Fellow business owners! You have likely hit this page because you are in need of Cyber Essentials / Cyber Essentials Plus certification. Let us put your minds at ease right now: we can help you through this process from start to finish. So buckle up and tune in, because we will prime you with all of the key information you need to know about the entire process of achieving certification. Everything you need to know is on this page (and not spread across several websites, which makes the whole thing difficult to understand).
Firstly, what is Cyber Essentials?
Cyber Essentials is a UK-based, government-backed scheme/certification that helps you guard against the most common cyber threats and demonstrates your commitment to cyber security within your business/organisation. It has been developed in conjunction with the NCSC (National Cyber Security Centre), a department of the government agency GCHQ. It is delivered by IASME, an NCSC Strategic Delivery Partner responsible for operating the Cyber Essentials scheme amongst other cyber security schemes.
There are two tiers to this certification/accreditation.
Cyber Essentials Self Assessment:
This is the first and most basic option and gives you protection against a wide variety of the most common cyber attacks. This is important because vulnerability to basic attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals.
This initial level of certification gives you peace of mind that your defences will protect against the vast majority of common cyber attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place. You can address these basics and prevent the most common attacks via this level of certification.
Cyber Essentials Plus (commonly referred to as CE+):
Cyber Essentials Plus contains everything in the Cyber Essentials Self Assessment level of certification, and the protection mechanisms you need to have in place are the same, but for Cyber Essentials Plus a hands-on technical verification is also carried out. This is more commonly referred to as an audit, which you will either pass or fail. This is where we come into the equation: we ensure you’re equipped to pass.
“Why should I get Cyber Essentials / Cyber Essentials Plus?”
- It is likely that you have arrived here because you have been instructed to seek CE+, either by a government/council contract or as a requirement from a large organisation that you are going to work with, and you have searched the term online because you need to get the certification imminently to proceed with business.
- You may simply want reassurance that your business/organisation is in good secure standing to mitigate cyber attacks, and this is a government-backed scheme that’s equipped to do so.
- Reassurance may need to be provided to your stakeholders/shareholders/investors – because cyber breaches can potentially cost thousands upon thousands of pounds in lost revenue (even millions or worse – bankruptcy).
- Insurance – you may have an insurance requirement to attain Cyber Essentials / Cyber Essentials Plus within your business sector or one of your B2B clients may require it for their insurance, and for your working contract with each other.
- Attracting new business with a promise of cyber security within your business/organisation. There is no better way to demonstrate this than to achieve the CE+ certification: it is government-recognised and, renewed year on year, keeps you up to date.
- Gain a clear picture of your organisation’s cyber security level and see what you can do to improve it to a recognised standard.
These are some of the main reasons, but leaving requirements and motivations aside, we are in a very connected world now. The cybercrime climate is violent, persistent, and ever-changing. There is no better reason to ensure your business/organisation is as secure as it can be.
“I need this. It’s as simple as that. What is the technical information I need to know on this scheme/certification?”
Firstly, it’s important to know that you need to achieve these certifications in order: you can’t get Cyber Essentials Plus without first getting through the Cyber Essentials Self Assessment.
After you have submitted the Cyber Essentials Self Assessment, you will have 90 days to achieve Cyber Essentials Plus certification. This is an important fact.
Many organisations can facilitate the assessment; they are what is termed a Certifying Body, certified by IASME to do so. We ourselves are not a certifying body. We partner with a local organisation that is equipped to sign off the Self Assessment and to perform the audit required for the Plus level. They have the power to certify you.
“Why don’t I just contact the certifying body directly?”
This is an important question. Most small businesses and organisations will not be equipped to communicate with a certifying body about their I.T. systems. The Self Assessment form is a very technical form to fill in, and the problem is that you will struggle to convey your I.T. system’s inner workings to them effectively, and they will in turn struggle to fill the assessment in, because they do not send a technician/engineer to your site to survey your I.T.
