What is Cyber Essentials?

Cyber Essentials is a Government-backed scheme aimed at helping organisations protect themselves against common Internet-based cyber attacks. Certification to Cyber Essentials provides reassurance that your security controls will protect against the vast majority of common cyber attacks, and will act as a significant deterrent to cyber criminals.

The process involved in achieving Cyber Essentials Certification is simple and involves your organisation completing an online self-assessment questionnaire.

You will need to assess your organisation against 5 basic security controls and then get a board member from your organisation to sign a declaration to confirm that all the answers are true.

A qualified assessor will verify the information provided. There are no checks on your IT systems at this level, as such the assessment questionnaire can be accessed and answered quickly and easily.

What is Cyber Essentials Plus?

In order to achieve Cyber Essentials Plus, you must already be certified to Cyber Essentials. Gaining the extra qualification will also involve a technical expert conducting an on-site or remote audit on your IT systems, including a representative set of user devices, all Internet gateways and all servers with services accessible to unauthenticated Internet users.

The assessor will test a random sample of these systems, in line with the test specification, and then decide whether further testing is required. Having achieved Cyber Essentials, you have 3 months to apply for Cyber Essentials Plus.

If it is longer than 3 months, you will need to repeat the Cyber Essentials self-assessment questionnaire stage.

What are the benefits attached to gaining
Cyber Essentials certification?

In the process of achieving a Cyber Essentials certificate, your organisation is effectively protecting itself against approximately 80% of the most common cyber attacks.

This provides reassurance to your clients that you take cyber security seriously and have implemented a strong set of relevant controls and measures.

Cyber Essentials certification will also help you attract new business opportunities and will help you satisfy those public sector and Government contracts that require CE to be in place.

A very practical benefit for organisations certifying to Cyber Essentials is the cyber insurance cover that comes with the certificate.

If your organisation is domiciled in the UK with a turnover under £20m, a certification scope covering the whole of your organisation and you opt-in, you are entitled to Cyber Liability Insurance which gives you £25,000 limit of indemnity (terms apply).

Having achieved certification to Cyber Essentials, you will be listed on a directory of certificate organisations which is operated by IASME, the National Cyber Security Centre’s (NCSC’s) Cyber Essentials Partner, responsible for the delivery of the scheme.

How do you achieve Cyber Essentials certification?

In order to achieve Cyber Essentials certification, you will need to complete a self-assessment questionnaire. Certification bodies, such as URM Consulting, can provide you with access to a portal where you are required to answer a number of questions about your IT infrastructure.

If you have any queries, URM can provide you with advice on what is intended by the different questions. Once you have submitted your completed questionnaire, you will be notified through the portal whether you have passed or not.

A number of certification bodies quote that it can take up to 3 working days from the time you submit your assessment to find out whether you have passed.

However, URM strives to assess all applications within 24 hours of it being submitted and if you have a very tight deadline, there is an option for your assessment to be fast-tracked.

How do you apply for Cyber Essential and Cyber Essentials Plus?

You can apply for the Cyber Essentials and Cyber Essentials Plus assessment on the button below

Apply for Cyber Essentials PLUSApply for Cyber Essentials

What happens if you do not pass?

If you do not pass and gaps are identified, you are provided with 2 working days to address any gaps (e.g. change any simple issues with your network and policies).

You can then update your answers and the assessor will review your responses. You will not be charged for this reassessment, but if this subsequent application is unsuccessful, you will need to make a fresh application and pay for the whole assessment fee.

How much does it cost for a basic Level
Cyber Essentials assessment?

As of 24 January 2022, a tiered pricing structure was introduced by the National Cyber Security Centre (NCSC) and their scheme delivery partner, the IASME Consortium, to reflect the additional time involved in assessing the larger, more complex organisations.  

The full pricing from 1 April 2024:

Company Size* Cyber Essentials Assessment Cost
Micro = 0 – 9 employees £320
Small = 10 – 49 employees £440
Medium = 50 – 249 employees £500
Large = 250 or more employees £600

*adopts the internationally recognised definition for micro, small, medium and large enterprises

How to fill out a Cyber Essentials questionnaire?

