuracy and compliance.
Our assessors will perform an offline review of your answers to identify any answers that are missing, incomplete or that may have been misunderstood and that, as a consequence, does not fully satisfy the Cyber Essentials requirements. Following the offline review, the URM assessor will (via a remote session) walk you through each of the identified non-compliant responses and ensure you have interpreted the question correctly and have provided an accurate and appropriate response which will meet the requirements of the Scheme.
URM is an accredited Assured Service Provider under the NCSC Cyber Advisor scheme. We are able to provide you with practical, cost effective and reliable advice to improve your cyber security and achieve ‘Cyber Essentials’ and ‘Cyber Essentials Plus’ certifications.
Speak to one of our experts for more information on how we can help you certify. Simply call 0118 206 5410
URM has gained a reputation as the preeminent UK provider of live webinars, aimed at delivering valuable and practical insights to organisations looking to improve their information security, risk management, data protection etc. The webinars are delivered by our senior consultants who share hints and tips on topics such as certifying to ISO 27001 and Cyber Essentials, complying with the GDPR. All of our webinars are completely free to attend, and include an opportunity to ask questions at the end.
In this webinar, our consultants guide you through all the key changes to Cyber Essentials Scheme which came into force on 24 April 2023.
In this interactive webinar, URM will be providing its partners with insights and guidance on the latest Cyber Essentials (CE) Montpellier question set.
In this webinar, our consultants will guide you through all the key changes to Cyber Essentials Scheme which come into force on 24 April 2023.
Once you have applied, you will have 6 months to complete your assessment before your account is archived. Unfortunately, a refund cannot be issued, so it is best not to apply until you think you are ready for your assessment.
The scope of the Cyber Essentials Plus must be the same as the Cyber Essentials scope. It is up to you how you want to segregate your infrastructure and which divisions you would like to exclude. The excluded or included parts of the infrastructure must be segregated by some means, e.g. a firewall or a physical boundary.
As of 24 January 2022, a tiered pricing structure was introduced by the National Cyber Security Centre (NCSC) and their scheme delivery partner, the IASME Consortium, to reflect the additional time involved in assessing the larger, more complex organisations. The full pricing from 1 April 2024:
Cyber Essentials and Cyber Essentials Plus certificates expire after 12 months and will need to be renewed. If you don’t renew, your organisation will be removed from the NCSC’s ‘certified organisations’ list.
URM’s blog offers advice on answering questions in the Cyber Essentials SAQ which relate to access control, admin accounts and authentication methods.
URM’s blog discusses the best next steps your organisation can take following Cyber Essentials certification to further enhance its security posture.
URM’s blog discusses common issues we see with Cyber Essentials and Cyber Essentials Plus certification projects, and how you can avoid making the same mistakes
URM’s blog answers key technical questions about Cyber Essentials and Cyber Essentials Plus, what’s in scope, CE compliant use of BYOD, and more.