You will also find that your I.T. systems will not pass many of these assessment questions because specific cyber security mechanisms aren’t in place. That is the main point of the assessment and the certification: to indicate the weaknesses and shortfalls and to put measures and mechanisms in place.
This is where we come in!
We can facilitate the entire process for you, as we are equipped to do what the certifying bodies are not able to. We can visit your place of business, survey your entire I.T. system, and bring it up to a standing (via both software and hardware) whereby you will pass the Cyber Essentials Self Assessment on the first attempt. In essence, we will be able to answer ‘yes’ to everything in the assessment and then supply the precise supporting details. We will then fill the form in for you so you can submit it to the certifying body that we partner with.
We have already been asked several times by businesses that required the Cyber Essentials certification, started the process with a certifying body, received the form, and were simply unable to understand it well enough to fill it in. The certifying bodies do provide a secondary paid service to assist you in filling the form in, but this can still be troublesome as they don’t visit you, and nothing beats a hands-on visit to dissect an I.T. system. They also don’t make the necessary changes to bring your systems up to scratch for the assessment, so while you may manage to fill the form in to some degree, you’re not proactively getting your I.T. system up to scratch.
By having us facilitate the process for you, you achieve 2 key things:
- Your I.T. system gets a close look, and we will bring it up to a standing whereby it will pass the Cyber Essentials Self Assessment first time, with all necessary mechanisms in place.
- We will fill the form in on your behalf so you can absolve yourselves of any I.T. and cyber security lingo. However, we will do our best to explain and educate you on key points throughout the process so you can adapt your office workflow with cyber security awareness in mind.
After the Self Assessment has passed, we move promptly onto the essence of this certification: the Cyber Essentials Plus audit, which, with just a few more tweaks and mechanisms put in place by us, you will pass. We will be on-site whilst the certifying body conducts the audit on your client computers at the office, taking the process out of your hands so you can simply await the ‘PASS’ at the end.
“I think I understand the process better now. What do I pay and to whom?”
Let’s talk money. The certifying bodies all follow the same transparent pricing structure that has been recommended/promoted to them by IASME. You will pay these fees directly to the certifying body.
The fees are tiered depending on organisation size. There are 4 tiers of pricing with the certifying bodies:
- 0 to 9 Employees
- 10 to 49 Employees
- 50 to 249 Employees
- 250+ Employees
You will pay a fee for the Cyber Essentials Self Assessment questionnaire, depending on your business size above.
You will also pay a fee for the Cyber Essentials Plus technical audit.
For our services in facilitating the entire process with you, you will pay us a fee that we will have quoted you at the point of enquiry, depending on your business size and I.T. infrastructure.
We will visit you, perform a site survey of your I.T. infrastructure, advise you on where you’re likely to need the relevant work (and any hardware) to bring things up to Cyber Essentials spec (for both the Self Assessment and the Plus audit), and quote you accordingly. It is very unlikely that you will require expensive hardware, as you will most probably have sufficient networking hardware in place already. Most of the time our work (or what we like to term ‘adjustments’) tends to be configuration based, strengthening/hardening your current setup. Sometimes we find that a business doesn’t have a suitable network router/gateway device in place (e.g. they’re using a BT Home Hub or a Virgin Media router), and we may recommend replacing/adding a router.
Our ethos is to ensure you have the bare minimum in place to pass the certification without making excessive changes, but we will make recommendations where more drastic and impactful improvements can be made. They aren’t required, but you may opt for a higher level of infrastructure: if the cost isn’t a big increase on the bare minimum, settling for the bare minimum may be a false economy in your business sector.
Once you agree to our quote and to the certification fees, we will get the ball rolling for you and contact the certifying body that we partner with and have a very proactive relationship with. This will be instrumental in delivering the certification to you quickly and smoothly.
After that, leave the rest to us! We will proceed with analysing and improving your systems (and filling in the complex forms). Firewalls, security configurations, user access controls, malware protection, and patch management are the key focus areas.