Completing the Cyber Essentials questionnaire might seem like a daunting exercise, but the key word to focus on is ‘Essentials’. When you are answering the questions, try to think about your infrastructure as a whole, not just thinking in too much detail about specific devices that you may have in mind. Looking at secure configuration, URM often finds questionnaire respondents just focussing on password protection rather than protection of the whole infrastructure, e.g., servers, end-user devices, mobile phones, Cloud environments and so on.

Most of the questions are phrased in such a way that only a high level response is required, so don’t write ‘War and Peace’ if it’s not needed . It might be a question about admin accounts, your on-boarding process or firewalls and, generally, you should be thinking about just writing one or two paragraphs to provide the assessor with an understanding of what your infrastructure looks like. Some organisations find it useful to have a checklist when they are answering the different questions. For example, if there is a question on password protection, your checklist will be reminding you to bear in mind all the different types of environments and whether the scope is correct.

There can, of course, be exceptions if the organisation that is applying for Cyber Essentials is large with a complex infrastructure and the processes are not as straightforward. In most cases, however, in the Cyber Essentials world less is more. If you have any query, URM has a dedicated Cyber Essentials Team to help you. Just email cyberessentials@urmconsulting.com

Has The Cyber Essentials scheme been updated?

Yes, the Cyber Essentials Scheme was updated on 24 January 2022 to reflect the evolving nature of cyber threats (increasing adoption of cloud services) and our changing working practices, (particularly the trend towards home working and hybrid working).

With these changes, Cyber Essentials is placing greater emphasis on certain security controls, such as the use of multi-factor authentication, password management and the need to apply ‘critical’ or ‘high-risk’ software update fixes within 14 days of release.

URM has written a blog on all of the changes that were made to the scheme and addresses questions such as:

  • What Were The Key Changes?
  • What Changes Will I See When Completing The Questionnaire?
  • Were Any Changes Made To Cyber Essentials Plus?

How long do you have to complete and submit
a Cyber Essentials assessment?

You have 6 months to complete your assessment before your account is archived. Unfortunately, a refund cannot be issued, so it is best not to apply until you think you are ready for your assessment.

Can you obtain the self-assessment questions before
you pay your assessment fee?

Yes, you can. Please contact URM at cyberessentials@urmconsulting.com and we can provide you with all the self-assessment questions in PDF or Excel format.

How do you achieve Cyber Essentials Plus Certification?

The first thing you need to do to achieve Cyber Essentials Plus certification is to gain Cyber Essentials certification.

You will then be audited (either remotely or on-site) by a certification body, such as URM Consulting. If the audit reveals no gaps, you will be awarded the Cyber Essentials Plus certification.

If there are gaps identified, you will have 15 days to fix them and go through the assessment again. If you do not pass this time, you will need to make a fresh application and pay for it again.

What Cyber Essentials Plus scope can I choose?

The scope of the Cyber Essentials Plus must be the same as the Cyber Essentials scope.

It is up to you how you want to segregate your infrastructure and which divisions you would like to exclude. The excluded or included parts of the infrastructure must be segregated by some means, e.g. a firewall or a physical boundary.

What is the difference between Cyber Essentials
and Cyber Essentials Plus?

Cyber Essentials Plus is an addendum to Cyber Essentials and is aimed at ensuring that all the controls highlighted in the Cyber Essentials self-assessment questionnaire are in place.

Cyber Essentials Plus does not contain any additional requirements when compared to Cyber Essentials.

How much does a Cyber Essentials Plus assessment cost?

The cost of Cyber Essentials Plus varies according to the size of the scope and the number of devices sampled. As such, each Cyber Essentials Plus assessment has to be quoted for.

In order to obtain a quote, email URM at cyberessentials@urmconsulting.com

For indicative purposes, the costs of conducting a Cyber Essentials Plus assessment for a small, non-complex organisation start at £995 ex. VAT.

Is there a register of organisations certified to Cyber Essentials?

Yes, the NCSC maintains a register of those organisations which are certified to Cyber Essentials and anyone can search by name to find organisations holding a Cyber Essentials Certificate issued in the last 12 months.

