Everything you need to know about the Cyber Essentials scheme
More than 80% of the cyber attacks on businesses in the UK could have been prevented by implementing some basic security controls. Hence the UK government introduced the Cyber Essentials certification scheme in 2014. It is run by the National Cyber Security Centre (NCSC).
The Scottish Government has introduced a Cyber Essentials Voucher Scheme for SMEs. You can get up to £1000 towards achieving this certification. Let’s look at what it is and how you get the voucher. (Update: The voucher scheme is now put on hold)
1. What is Cyber Essentials?
Cyber Essentials is a Government-backed, industry-supported certification scheme run by the National Cyber Security Centre (NCSC). The scheme was first launched on 05 June 2014, and from 1 October 2014 the Government required all suppliers bidding for contracts involving the handling of certain sensitive and personal information to be certified against the Cyber Essentials scheme.
The scheme helps businesses put basic security controls in place to fight the most common cyber security threats. By achieving the certification, your business shows its commitment to cyber security. There are two levels of Cyber Essentials (CE) certification: CE and CE Plus.
2. Why do you need Cyber Essentials?
By achieving Cyber Essentials, your business shows its commitment to cyber security. Your suppliers, partners and clients feel more confident in sharing sensitive data and personal information with you. If you are tendering for Government projects you must have Cyber Essentials. Some MoD projects and Local Authorities are asking for a minimum of CE Plus. More organisations are now asking their suppliers, especially small and medium enterprises, to have the Cyber Essentials certification in order to tender for a project. Read our separate blog on why Cyber Essentials is important.
3. What is being tested in the process?
The Cyber Essentials certification process involves testing the following 5 technical controls of your IT infrastructure:
- Firewalls
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
4. What type of Cyber Essentials should you go for? What's the difference?
We would recommend you apply for the Cyber Essentials Plus certification. The reason is that Cyber Essentials Plus certification involves an onsite audit and testing of the technical security controls by the Certification Body. The certification process ensures that you have the required technical controls in place. Although it costs more to achieve CE Plus certification, it is absolutely worth it.
On the other hand, CE is a straightforward exercise where you answer the self-assessment questionnaire from the Certification Body and they evaluate your answers. If all goes well you will pass and a certificate will be issued.
In layman's terms, Cyber Essentials is you saying you have the security controls in place, and Cyber Essentials Plus is the Certification Body auditing the technical controls.
5. How much does the certification cost?
- The certificate cost for Cyber Essentials Level 1 is around £300 + VAT.
- The certificate cost for Cyber Essentials Plus is around £1,900 + VAT.
These costs are for the certificates only. There will be an extra cost depending on your infrastructure and on whether you already have security controls in place. If you are hiring an expert to help with this, costs will increase. In most cases, Cyber Essentials certification will cost you more than the standard costs from the Certification Body.
6. Do I need Cyber Essentials Level 1 to get Cyber Essentials Plus?
The short answer is no. You can apply for either Cyber Essentials or the Plus. Not both. Cyber Essentials Plus involves going through level 1, where you do the self-assessment questionnaire, then the external scan and the onsite visit by the Certification Body. You don’t need to pay for the certification twice.
UPDATE July 2020: Yes. Before April 2020, you could apply for either CE or the Plus, but with the latest changes the IASME Consortium process is to achieve CE before you apply for Cyber Essentials Plus.
7. What is the Voucher Scheme and how do you get it?
The Scottish Government has introduced the Cyber Essentials Voucher Scheme to help SMEs achieve the certification. You can claim up to £1,000 towards your certification. How do you do that? Register your interest and Scottish Enterprise will send you the application form. Choose a provider that can help you with CE or CE Plus, complete the form and send it back. You will then be notified of the outcome. Achieve the certification, pay the invoice and send the evidence to the voucher scheme admins at Scottish Enterprise. You will be paid in one instalment. It’s that simple.
UPDATE 07 July 2020: The scheme is now put on hold.
