Cyber Essentials Certification
The Cyber Essentials (CE) scheme is a simple yet effective Government-backed framework that helps protect your organisation against a range of the most common Internet-based cyber attacks. It provides a cyber security certification scheme that was developed as part of the UK Government’s National Cyber Security Strategy. The Cyber Essentials scheme specifies five basic control areas (firewalls, secure configuration, security update management, user access control, and malware protection) that all organisations should address in order to mitigate the risk from common cyber threats and demonstrate a clear commitment to improving their approach to cyber security. The scheme offers two levels of certification, namely ‘Cyber Essentials’ and ‘Cyber Essentials Plus’.
The scheme is administered and managed by the IASME Consortium (IASME) on behalf of the National Cyber Security Centre (NCSC), a part of GCHQ. URM is an accredited certification body, which means we have been trained and licensed by IASME to certify organisations against the Government’s Cyber Essentials scheme. URM is also an accredited Assured Service Provider under the NCSC Cyber Advisor scheme, meaning that our team of Cyber Advisors (Cyber Essentials) can provide you with practical, cost-effective and reliable advice to improve your cyber security and achieve ‘Cyber Essentials’ and ‘Cyber Essentials Plus’ certification.
URM’s Cyber Essentials assessment and support services
Cyber Essentials assessment
In order to achieve Cyber Essentials, your organisation will need to complete a self-assessment questionnaire (SAQ), and a board member will also need to provide a signed declaration. Your completed SAQ will be reviewed by one of URM’s qualified assessors to ensure your organisation conforms to all the requirements associated with the five control areas. Once you have submitted your completed SAQ through the Cyber Essentials portal, you will be notified within 48 hours whether you have passed or not and, if successful, will receive your Cyber Essentials certificate. This certificate is valid for 1 year.
Cyber Essentials support services
If your organisation has a simple structure and the person completing the SAQ has a strong technical IT background, you should find the Cyber Essentials application process relatively straightforward. However, some of the questions can be difficult to understand if you do not have a technical IT background or if you have a complex company structure. Some organisations need support in understanding the intent of some questions, what the controls mean to them and how to address them. With this in mind, URM offers a range of support services and is accredited as an Assured Service Provider under the Cyber Advisor scheme. The Cyber Advisor scheme is an initiative from the National Cyber Security Centre (NCSC), delivered in partnership with IASME, which provides small and medium-sized organisations with practical, cost-effective and valuable support and advice on cyber security. These support services are also suitable for small organisations with limited IT knowledge or technical support which do not need to obtain Cyber Essentials certification but would like to reach an equivalent level of security.
URM is also an Assured Service Provider under the National Cyber Security Centre (NCSC) Cyber Incident Exercising (CIE) scheme, which is administered by IASME. Cyber incident exercising is vital to your organisation’s preparedness, as it simulates real-world cyber threats and allows you to assess, practise and improve your response capabilities. As an Assured Service Provider, URM is ideally placed to assist you in creating and facilitating bespoke, structured tabletop and live-play cyber incident exercises.
If your organisation is at the very early stages of exploring Cyber Essentials certification and you want to learn what requirements need to be met across the five control areas and, more importantly, whether your existing controls meet those requirements, URM’s Gap Analysis is ideally suited to you. As an Assured Service Provider, one of URM’s Cyber Advisors (Cyber Essentials) will talk you through each question in the assessment to clarify the level of cyber security expected, whether your current controls and policies meet the requirements, and what options you have to remediate any non-compliant areas. Following the gap analysis, URM’s Cyber Advisor (Cyber Essentials) will provide you with a formal report documenting the outstanding actions, which can then be used to develop a project action plan to address any gaps.
Cyber Essentials Application Review Service
For those organisations which have decided on the scope of their certification but are looking for reassurance or a more detailed interpretation of the questions, URM can support you through the process with its Cyber Essentials Application Review Service. This service is also popular with organisations that are already certified and are seeking clarification about changes to the SAQ. With this service, you have 2 options. With the first, URM’s assessor (via a remote session) walks you through a Cyber Essentials checklist, explaining the intent of the different questions so that you understand how to respond; you then complete and submit the questionnaire yourself.