How long do the Cyber Essentials and Cyber Essentials
Plus certifications last before you need to renew them?

Cyber Essentials and Cyber Essentials Plus certificates expire after 12 months and will need to be renewed. If you don’t renew, your organisation will be removed from the NCSC’s ‘certified organisations’ list.

What is the recertification process?

URM will contact you with a reminder approximately a month before you have to recertify. You will then be required to pay an application fee again and complete a new application form.

This is due to the questions being periodically updated and so may be different from the previous year.

It is a good idea to keep a copy of your answers when you submit, to enable you to cut and paste the relevant parts from your previous submission.

What tests are carried out in the Cyber Essentials Plus process?

There are 4 stages involved in achieving CE+ certification.

The first stage involves an external vulnerability scan which is conducted remotely and aims to detect any potential vulnerabilities present on external-facing devices (firewalls, routers, servers etc.).

As an added-value service, URM will often run the external scan ahead of the assessment date and provide feedback to its clients to ensure there will be no unforeseen outcomes during the assessment and enable any remediations to be made.

The second stage, which can also be carried out remotely, is the internal vulnerability scan. Here, a vulnerability scanner is connected to the internal network and searches for potential vulnerabilities in the system on sampled devices.

A ‘Malware delivered over email’ test represents the third stage. This test involves URM (or another assessor) sending 3 emails to the audited organisation that go through the same filter as everyday emails would.

The first email is an email with a link, the second email is an email with a notepad document. The goal here is to confirm that your organisation can receive attachments. The third email contains an EICAR file and is designed to test the response of computer antivirus (AV) programs.

The file has malicious signatures, but the file itself is not malicious. As such, it should get picked up by anti-malware without causing any damage to machines. This test is again conducted on the sampled devices.

The fourth and final stage is a ‘Malware delivered over web’ test. This test uses the link from the previous stage (first email) to open a page with multiple links and there is an attempt to try and download malicious files, macros and run remote scripts.

All of these attempts should get blocked either by the operating system or the anti-malware software. Again, this test is carried out on the sampled devices.

What is the purpose of a Cyber Essentials Plus vulnerability scan?

The vulnerability scan is utilised on two steps of the Cyber Essentials Plus certification process (scans are not used as part of the Cyber Essentials certification process, which relies on a self-assessment questionnaire).

Initially, vulnerability scans are used to assess all the external-facing devices used in the infrastructure (firewalls, routers, servers, services etc.) and then later on the internal vulnerability scan to assess the sampled endpoints.

Is there a Cyber Essentials checklist?

The following checklist applies to both Cyber Essentials and Cyber Essentials Plus requirements, the difference being that with the latter a technical expert conducts a vulnerability scan and remote audit of your IT systems, including a representative set of user devices, all Internet gateways and all servers with services accessible to unauthenticated Internet users.

The questions that will need to be answered include:

  • Are all of your operating systems supported including phones, tablets, servers, workstations etc…?
  • Have all the security patches been applied to the operating systems?
  • Is your Office suite up to date? Is your anti-malware up to date?
  • Are your browsers up to date with security patches?
  • Have you disabled auto-run?
  • Are macros disabled in Office?
  • Have you disabled remote scripts from being run?
  • Are all of your applications up to date with security patches?
  • Are all the applications used in the organisation supported?

What 10 steps should you follow to prepare for
Cyber Essentials certification?

The following checklist applies to both Cyber Essentials and Cyber Essentials Plus requirements, the difference being that with the latter a technical expert conducts a vulnerability scan and remote audit of your IT systems, including a representative set of user devices, all Internet gateways and all servers with services accessible to unauthenticated Internet users.

The questions that will need to be answered include:

  1. Ensure all your operating systems are still being supported by the manufacturer (including mobile phones, servers, tablets etc.)
  2. Apply all operating systems’ security patches within the 14-day time period.
  3. If you are using the Office suite, it must be on a supported version with all the security patches applied.
  4. Ensure the anti-malware agent is up to date and functional.
  5. Update the web browser to the latest version, or at least apply the latest version with a patch for a high-risk or critical vulnerability.
  6. Disable auto-run and ensure you have a process for new starters and leavers and providing role-based access control.
  7. Disable macros or ensure you are protected from malicious Office documents.
  8. Ensure all default passwords are changed on the firewall, on the systems and ensure they are changed to a secure password.
  9. Ensure all unnecessary applications are removed. This can either be achieved with a ‘gold image’ or manual removal of relevant software.
  10. Ensure all the software you are running is supported and up to date.

