As an IT leader, navigating the complex world of cybersecurity is part of your role. The Cyber Essentials scheme, backed by the UK government, is designed to help organisations like yours protect themselves against a broad spectrum of common cyber threats.
Earning a Cyber Essentials certification is a clear signal to your customers and partners that you take cybersecurity seriously.
There are two ways you can go: Cyber Essentials or Cyber Essentials Plus. What's difference between the two? Which one should your organisation go for? We're breaking it all down in this article.
In this blog post, we'll cover:
- What are the five main controls of Cyber Essentials?
- What is Cyber Essentials?
- What is Cyber Essentials Plus?
- What are the key differences between Cyber Essentials and Cyber Essentials Plus?
- When do you need the basic Cyber Essentials certification, and when Cyber Essentials Plus?
- Why should you get Cyber Essentials and Cyber Essentials Plus?
- How long does it take to get Cyber Essentials and Cyber Essentials Plus and how much does it cost?
- Is Cyber Essentials the same as ISO 27001?
What are the five main controls of Cyber Essentials?
Cyber Essentials is a government-backed scheme that helps organisations protect themselves from common cyber threats and demonstrates that organisations have a basic minimum level of cybersecurity. It certifies that they are protected against a range of common cyber attacks.
To ensure compliance with Cyber Essentials, organisations should focus on five key controls of cyber security. These controls are essential for protecting against a wide range of cyber threats and attacks. Here's a checklist of the five key controls:
1. Firewalls
All devices with internet connectivity must have a firewall installed in order to comply with the Cyber Essentials scheme. Between the network/device inside your organisation and the outside networks, firewalls form a "buffer zone." Ensure that firewalls are turned on in end-user devices and that port opening/closing is authorised and documented. In short:
- Close unnecessary ports
- Keep records of the port opening and closing process
- Restrict remote access to defined IP addresses by setting up boundary firewalls
- Enable firewall on all end-user devices
2. Secure configuration
A network, device, or software's default settings cannot be regarded as secure since they frequently make use of an administrator account with an easily crackable default password. Have all unneeded user accounts and software been disabled and uninstalled? The organisation's computers and network hardware should be configured for maximum security. In short:
- Change default login details on all network devices
- Uninstall software no longer in use
- Disable user accounts that are not in use
- Outline and enforce a strong password policy
3. Access control
Maintaining user accounts helps prevent abuse and unauthorised access, especially for those with special access credentials. Do you consistently monitor admin accounts and enforce user permissions regulations? Only authorised users should be given access to accounts, and they should only have the barest of privileges on computers, networks, and applications.
- Create employee account policies during onboarding and offboarding
- Set up policies for user permissions
- Establish separate accounts for admin tasks
- Review admin accounts regularly
4. Security update management
Manufacturers and developers frequently offer new features and upgrades that could address any security issues that have been found. Are all mobile platforms and OS systems up to date? Setting up your systems to update automatically ensures that your systems are protected the moment a new version becomes available. Applying these updates is referred to as "patching." In short:
- Ensure third-party applications are up to date
- Ensure all systems are up to date
- Uninstall any unsupported or outdated software
- Verify that software are appropriately licensed for business use
- Update software on mobile devices regularly
5. Malware protection
Organisations should deploy anti-malware software on all devices with internet access. Malware is intentionally created and spread to make unauthorised use of systems possible. Examples of malware sources include malicious downloads, email attachments and unauthorised application installs. Check to see whether your malware and antivirus software is up to date.
- Install antivirus software on all devices
- Ensure antivirus software is up to date
- Automate antivirus software to conduct regular scans
These controls are crucial for organisations to enhance their cybersecurity posture and protect against the most common types of cyber-attacks and data breaches.
By implementing these measures, businesses can significantly reduce the risk of falling victim to cybercrime.
What is Cyber Essentials?
Cyber Essentials is a self-assessment questionnaire that helps you assess and align your organisation’s information security posture to the current Cyber Essentials baseline standard. It enables an organisation to advertise publicly that they are Cyber Essentials compliant for 1 year.
The main goal of Cyber Essentials is to identify oversights in the device/network security and procedures of your organisation. For SMEs, it is a cost effective method to comply with basic level GDPR standards. To ensure continued compliance, Cyber Essentials must be renewed annually.
What is Cyber Essentials Plus?
Cyber Essentials Plus is an expansion upon the Cyber Essentials self-assessment questionnaire. It includes an audit of your organisation's IT systems by a trained auditor. In this audit, they may confirm that all the necessary controls that have been declared in Cyber Essentials are implemented in the organisation's network.
Keep in mind that, to be certified by Cyber Essentials Plus, you must already have Cyber Essentials. Your verified self-assessment must be dated within three months prior to applying for Cyber Essentials Plus.
The notable key elements of the Cyber Essentials Plus certification process are:
- An assessor chooses a small number of computers from your organisation and conducts an audit to confirm that they are configured according to the scheme.
- These sample computers are subjected to a vulnerability scan to ensure that they have been patched and configured properly.
- A scan of your internet-facing IP addresses' external ports is performed to make sure no obvious vulnerabilities or misconfigurations are found.
- Email and internet browsers are tested to see if their settings prevent dangerous files from being downloaded and executed.
- Once the system is deemed Cyber Essentials compliant, screenshots are taken as proof.
Once your organisation has been successfully certified, this certification is valid for 12 months from the issue date.
What are the key differences between Cyber Essentials and Cyber Essentials Plus?