Alternatively, you can complete the questionnaire yourself and then have the application checked by URM before you submit it. One of URM’s assessors (via a remote session) will walk through each of your responses and ensure you have interpreted the question correctly and have provided an accurate and appropriate response that will meet the requirements of the scheme.
Whichever option you choose, you will have the reassurance that you have completed the questionnaire accurately, and the service helps to reduce the ‘back and forth’ time involved in correcting a previous submission.
Cyber Essentials Plus Assessment
If you are looking to provide stakeholders with greater levels of assurance, you may decide to seek Cyber Essentials Plus certification. This involves a URM assessor conducting a technical audit of the systems that are in scope of the assessment. It includes a review of all Internet gateways and all servers accessible to Internet users, as well as a sample of user devices and internal servers accessible to employees. You will need to complete your Cyber Essentials Plus audit within 3 months of your last Cyber Essentials basic certification. Once you have registered your interest, URM will contact you to discuss the systems and devices in scope and any other requirements, following which you will receive a quotation. The cost of a Cyber Essentials Plus assessment depends on the size and complexity of your network.
Stages of assessment
Your Cyber Essentials Plus assessment comprises 2 basic stages. The first is an external vulnerability scan of your Internet-facing IP addresses to confirm that no misconfigurations or vulnerabilities can be identified.
The second stage involves testing a sample (up to a maximum of 5 samples per operating system edition) of end-user devices (workstations and mobile devices, including BYOD) and servers to assess whether they are configured as required by the scheme. A vulnerability scan is performed on these devices to confirm that patching and basic configuration are at an acceptable level. A test is also conducted on your email client and Internet browsers to confirm how well they are configured to prevent the execution of unsigned or malicious files.
Once the assessment has been conducted, URM’s assessor will discuss the findings with you before submitting their report to the portal, to ensure there has been no misunderstanding.
Cyber Essentials Plus Pre-Assessment Service
A Cyber Essentials Plus (CE+) assessment involves a technical assessment by a URM assessor of your organisation’s external infrastructure as well as its end-user devices and servers. Several issues can cause a CE+ assessment to result in a ‘fail’, such as a service on the external infrastructure that exposes non-public data, unsupported software installed on a server or user workstation, the lack of multi-factor authentication (MFA) for access to a cloud service, or the use of an administrative account as a day-to-day user account.
If an organisation fails the CE+ assessment, it has up to 30 days* to purchase another CE+ assessment and pass it, after which it must repeat both the basic CE and the CE+ assessment in order to obtain CE+ certification.
The Cyber Essentials Plus Pre-Assessment service from URM allows your organisation to perform a technical pre-assessment on a smaller, but still significant, set of systems. This enables you to identify any issues that may cause a ‘fail’ for CE+ certification without triggering the 30-day time limit and, typically, at a lower cost than a full assessment. Following the pre-assessment, you will receive recommendations to close any gaps against the CE+ requirements, significantly increasing your chances of successfully obtaining CE+ certification. URM is so confident of the value of the pre-assessment service that, if for any reason you do not pass the official CE+ assessment at the first attempt, we will provide you with a free re-attempt to get certified.
* It may be less if the 30 days extend beyond the 3-month period that an organisation has to pass the CE+ assessment after obtaining basic CE certification.
As an accredited certification body, URM has an unrivalled record in assisting organisations of all sizes to achieve certification to Cyber Essentials and Cyber Essentials Plus. URM is also an accredited Assured Service Provider under the NCSC Cyber Advisor scheme and has a large team of experienced, pragmatic assessors who are here to support you and guide you through the process.
Not only do we bring a wealth of cyber security knowledge, but also wide and varied experience of all the leading cyber and information security standards.
As such, you can be assured that you are getting advice that is right for you and your organisation, taking into account your sector, size and the information you are looking to protect. Our large team of assessors also enables us to guarantee a fast turnaround.