CYBER ESSENTIALS

– certify your organisation against cyber attacks –

What is Cyber Essentials?

Cyber Essentials is a government-backed cyber security certification scheme that implements basic levels of protection against Internet-based threats. Under this scheme organisations can apply for a badge which recognises the achievement of government-endorsed standards of cyber security. Cyber Essentials is designed for organisations of all sizes, and in all sectors.

Why should you get Cyber Essentials?

The primary aim of the scheme is to encourage organisations to adopt best practices in their information security strategy, offering a mechanism to demonstrate that they have taken essential precautions to secure against the majority of cyber risks.

Having a Cyber Essentials badge will:

  • Protect your organisation against common cyber threats
  • Show your customers you take this issue seriously
  • Enable you to bid for Government contracts (since October 2014 Cyber Essentials has been mandatory for suppliers of Government contracts which involve handling personal information and providing some ICT products and services)
  • Help you to address other compliance requirements such as the EU General Data Protection Regulation
  • Reduce insurance premiums as a CE badge provides a valuable signal of reduced risk for insurers

Cyber Essentials assurance framework

Cyber Essentials includes an assurance framework and identifies some fundamental technical security controls that an organisation needs to have in place within their IT systems to protect information from threats coming from the internet.

The scheme focuses on the following five essential technical controls:

These are devices which control connections between networks. They are set up to allow authorized access and prevent unauthorized access from the public network to business information on your private network. For intruders these will be the locked doors requiring more effort to gain access.

Security measures should be implemented when building and installing computers and network devices in order to minimise the number of inherent vulnerabilities. A secure configuration ensures each device discloses only the minimum information about itself to the internet and provides only the services required to fulfil its intended function.

The purpose of access control is to ensure that user accounts are assigned only to authorized individuals and at the appropriate level.

Computers connected or exposed to the internet can be infected with malware, and dedicated software is required to monitor, detect and disable malware.

A patch management strategy is required to ensure the latest supported version of applications is used.

Certification options

There are two levels of Cyber Essentials certification available:

CYBER ESSENTIALS – An independently verified self assessment

Organisations assess themselves against five basic security controls by filling in a questionnaire. The information provided is verified by us, and if there is sufficient confidence that the controls have been effectively implemented, a certificate is awarded. Certification at this stage provides a basic level of confidence that the controls have been implemented correctly, and relies on the organisation having the skills to respond appropriately to the questionnaire.

CYBER ESSENTIALS PLUS – A higher level of assurance

A qualified and independent assessor examines the same five controls, testing that they work in practice by simulating basic hacking attacks. The Cyber Essentials Plus certification includes all of the assessments for the Cyber Essentials certification, and also includes an additional internal scan and some on-site checks and vulnerability assessments. We carry out tests of the systems using a range of tools and techniques and, if the tests are successful, award the Cyber Essentials Plus certificate.

Any organisation that has knowledge of the five security controls and is comfortable carrying out all of the preparation for certification can complete the self assessment questionnaire. For organisations that have difficulty in defining their scope and have little or no knowledge of the five controls or have complex organisational structures, we can provide a day of on-site consultancy. We will identify the key areas to address and help you complete the questionnaire.

The process of getting certified

STAGE 1
    • STEP 1

      Organisation identifies the systems it believes are at risk of external compromise, defining the scope of Cyber Essentials

    • STEP 2

      Organisation self assesses that the systems identified meet the requirements

    • STEP 3

      Organisation fills in the self-assessment questionnaire, which is signed by the CEO

    • STEP 4

      The assessment is independently verified by us

    • STEP 5

      If you pass, the Cyber Essentials Certificate is issued

STAGE 2
    • STEP 6

      Tests of the systems are carried out on site by us using a range of tools and techniques

    • STEP 7

      If you pass, the Cyber Essentials Plus Certificate is issued

In addition to the Cyber Essentials certification route, organisations can obtain certification to the IASME Standard, which includes aspects of basic information security governance and also the GDPR assessment elements.

We are a Cyber Essentials Certification Body

We provide all the tools and resources needed to achieve accredited certification at both levels of the Cyber Essentials scheme.