Although Cyber Essentials and Cyber Essentials Plus are implemented around the same 5 controls, they have some key differences.
| Cyber Essentials | Cyber Essentials Plus |
| This is a self assessment questionnaire that can be carried out by employees of the organisation. | It is a professionally conducted audit that is ideal for large organisations. |
| It is ideal for SMEs with few system processes who are looking for a cost-effective way to comply with the GDPR. | An external certification body will remotely conduct vulnerability scans of your organisation’s systems. |
| The self-assessment is an audit of basic system requirements needed for baseline compliance. | This audit assesses all system requirements and ensures that your organisation is compliant with all five controls listed in Cyber Essentials. |
| The self-assessment can be conducted by an internal IT team. This team must be aware of all business and system processes. | Hiring independent assessors provides the benefit of working with individuals who have auditing experience in several comparable organisations. |
Understanding the main differences between both certifications is an important aspect of our next question—who needs Cyber Essentials?
When do you need Cyber Essentials basic certification, and when Cyber Essentials Plus?
Cyber Essentials and Cyber Essentials Plus are a way for organisations to identify and train on how to keep their IT systems secure.
The Cyber Essentials and Cyber Essentials Plus are not just necessary for keeping your organisation's data safe from hackers, but it can also help you mitigate other cybersecurity risks such as cyber extortion or denial-of-service attacks.
It is mandatory for all organisations whether private or non private, looking to take part in UK government tenders.
For government contracts
Cyber Essentials and Cyber Essentials Plus are mandatory for organisations looking for specific government contracts, and without the certification, they may not be able to bid for such contracts. It is also important since these organisations are working with the personal information of UK citizens and UK government employees.
For ministry of defence contracts
The UK Ministry of Defence (MOD) requires all its suppliers to comply with the Cyber Essentials and Cyber Essentials Plus schemes. This means that all organisations directly conducting business with the MOD, or organisations delivering to the MOD supply chain require Cyber Essentials.
When looking for internal reasons
It is important for employees on all levels to understand how to comply with data protection when handling personal data and sensitive personal data of customers. Complying with Cyber Essentials Plus is the ideal choice if you want to show that your company takes data protection seriously—and is compliant with cyber security.
For IT support/managed service provider
It is important to know how to assist customers with everything from basic IT needs and troubleshooting to cutting-edge security and network administration. If your customers need help with their Cyber Essentials and Cyber Essentials Plus, your organisation should be certified at least at the level at which your customers are seeking assistance with their Cyber Essentials and Cyber Essentials Plus.
Why should you get Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials Basic and Plus allows you to receive the most up-to-date cyber security. This ensures that your organisation has the knowledge and skills necessary to protect its data from hackers and cybercriminals. Cyber Essentials Basic and Plus is a great way to make sure that your organisation's information is protected against any possible threats.
There are a few important reasons why organisations should opt for Cyber Essentials and Cyber Essentials Plus, such as:
To obtain cyber Insurance
Cyber Essentials-certified organisations can automatically receive £25,000 in cyber insurance if their annual turnover is under £20m.
It's cost-effective
Since it is government-sponsored, it is affordable for almost every organisation.
It is the best option for SMEs
Cyber Essentials Basic and Plus does not require organisations to undertake rigorous and detailed audits, which may sometimes prove to be too difficult.
Protects from cyber security breaches
In 2020, up to 88% of UK organisations suffered from security breaches, where the average cost of a break for a UK SME was £16,100. Having Cyber Essentials Basic and Plus can prevent you from incurring these devastating costs.
Provides more business opportunities
Clients who understand that you are committed to cybersecurity are more prone to wanting to work with you, hence helping with business growth.
How long does it take to get Cyber Essentials and Cyber Essentials Plus, and how much does it cost?
The cost of Cyber Essentials certification is £300, however this number may vary according to the provider, especially concerning Cyber Essentials Plus.
Assuming that you have the knowledge and information required, the Cyber Essentials Basic self-assessment can be completed as quickly as one week. On the other hand, Cyber Essentials Plus may take longer—up to three weeks—if the organisation is large.
Cyber Essentials is among some of the most recognised information security standards. However, is it the same as other standards, and can it be used in place of more detailed standards?
Is Cyber Essentials the same as ISO 27001?
Cyber Essentials and ISO 27001 are both standards that are aimed at helping organisations comply with regulations. However, they have some key differences.
Firstly, Cyber Essentials is a compliance-based standard, while ISO 27001 is risk-based. Compliance refers to the actions that must be taken by organisations in order for them to conform with an organisation's rules and regulations; risk-based refers to determining what risks exist within an organisation and how those risks can be managed.
Unlike ISO 27001, Cyber Essentials does not define an Information Security Management System (ISMS). This means that it simply requires organisations to implement the stated controls in response to common threats, not ISMS-specific threats. Cyber Essentials controls are available in ISO 27001, but this doesn't mean you can use them interchangeably; each standard has its own purpose and scope of use within an organisation.
Strengthen cybersecurity in your organisation
Certain government contracts, as well as all Ministry of Defence contracts, require organisations and suppliers to have the Cyber Essentials certification. In order to preserve a contract with the UK government or key industries, it is critical that your organisation considers certification and yearly recertification.
For organisations that are not looking to take part in government tenders, being Cyber Essentials certified may still show your consumers and clients that you have taken the necessary measures toward cybersecurity. If you want to learn about other certifications related to information security, check out our page on ISO 27001 Certification. Or reach out to us for a free consultation.
