6. Do I need Cyber Essentials Level 1 to get Cyber Essentials Plus?

The short answer is no. You can apply for either Cyber Essentials or the Plus. Not both. CE Plus involves going through level 1 where you would do the self-assessment questionnaire then external scan and the onsite visit by the Certification Body. You don’t need to pay for the certification twice.

UPDATE July 2020: Yes. Before April 2020, You can apply for either CE or the Plus but now with the latest changes and IASME consortium process is to achieve CE before you apply for CE Plus.

7. What is the Voucher Scheme and how do you get it?

The Scottish Govt has introduced the Cyber Essentials Voucher Scheme to help SMEs achieve the certification. You can claim up to £1,000 towards your certification. How do you do that? To register your interest click here, the Scottish Enterprise will send you the application form, choose a provider that can help you with the CE or CE Plus, complete and the form and send it back. You will then be notified of the outcome. Achieve the certification, pay for the invoice and send the evidence to the voucher scheme admins at the Scottish Enterprise. You will be paid in one instalment. It’s that simple.

UPDATE 07 July 2020: The scheme is now put on hold.

8. What is the criteria for Voucher Scheme?

The criteria to claim the Cyber Essentials Voucher Scheme is simple. Here it is

1. Your business must employ less than 250 people
2. Business must be registered in Scotland
3. You access the internet to perform business activities

UPDATE 07 July 2020: The scheme is now put on hold.

9. How long is the Cyber Essentials Certification is valid for?

Certification is only valid for a year and the organisation needs to be re-certified every year to keep the status. The certification process will be same again but not as tedious as the first time as long as you are keeping up with technical controls that were put in place.

10. Does it work for Mac's/Linux? How is the testing carried out?

The way the testing works is, Certification body will pick a few devices per build [in laymen terms, sample] to audit. For example, if you use Mac, Linux, Windows 7 or 10, etc… you will need to pick one per build and they will be tested.

Update July 2020: If you have legacy systems on your network likes of Windows 7 or older and Windows server 2008 R2 and older then it's a straight fail unless you can isolate these from the network.

11. How about if we have multiple offices or remote workers?

Any system or the user that is accessing the company’s data comes under the scope for Cyber Essentials. If you are going for Cyber Essentials Plus then the assessor might need to visit a few locations. There might be extra charges for expenses and extra days of work.

12. If we fail, can we try again and how much does it cost?

If you fail the Cyber Essentials certification you will have 3 days to fix the issues and re-submit the application. For Cyber Essentials Plus certification, you will have 15 days to rectify the issues and re-submit. However, we recommend you work with a CE consultant who makes sure you have the required controls in place and hence you will achieve the certification without any hiccups. TechForce is an Approved Cyber Essentials Practitioner and we can help with that [shameless plug]. We can perform pre-assessment and make sure you are ready before you submit the application. Unless your infrastructure really poor and you are not willing to update then chances are you will likely fail. In fact, why do go through the scheme when you don’t want to update your systems to be more secure?

13. Why do I need a consultant? And how much do you cost/what money do you save me/value do you add?

The need for a consultant depends on how good your infrastructure is and if you have internal resources to help. For example, if you are going for Cyber Essentials Level 1 it is a straightforward process for an internal IT literate person. You need to know what technical security controls you have in place for the company. If you don’t know or don’t have the required controls then you will benefit from having a consultant help you. The whole exercise is to make sure you have technical controls in place to ensure your business is not impacted by most common cyber threats. A good consultant will keep you right. If you do have an IT department and they need an extra hand or they don’t know where to start you will also benefit from a consultant service.

If you are going for Cyber Essentials Plus I would definitely recommend bringing an approved practitioner/assessor onboard. They will help you save time, hassle and make sure you have the controls in place to achieve the certification. They will also help you with the pre-audit scan. It will save you from failing the certification and going through the process again.

Consultancy services for CE Plus usually work on a day rate basis. Each company might have a different day rate but cheap is not always the best.

14. What is the benefit of having Plus?

Cyber Essentials Plus shows that you have proven technical security controls in place. Part of achieving CE Plus is an Assessor from Certification Body visiting the site and double checking and testing that the security controls are in place. It gives your customers assurance that their information shared with secured business.

A few of the MoD contracts are now asking for CE Plus for the suppliers. Cyber Essentials Level 1 is not enough. We would always recommend going with the Plus.

15. Do I need to buy extra software to go through Cyber Essentials?

You shouldn’t need to. The scanning and testing tools are provided by the hired expert or the assessor as part of the process. However, if you do like the software they are using and see the benefits you can most certainly purchase for the company. It will help you stay on top of the technical Security controls we discussed.

16. What do I get when I complete the certification process?

You will receive the confirmation from the certification body about the result and certificate reference number. You will also have the Cyber Essentials badges to publish them on your website. Your company will be listed on NCSC's database of CE certified organisations.

Do check out our other cybersecurity case studies:

• Maersk Ransomware Attack
• British Airways Data Breach Fine by ICO of £183.4million
• Colleges and Universities in the UK targeted by cyber-attacks during the pandemic
• Microsoft Servers Hit by Cyberattack 2021
• Peterson Control Union Email Phishing & Security Awareness training

Also check out our blogs on Cyber Essentials & Cyber Essentials Plus certification:

• Cyber Essentials Cost
• Cyber Essentials Lead time
• Cyber Essentials checklist
• Cyber Essentials Frequently Asked Questions
• CE Plus process