What are the Cyber Essentials Plus patching requirements?

As of 24 January 2022, software updates need to be applied within 14 days of release, where the update fixes address vulnerabilities described by the vendor as ‘critical’ or ‘high risk’ or where no level of vulnerabilities is provided by the vendor, or where the fixes address vulnerabilities with a CVSS v3 score of 7 or above.

What is the required Cyber Essentials password policy?

For password-based authentication in Internet-facing services, you must:

  • Protect against brute-force password guessing by using at least one of the following methods:
    – Lock accounts after no more than 10 unsuccessful attempts
    – Limit the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes
  • Set a minimum password length of at least 8 characters
  • Not set a maximum password length
  • Change passwords promptly when you know or suspect that you have been compromised
  • Implement a password policy that tells users:
    – How to avoid choosing obvious passwords (such as those based on easily discoverable information like the name of a favourite pet)
    – Not to choose common passwords — this could be implemented by technical means, using a password deny list
    – Not to use the same password anywhere else, at work or at home
    – Where and how they may record passwords to store and retrieve them securely, for example, in a sealed envelope in a secure cupboardIf they may use password management software, which software and how to use it
    – Which passwords they must memorise.

You are NOT required to:

  • Enforce regular password expiry for any account (we actually advise against this)
  • Enforce password complexity requirements.

Who is the Cyber Essentials accreditation body?

On 1 April 2020, IASME became the sole Cyber Essentials Partner of the NCSC and became responsible for the delivery of the scheme.

How does Cyber Essentials differ from ISO 27001?

ISO 27001 adopts a more holistic approach and is focused on the development, implementation and continual improvement of an information security management system (ISMS).

Adopting a risk-based approach, ISO 27001 considers threats to all of its information assets in whatever form, i.e. paper, information systems or digital media.

When certifying to ISO 27001, you need to provide the assessor with evidence that you are meeting all the mandatory elements of the management system e.g. understanding the organisation, demonstrating leadership commitment, conducting risk assessments and treatment, evaluating performance and continually improving.

The controls you implement are dictated by your risk assessment. Cyber Essentials on the other hand is a ‘snapshot in time’ assessment, where the focus is on protecting data and programs on networks, computers, servers and other elements of IT infrastructure, from cyber threats.

There is no risk assessment involved and all the security measures set out by the NCSC must be in place at the time of the certification assessment. The same applies to Cyber Essentials Plus.

Get Your Cyber Essentials CertificateGet Your Cyber Essentials PLUS Certificate
Get Your Cyber Essentials CertificateGet Your Cyber Essentials PLUS Certificate

ISO 27001 vs SOC 2 - Part 1

Latest update:
3 Jun

URM delivered a question and answer session where it compared and contrasted 2 of the world’s leading information security standards, ISO 27001 and SOC 2.

Read more
Thumbnail of the Blog Illustration
Information Security
ISO 27001 vs SOC 2 - Part 2

2nd part of question and answer session where URM compared and contrasted 2 of the world’s leading information security standards, ISO 27001 and SOC 2.

Read more
Thumbnail of the Blog Illustration
Information Security
ISO 27001 vs SOC 2 - Part 3

3rd part of question and answer session where URM compared and contrasted 2 of the world’s leading information security standards, ISO 27001 and SOC 2.

Read more
Thumbnail of the Blog Illustration
Information Security
Transitioning to ISO 27001:2022

If your organisation is looking to transition to ISO 27001:2022, URM’s blog provides practical and invaluable guidance on meeting the new requirements.

Read more
URM consulting were fantastic to work with. Their expert support and friendly efficiency made achieving our Cyber Essentials Plus accreditation smooth and stress-free. It's reassuring to know that we have a reliable local consultancy that we can count on for ongoing support.
IT Services and IT Consulting
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.