8. What are the criteria for the Voucher Scheme?
The criteria to claim under the Cyber Essentials Voucher Scheme are simple:
- Your business must employ fewer than 250 people
- Business must be registered in Scotland
- You access the internet to perform business activities
UPDATE 07 July 2020: The scheme is now put on hold.
9. How long is the Cyber Essentials Certification valid for?
Certification is only valid for a year, and the organisation needs to be re-certified every year to keep the status. The certification process will be the same again, but not as tedious as the first time, as long as you are keeping up with the technical controls that were put in place.
10. Does it work for Macs/Linux? How is the testing carried out?
The way the testing works is that the Certification Body will pick a few devices per build [in layman's terms, a sample] to audit. For example, if you use Mac, Linux, Windows 7 or 10, etc., you will need to pick one per build and they will be tested.
Update July 2020: If you have legacy systems on your network, such as Windows 7 or older and Windows Server 2008 R2 or older, then it's a straight fail unless you can isolate these from the network.
11. How about if we have multiple offices or remote workers?
Any system or user that accesses the company’s data comes under the scope of Cyber Essentials. If you are going for Cyber Essentials Plus then the assessor might need to visit a few locations. There might be extra charges for expenses and extra days of work.
Update July 2020: Due to COVID-19 the Cyber Essentials Plus audit is now done remotely.
12. If we fail, can we try again and how much does it cost?
If you fail the Cyber Essentials certification you will have 3 days to fix the issues and re-submit the application. For Cyber Essentials Plus certification, you will have 15 days to rectify the issues and re-submit. However, we recommend you work with a CE consultant who makes sure you have the required controls in place, so that you achieve the certification without any hiccups. TechForce is an Approved Cyber Essentials Practitioner and we can help with that [shameless plug]. We can perform a pre-assessment and make sure you are ready before you submit the application. If your infrastructure is really poor and you are not willing to update it, chances are you will fail. In fact, why go through the scheme when you don’t want to update your systems to be more secure?
13. Why do I need a consultant? And how much do you cost/what money do you save me/value do you add?
The need for a consultant depends on how good your infrastructure is and whether you have internal resources to help. For example, if you are going for Cyber Essentials Level 1, it is a straightforward process for an internal IT-literate person. You need to know what technical security controls you have in place for the company. If you don’t know, or don’t have the required controls, then you will benefit from having a consultant help you. The whole exercise is to make sure you have technical controls in place so that your business is not impacted by the most common cyber threats. A good consultant will keep you right. If you do have an IT department and they need an extra hand, or they don’t know where to start, you will also benefit from a consultant service.
If you are going for Cyber Essentials Plus I would definitely recommend bringing an approved practitioner/assessor onboard. They will help you save time, hassle and make sure you have the controls in place to achieve the certification. They will also help you with the pre-audit scan. It will save you from failing the certification and going through the process again.
Consultancy services for Cyber Essentials Plus usually work on a day rate basis. Each company might have a different day rate but cheap is not always the best.
14. What is the benefit of having Plus?
Cyber Essentials Plus shows that you have proven technical security controls in place. Part of achieving Cyber Essentials Plus is an Assessor from the Certification Body visiting the site, double-checking and testing that the security controls are in place. It gives your customers assurance that the information they share is with a secured business.
A few of the MoD contracts are now asking suppliers for Cyber Essentials Plus. Cyber Essentials Level 1 is not enough. We would always recommend going with the Plus.
15. Do I need to buy extra software to go through Cyber Essentials?
You shouldn’t need to. The scanning and testing tools are provided by the hired expert or the assessor as part of the process. However, if you like the software they are using and see the benefits, you can certainly purchase it for the company. It will help you stay on top of the technical security controls we discussed.
16. What do I get when I complete the certification process?
You will receive confirmation of the result and a certificate reference number from the Certification Body. You will also get the Cyber Essentials badges to publish on your website. Your company will be listed on NCSC's database of CE certified organisations.