The Cyber Essentials scheme is a UK government-backed programme designed to help organisations of all sizes defend themselves against the most common internet-borne cyber threats. Customers and partners can have more confidence entrusting their data to an organisation that holds Cyber Essentials certification and takes cyber security seriously.
In this article, we explore the two levels of Cyber Essentials certification, how they differ, who needs them and why.
In this article
- What are the five main controls of Cyber Essentials?
- What is Cyber Essentials Basic?
- What is Cyber Essentials Plus?
- What are the key differences between Cyber Essentials Basic and Cyber Essentials Plus?
- When do you need Cyber Essentials Basic and Plus?
- Why should you get Cyber Essentials Basic and Plus?
- How long does it take to get Cyber Essentials Basic and Plus and how much does it cost?
- Is Cyber Essentials the same as ISO 27001?
What are the five main controls of Cyber Essentials?
Cyber Essentials covers five main controls, namely:
- Firewalls - Every device that connects to the internet must be protected by a firewall: a boundary firewall between your internal network and the outside world, and a software firewall on end-user devices. A firewall acts as a "buffer zone" between your network and untrusted networks. Ensure that firewalls are enabled on end-user devices, that the firewall's administrative interface is password-protected and not exposed to the internet, and that every open inbound port is authorised, documented and closed again when no longer needed.
- Secure configuration - The default settings of a network device, computer or application cannot be regarded as secure: they frequently ship with an administrator account that has a well-known default password, plus unneeded software and services. Change default passwords, remove or disable unneeded user accounts and software, and configure the organisation's computers and network hardware to expose only what is required.
- Access control - Managing user accounts properly helps prevent misuse and unauthorised access, especially for accounts with elevated privileges. Review administrative accounts regularly and enforce a user access policy for creating, changing and removing accounts. Only authorised users should hold accounts, and each should have the minimum privileges needed on computers, networks and applications; administrative accounts should be used only for administrative tasks, not for everyday email and web browsing.
- Security update management - Vendors regularly release updates that fix security flaws found in their products. Keep all operating systems, firmware and applications on supported versions and up to date; the scheme requires updates that fix critical or high-severity vulnerabilities to be applied within 14 days of release. Enabling automatic updates where possible shortens the window in which a known flaw can be exploited. Applying these updates is referred to as "patching".
- Malware protection - Deploy anti-malware software on every device that accesses the internet. Malware is deliberately created and spread to gain unauthorised use of systems; common sources include malicious downloads, email attachments and unauthorised application installs. Check that anti-malware software is active, up to date and scanning files as they are downloaded or opened.
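The five controls above are stated as checks rather than procedures. As an added example, not part of the original article and not a script published by the scheme or by IASME, the following PowerShell gathers the evidence for those checks from a single Windows endpoint, which is roughly what a Plus assessor samples. The 14-day patch window is the scheme's published requirement; the 7-day signature age, the output file name and the assumption that Microsoft Defender is the anti-malware product are this example's own choices. Run it in an elevated session.

```powershell
# Added example: collect Cyber Essentials control evidence from one Windows endpoint.
# Illustrative code written for this article; not from the Cyber Essentials scheme or IASME.
# The scheme's own requirements document is authoritative. Run elevated.

$MaxPatchAgeDays = 14   # Scheme requirement: critical/high updates applied within 14 days of release
$MaxSigAgeDays   = 7    # Assumption: a local policy figure, not a scheme threshold

$report = [ordered]@{}

# 1. Firewalls: every profile (Domain, Private, Public) should be enabled.
$profiles = Get-NetFirewallProfile
$disabled = $profiles | Where-Object { -not $_.Enabled }
$report.FirewallAllProfilesEnabled = ($disabled | Measure-Object).Count -eq 0
$report.FirewallDisabledProfiles   = ($disabled | Select-Object -ExpandProperty Name) -join ','
# Each enabled inbound allow rule is an open door that must be authorised and documented.
$report.EnabledInboundAllowRules = (Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Measure-Object).Count

# 2. Secure configuration: built-in Guest should be disabled; list enabled local accounts for review.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
$report.GuestDisabled     = ($null -eq $guest) -or (-not $guest.Enabled)
$report.EnabledLocalUsers = (Get-LocalUser | Where-Object Enabled | Select-Object -ExpandProperty Name) -join ','

# 3. Access control: members of the local Administrators group. Keep this list short and justified.
$report.LocalAdministrators = (Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name) -join ','

# 4. Security update management: age of the most recently installed update.
# Caveat: Get-HotFix only lists updates recorded in Win32_QuickFixEngineering and InstalledOn can
# be empty, so this is a coarse indicator; confirm there are no pending updates in Windows Update.
$lastHotfix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastHotfix) {
    $report.DaysSinceLastUpdate = [int]((Get-Date) - $lastHotfix.InstalledOn).TotalDays
} else {
    $report.DaysSinceLastUpdate = $null
}
$report.PatchAgeWithinLimit = ($null -ne $report.DaysSinceLastUpdate) -and ($report.DaysSinceLastUpdate -le $MaxPatchAgeDays)

# An unsupported operating system fails the scheme regardless of patch state, so record the release.
$os = Get-CimInstance Win32_OperatingSystem
$report.OSCaption = $os.Caption
$report.OSVersion = $os.Version

# 5. Malware protection: Microsoft Defender state and signature age (assumption: Defender is in use).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $report.AntivirusEnabled   = $mp.AntivirusEnabled
    $report.RealTimeProtection = $mp.RealTimeProtectionEnabled
    $report.SignatureAgeDays   = [int]((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
    $report.SignaturesCurrent  = $report.SignatureAgeDays -le $MaxSigAgeDays
} else {
    # Defender cmdlets unavailable: a third-party product must be checked by its own tooling.
    $report.AntivirusEnabled = $false
}

# Show the result for the reviewer and save it as JSON so evidence from all sampled devices can be collated.
$result = [pscustomobject]$report
$result | Format-List
$result | ConvertTo-Json -Depth 3 | Set-Content -Path ".\ce-evidence-$env:COMPUTERNAME.json"
```

The script records evidence rather than deciding pass or fail for you: a long LocalAdministrators list or a non-zero EnabledInboundAllowRules count is not automatically a failure, but each entry needs a documented justification when the assessor asks.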
What is Cyber Essentials Basic?
Cyber Essentials Basic is a self-assessment questionnaire that helps you assess and align your organisation's security posture with the current Cyber Essentials baseline. The answers are signed off at board level and verified by a certification body; once certified, an organisation can publicly state that it holds Cyber Essentials for one year.
The main goal of Cyber Essentials Basic is to identify gaps in your organisation's device, network and procedural security. For SMEs it is a cost-effective way to demonstrate the kind of basic technical measures the GDPR expects, although it is not a GDPR certification in itself. To maintain certification, Cyber Essentials Basic must be renewed annually.
What is Cyber Essentials Plus?
Cyber Essentials Plus builds on the Cyber Essentials Basic self-assessment questionnaire by adding a hands-on technical audit of your organisation's IT systems by a trained assessor. In this audit the assessor confirms that the controls declared in your self-assessment are actually implemented on the sampled devices and network.
Keep in mind that, to be certified to Cyber Essentials Plus, you must already hold Cyber Essentials Basic, and your verified self-assessment must be dated within the three months before your Plus assessment.
The notable key elements of the Cyber Essentials Plus certification process are:
- The assessor selects a sample of your in-scope devices and audits them to confirm that they are configured in line with the scheme.
- The sampled devices are subjected to an authenticated vulnerability scan to confirm that they are patched and configured correctly.
- An external vulnerability scan of your internet-facing IP addresses is performed to check that no obvious vulnerabilities or misconfigurations are exposed.
- Email clients and web browsers on the sampled devices are tested to confirm that their settings prevent known test files from being downloaded and executed.
- Once each check passes, the assessor takes screenshots as evidence.
Once your organisation has been successfully certified, this certification is valid for 12 months from the issue date.
What are the key differences between Cyber Essentials Basic and Cyber Essentials Plus?
Although Cyber Essentials Basic and Plus are implemented around the same 5 controls, they have some key differences.
| Cyber Essentials Basic | Cyber Essentials Plus |
| --- | --- |
| A self-assessment questionnaire that can be completed by the organisation's own staff. | An independent technical audit conducted by a certification body's assessor, suited to larger organisations. |
| Suited to SMEs with few system processes that want a cost-effective way to demonstrate baseline security. | The certification body performs internal and external vulnerability scans of the organisation's systems, on site or remotely. |
| The self-assessment declares that the baseline requirements of the five controls are met; the declaration is verified on paper. | The audit tests a sample of devices and internet-facing systems to verify that the same five controls are implemented in practice. |
| Can be completed by an internal IT team, which must understand all business and system processes in scope. | Independent assessors bring auditing experience from many comparable organisations. |
Understanding the differences between the two certifications leads to the next question: who needs Cyber Essentials?
When do you need Cyber Essentials Basic and Plus?
Cyber Essentials Basic and Plus give organisations a structured way to identify gaps in how they keep their IT systems secure and to close them.
They are not only about keeping your organisation's data safe from opportunistic attackers; the same controls reduce exposure to related risks such as ransomware and other forms of cyber extortion.
Certification is mandatory for organisations, public or private sector, that bid for certain UK government contracts.
- For government contracts
Cyber Essentials is mandatory for suppliers bidding for central government contracts that involve handling personal information or providing certain ICT products and services; without it they cannot bid, and some contracts specify the Plus level. It matters because these suppliers handle personal information about UK citizens and UK government employees.
- For Ministry of Defence contracts
The UK Ministry of Defence (MOD) requires suppliers that handle MOD identifiable information to hold Cyber Essentials, at Basic or Plus depending on the risk level of the contract. The requirement flows down the supply chain, so subcontractors delivering into an MOD contract also need certification.
- For internal reasons
Staff at every level need to understand their data protection obligations when handling customers' personal data and special category data. Certifying to Cyber Essentials Plus is the stronger way to show that your company takes data protection and cyber security seriously, because the controls are independently verified rather than self-declared.
- For IT support and managed service providers
Providers are expected to help customers with everything from routine troubleshooting to security and network administration. If your customers are pursuing Cyber Essentials, your organisation should itself be certified at least to the level you are helping them achieve.
Why should you get Cyber Essentials Basic and Plus?
Working through Cyber Essentials Basic and Plus brings your organisation up to a current, well-defined security baseline and builds the knowledge needed to keep it there. It is not a guarantee against every threat, but it protects against the majority of common, commodity attacks.
There are a few important reasons why organisations should opt for Cyber Essentials Basic and Plus, such as:
- To obtain cyber insurance - UK-domiciled organisations certified to Cyber Essentials with an annual turnover under £20m automatically qualify for £25,000 of cyber liability insurance included with the certification.
- It is cost-effective - The Basic certification fee is fixed by the scheme and is affordable for almost every organisation.
- It is a good fit for SMEs - Cyber Essentials is much lighter than a full management-system audit such as ISO 27001; Basic is a questionnaire, and even the Plus audit is a bounded technical test rather than a review of every business process.
- Reduces the risk of breaches - In 2020, up to 88% of UK organisations reportedly suffered a security breach, and the average cost of a breach for a UK SME was £16,100. Implementing the Cyber Essentials controls substantially reduces the likelihood of incurring these costs.
- Provides more business opportunities - Clients who can see that you are committed to cyber security are more willing to work with you, supporting business growth.
How long does it take to get Cyber Essentials Basic and Plus and how much does it cost?
The fee for Cyber Essentials Basic is set by the scheme (around £300 at the time of writing, tiered by organisation size); Cyber Essentials Plus is priced by the certification body and varies with the size of your estate and the number of devices sampled.
Assuming you have the required knowledge and information to hand, the Cyber Essentials Basic self-assessment can be completed in as little as a week. Cyber Essentials Plus takes longer, up to three weeks for a large organisation, because the audit must be scheduled and any findings remediated and retested.
Cyber Essentials is among the most widely recognised information security standards in the UK. But is it the same as other standards, and can it be used in place of more detailed ones?
Is Cyber Essentials the same as ISO 27001?
Cyber Essentials and ISO 27001 are both information security standards that help organisations demonstrate good practice to customers and regulators. However, they have some key differences.
Firstly, Cyber Essentials is a compliance-based standard, while ISO 27001 is risk-based. Compliance-based means there is a fixed set of prescribed controls that every organisation must implement; risk-based means the organisation first identifies the risks it faces and then selects controls to manage those risks.
Unlike ISO 27001, Cyber Essentials does not define an Information Security Management System (ISMS). It simply requires organisations to implement the five stated controls against common threats, rather than treating the risks the organisation identifies for itself. The Cyber Essentials controls have counterparts in ISO 27001's Annex A, but that does not make the two interchangeable; each has its own purpose and scope within an organisation.
Certain government contracts, and MOD contracts that involve MOD identifiable information, require suppliers to hold Cyber Essentials certification. To keep such contracts, it is critical that your organisation certifies and recertifies every year.
For organisations not bidding for government tenders, Cyber Essentials certification can still show customers and clients that you have taken sensible, verifiable measures toward cyber security. If you want to learn about other certifications related to information security, check out our page on ISO 27001 Certification.