Passing Cyber Essentials

Cyber Essentials is a UK government-backed scheme designed to help you protect your organisation from common cyber-attacks. Whatever the size of your organisation or the industry you work in, attacks now come in a wide range of styles and types and with varying degrees of severity. In recent years malicious actors have become particularly skilled at targeting organisations and gaining access to systems, information and credentials, any of which can have a major impact on a business.

[Image: Passing Cyber Essentials. Image created by Market Business News.]

The Cyber Essentials certification exists to help you put the right processes in place to protect yourself and your business from these attacks, while reassuring your customers and clients that you take cyber security seriously.

What is Cyber Essentials?

There are two levels of certification, the first being Cyber Essentials, and the second Cyber Essentials Plus.

Cyber Essentials certification is a self-assessment: the organisation answers a questionnaire covering five security control themes, and the answers are then reviewed and verified by a certification body.

The five security control themes are:

  • Boundary Firewalls & Internet Gateways
  • Secure Configurations
  • Access Controls
  • Malware Protection
  • Security Updates

The self-assessment questions are free for organisations to download in advance. Once certification is awarded, it also comes with cyber liability insurance (terms apply).

Cyber Essentials Plus uses the same question set, but to achieve this additional level of certification a technical assessment must be carried out by an assessor. Companies such as Data Connect act as certification bodies for both levels of the standard.

Both Cyber Essentials and Cyber Essentials Plus certificates are valid for 12 months, so it is important to renew them annually.

Choosing between Cyber Essentials and Cyber Essentials Plus

To give your organisation as much protection as possible, you may be wondering whether to choose Cyber Essentials or Cyber Essentials Plus.

Cyber Essentials is considered the minimum level of security an organisation should have. This level of certification is suitable for any size of organisation, from micro and small businesses to large enterprises. Many businesses find the self-assessment questionnaire extremely educational; however, some find it more complicated than expected and do not fully understand what is required in order to pass. Below we have covered some of the basics to help an organisation through the certification process.

Cyber Essentials Plus, on the other hand, requires an assessor to carry out a technical audit, either remotely or on site. Organisations that opt for the Plus certification generally have greater peace of mind, because the five core controls have been independently tested rather than self-declared. The cost of a Cyber Essentials Plus assessment varies with the size of your organisation, so this is certainly a factor to be aware of when making your decision. You can find a list of approved certification bodies on IASME's website.

How to pass Cyber Essentials 

When completing your Cyber Essentials self-assessment or undergoing an audit from a certification body, be sure to research the most up-to-date information. Familiarise yourself with the questions and understand the level of detail expected in each answer. A simple yes or no without supporting detail can prolong the certification process or even lead to failure. A major revision of the requirements took effect in January 2022; the current requirements are published in the Requirements for IT Infrastructure document from the NCSC, while the question set can be downloaded from IASME. To ensure you are prepared for the assessment, there are a few steps you can follow.

Fully understand the scope

Most organisations need help defining and understanding what is in scope. Without a clear scope, you do not know exactly which devices, services and users the question set applies to. Under the current requirements this includes cloud services your organisation uses, devices used by home workers and employee-owned (BYOD) devices that access organisational data, not just equipment in the office. Scoping errors are one of the most common issues certification bodies see, and they can lead to organisations failing Cyber Essentials Plus after passing the self-assessment, because the assessor tests devices the organisation had not considered. Make sure to do your research and, if you are unsure, ask IASME or a certification body.

Perform a gap analysis

Preparation ahead of the assessment is crucial. By carrying out a gap analysis, you can spot your organisation's weaknesses and remedy them ahead of time. Communication is a big part of this: making sure that every department and every member of the team is on the same page and working from the same information helps ensure a shared understanding of why cyber security matters.

Linked to this, where a certificate is due for renewal, do not leave it until the last minute. Give yourself time to prepare and to review the important areas of your IT infrastructure, confirming that nothing has changed since the last assessment and that no new problems have arisen. You can also use this time to apply any outstanding updates.

Keep track of your digital assets

Whatever digital devices your organisation is using, it is important to keep an inventory of them and to keep them up to date. Any endpoint device, including laptops, tablets, desktop computers and mobile phones, can contain security vulnerabilities. Keeping devices and software current is known as 'patching': updates are applied not just for additional features but to fix security issues and vulnerabilities. Cyber Essentials requires that updates fixing high or critical vulnerabilities are installed within 14 days of release, and that software which is no longer supported by its vendor is removed from the devices in scope. Applying outstanding updates ahead of your assessment is important for ensuring you pass.
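As an added example of what a simple pre-assessment gap check over an asset inventory can look like (this is illustrative code written for this article, not tooling from IASME, the NCSC or any certification body), the script below walks a constructed device list and flags the three things an assessor is most likely to pick up under the Secure Configuration and Security Updates themes: an operating system the vendor no longer supports, a security update installed more than 14 days after release, and automatic updates switched off. The hostnames, dates and the inventory format are invented for the example; in practice you would feed it from your MDM or endpoint management export.

```python
"""Added example: a small pre-assessment gap check over a device inventory.

This is not part of the original article or any certification body's tooling.
It assumes a constructed inventory of endpoints (INVENTORY below) and applies
three checks drawn from the Cyber Essentials control themes: the operating
system must still be vendor-supported, security updates must be installed
within 14 days of release, and automatic updates should be enabled.
"""
from datetime import date, timedelta

# Cyber Essentials requires high/critical security updates within 14 days.
PATCH_WINDOW_DAYS = 14

# Constructed sample inventory; hostnames and dates are invented for the example.
INVENTORY = [
    {"host": "LAPTOP-01", "os": "Windows 11", "supported": True,
     "last_patch_released": date(2022, 3, 8),
     "last_patch_installed": date(2022, 3, 10),
     "auto_update": True},
    {"host": "LAPTOP-02", "os": "Windows 7", "supported": False,
     "last_patch_released": date(2020, 1, 14),
     "last_patch_installed": date(2020, 2, 20),
     "auto_update": False},
    {"host": "PHONE-07", "os": "Android 12", "supported": True,
     "last_patch_released": date(2022, 3, 7),
     "last_patch_installed": None,   # update released but never applied
     "auto_update": False},
]

# Assumed assessment date so the example gives stable results offline.
ASSESSMENT_DATE = date(2022, 4, 1)


def assess_device(device, today):
    """Return a list of gap descriptions for one device (empty list = no gaps)."""
    gaps = []
    if not device["supported"]:
        gaps.append("unsupported OS: %s" % device["os"])

    released = device["last_patch_released"]
    installed = device["last_patch_installed"]
    deadline = released + timedelta(days=PATCH_WINDOW_DAYS)
    if installed is None:
        # Nothing installed yet: only a gap once the 14-day window has passed.
        if today > deadline:
            gaps.append("security update overdue since %s" % deadline.isoformat())
    elif installed > deadline:
        gaps.append("security update applied %d days late" % (installed - deadline).days)

    if not device["auto_update"]:
        gaps.append("automatic updates disabled")
    return gaps


def gap_report(inventory, today):
    """Map each hostname to its list of gaps; compliant hosts map to []."""
    return {d["host"]: assess_device(d, today) for d in inventory}


if __name__ == "__main__":
    for host, gaps in gap_report(INVENTORY, ASSESSMENT_DATE).items():
        status = "OK" if not gaps else "; ".join(gaps)
        print("%-10s %s" % (host, status))
```

Run as written, the report clears LAPTOP-01, flags LAPTOP-02 for its unsupported operating system, a patch applied 23 days past the window and disabled automatic updates, and flags PHONE-07 for an update still outstanding after the deadline plus disabled automatic updates. Each flagged line is one item to fix before the assessor looks at the device.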

Not a tick box exercise

Cyber Essentials certification is not a simple tick-box exercise and should not be treated as one. Use the assessment to improve your cyber security strategy and reduce the risk of a successful attack on your organisation.

Some of the benefits of completing the certification include:

  • Increases credibility with customers and suppliers
  • Makes you more aware of the threats your organisation faces
  • Gives you and your organisation confidence in your procedures
  • Lets you bid for certain central government contracts (those involving the handling of sensitive information or the provision of ICT services require Cyber Essentials certification)
  • Verifies your internal controls and demonstrates due diligence, which can reduce the risk of fines in the event of a data breach
  • Gives you and your team a better understanding of how to improve your cyber security strategy
