Cyber Essentials Certification is about how an organisation can improve its cyber security and mitigate data security risks. It requires organisations to complete a self-assessment to show they meet the certification requirements.
Cyber Essentials focuses on five security controls: firewalls, secure configuration, user access controls, security update management and malware management.
This article covers the importance of checking your infrastructure against Cyber Essentials requirements, the benefits of pursuing Cyber Essentials Certification, a summary of what to expect from our checklist and key differences between Cyber Essentials and Cyber Essentials Plus.
We have also compiled a simplified Cyber Essentials checklist based on the five control sets which you can use to verify your organisation’s readiness for certification.
Why do you need a Cyber Essentials Checklist?
A Cyber Essentials Checklist helps you stay up to date on your cyber security obligations. It condenses the security requirements found in IASME's extensive self-assessment questionnaire (SAQ) into a simple guide. Like the IASME SAQ, our checklist is organised around the five key controls, which you can refer to when confirming that you remain compliant with Cyber Essentials.
What are the five security controls of Cyber Essentials?
Cyber security concerns organisations of all sizes, and it is important to understand how to mitigate the risks associated with cyber attacks.
Cyber Essentials is designed to protect against the most common, commodity cyber attacks: the untargeted attacks that succeed against networks lacking basic controls. These controls fall under five main categories:
- Firewalls - To comply with the Cyber Essentials scheme, a boundary firewall (or internet gateway) must protect your network, and a host-based firewall must be enabled on every device that connects to the internet, including laptops used away from the office. Firewalls create a "buffer zone" between your organisation's network or device and external networks. Make sure every opened inbound port is authorised, documented with a business justification, and closed again when no longer needed, and that firewalls remain enabled on end user devices.
- Secure configuration - The default settings of a network, device or software cannot be considered safe: they often ship with an administrator account and a default password that anyone can look up. Change or remove default credentials, uninstall unnecessary software, and disable or delete accounts that are not needed. Computers and network devices should be configured to give the organisation the greatest practical security.
- User access controls - Managing user accounts, especially those with special access privileges, prevents misuse and unauthorised access. Accounts should be issued only to authorised, named individuals, with the minimum access to applications, computers and networks needed for their role. Review administrator accounts regularly, enforce a user permissions policy, and use separate administrator accounts for administrative tasks only, never for day-to-day email or web browsing.
- Security update management - Manufacturers and developers regularly release updates that fix identified security vulnerabilities. Applying these updates is known as "patching". Are all operating systems, applications and mobile devices supported by their vendor and up to date? The scheme requires updates that fix critical or high-severity vulnerabilities to be applied within 14 days of release, so configure systems to update automatically wherever this is feasible and track anything that cannot.
- Malware management - Organisations should install anti-malware software on all devices with internet connectivity. Malware is intentionally created and spread to perform unauthorised activities on systems; common sources are malicious email attachments, downloads, and unauthorised software installations. Check that anti-malware protection is present on every device, that its signatures and engine are regularly updated, and that it is configured to scan files on access.
The Cyber Essentials readiness toolkit helps you assess your readiness for Cyber Essentials against the five controls above. Since the scheme update of 24 January 2022, the requirements have been expanded to cover Bring Your Own Device (BYOD), cloud services and home or remote working, so devices and services in those categories must be included in your assessment scope.
Assessing your readiness confirms that your organisation is on track to comply with the Cyber Essentials scheme, and is the sensible first step before submitting the self-assessment.
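As an added illustration of what a readiness assessment actually checks (this is example code written for this article, not a tool from the scheme, IASME or any certification body), the script below evaluates a small constructed asset inventory against the five control areas. The inventory, device names, account names and field names are all made up; the 14-day patch window for critical and high-severity updates is the scheme's own requirement, while the 7-day maximum signature age for anti-malware is an assumption chosen for the example, since the scheme only says protection must be kept up to date.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14       # scheme requirement: critical/high fixes applied within 14 days
SIGNATURE_MAX_AGE_DAYS = 7   # assumption for this example; the scheme says "kept up to date"
TODAY = date(2022, 6, 2)     # fixed assessment date so the example is reproducible

CONTROLS = ("firewalls", "secure configuration", "user access control",
            "security update management", "malware protection")

# Named individuals authorised to hold administrative rights (constructed list).
APPROVED_ADMINS = {"alice", "bob"}

# Constructed inventory: every device, account and date below is made up.
INVENTORY = [
    {"name": "laptop-01", "internet": True, "firewall_on": True,
     "default_accounts_present": False, "unused_software": [],
     "admins": ["alice"],
     "updates": [],                      # (severity, release_date) still unapplied
     "antimalware": {"installed": True, "signatures": date(2022, 6, 1)}},
    {"name": "server-02", "internet": True, "firewall_on": True,
     "default_accounts_present": True, "unused_software": ["telnet"],
     "admins": ["alice", "svc-legacy"],
     "updates": [("critical", date(2022, 5, 10)), ("low", date(2022, 5, 1))],
     "antimalware": {"installed": True, "signatures": date(2022, 5, 1)}},
    {"name": "phone-03", "internet": True, "firewall_on": True,
     "default_accounts_present": False, "unused_software": [],
     "admins": [],
     "updates": [("high", date(2022, 5, 25))],   # 8 days old: inside the window
     "antimalware": {"installed": True, "signatures": date(2022, 5, 30)}},
]


def assess_device(dev, today=TODAY, approved_admins=APPROVED_ADMINS):
    """Return a list of (control, message) findings for one device.

    An empty list means the device raised no finding under any control.
    """
    findings = []
    name = dev["name"]

    # Firewalls: any internet-connected device needs its host firewall on.
    if dev["internet"] and not dev["firewall_on"]:
        findings.append(("firewalls", f"{name}: host firewall disabled"))

    # Secure configuration: no default accounts, no unnecessary software.
    if dev["default_accounts_present"]:
        findings.append(("secure configuration", f"{name}: default account still present"))
    for sw in dev["unused_software"]:
        findings.append(("secure configuration", f"{name}: unnecessary software '{sw}' installed"))

    # User access control: admin rights only for approved named individuals.
    for admin in dev["admins"]:
        if admin not in approved_admins:
            findings.append(("user access control", f"{name}: unapproved admin account '{admin}'"))

    # Security update management: critical/high fixes older than the window are overdue.
    for severity, released in dev["updates"]:
        overdue = (today - released).days - PATCH_WINDOW_DAYS
        if severity in ("critical", "high") and overdue > 0:
            findings.append(("security update management",
                             f"{name}: {severity} update {overdue} days past the "
                             f"{PATCH_WINDOW_DAYS}-day window"))

    # Malware protection: installed on internet-connected devices and kept current.
    am = dev["antimalware"]
    if dev["internet"] and not am["installed"]:
        findings.append(("malware protection", f"{name}: no anti-malware installed"))
    elif am["installed"]:
        age = (today - am["signatures"]).days
        if age > SIGNATURE_MAX_AGE_DAYS:
            findings.append(("malware protection", f"{name}: signatures {age} days old"))
    return findings


def readiness(inventory=INVENTORY, today=TODAY):
    """Evaluate the whole inventory.

    Returns (controls, findings): controls maps each control area to True when no
    device raised a finding under it, and findings is the flat list of messages.
    """
    controls = {c: True for c in CONTROLS}
    findings = []
    for dev in inventory:
        for control, message in assess_device(dev, today):
            controls[control] = False
            findings.append(message)
    return controls, findings


if __name__ == "__main__":
    status, issues = readiness()
    for control, ok in status.items():
        print(f"{'PASS' if ok else 'FAIL'}  {control}")
    for issue in issues:
        print("  -", issue)
```

Run against the constructed inventory, only the firewalls control passes: server-02 still has a default account and telnet installed, an unapproved service account with admin rights, a critical update nine days past the 14-day window, and anti-malware signatures a month old. The point a real assessment needs to capture is the same: the data has to come from every in-scope device, including BYOD and home-working machines, not just the ones in the office.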
Why is the Cyber Essentials Certification important?
It is widely cited that around 80% of common cyber attacks could be prevented by the basic controls that Cyber Essentials mandates. Examples of attack types these controls help prevent are:
- Phishing attacks
- Malware
- Ransomware
- Password-guessing attacks
- Network attacks
Being Cyber Essentials certified also demonstrates to your customers that your organisation is committed to data protection and cyber security, boosting your reputation and attracting new business. Once certified, your organisation is added to the public register of certified organisations for the 12 months your certificate is valid, as a public testament to your data protection commitments; the certification must be renewed annually to stay listed.
The cost of getting certified in Cyber Essentials depends on the size of your organisation, and can range from £300 to £500 + VAT. Additionally, the cost of Cyber Essentials Plus Certification can range from £1,900 and £4,000 + VAT.
Cyber Essentials certification is also a requirement for many UK central government contracts, particularly those that involve handling personal data. Should you choose to pursue Cyber Essentials Plus, your organisation will be positioned for UK Ministry of Defence contracts that call for the higher level of assurance.
Let us take a quick look at how the two certifications differ.
Cyber Essentials vs Cyber Essentials Plus: What is the difference?
At first glance, the two certifications may seem similar. Both are built on the same five controls and the same self-assessment questionnaire, but there are key differences in how compliance is verified:
| Cyber Essentials | Cyber Essentials Plus |
| --- | --- |
| Covers the basics of cyber security | Adds hands-on technical testing of your devices, such as vulnerability scans and malware protection checks |
| Certification requires an independent review of your organisation's self-assessment | Certification requires an independent audit of your organisation |
| Required for many UK government contracts | Required specifically for organisations pursuing MOD contracts that demand the higher assurance level |
Cyber Essentials Plus expands on the basic Cyber Essentials certification with a detailed technical audit of your organisation, giving greater assurance of compliance. The basic Cyber Essentials SAQ remains a valuable tool for assessing the state of your organisation's cyber security, and it is a prerequisite: you must hold the basic certification first, and the Cyber Essentials Plus audit must be completed within three months of it.
Conclusion
Reviewing your organisation's existing cyber security measures is the first step to pursuing Cyber Essentials Certification. Use the checklist included in this article to assess your organisation's readiness for the certification and decide whether you will benefit from Cyber Essentials Plus as well. Protect your organisation from malware and phishing attempts, and demonstrate a strong commitment to cyber security.
Cyber Essentials requirements overlap closely with the technical controls of the ISO 27001 framework for information security, which in turn sets the requirements for an organisation's information security management system (ISMS). If you wish to learn more about the ISO 27001 standard and begin strengthening your organisation's infosec strategy, check out our article on becoming ISO 27001 compliant.