30th May 2022

What does Cyber Essentials mean?

Cyber Essentials is a government-backed certification scheme run by the National Cyber Security Centre (NCSC) and promoted by the UK government for UK businesses. It sets out the core controls that the NCSC regards as the baseline for awareness of, and defence against, common cyber-attacks on business computing systems and data.

A Guide to Cyber Essentials

An overview of Cyber Essentials

How does Cyber Essentials work?

As a business owner, you review the key points that form the Cyber Essentials checklist and adapt your equipment, processes and training as needed. Once you can answer all the points satisfactorily, you apply for certification. Cyber Essentials (the standard level) is a self-assessed certification; Cyber Essentials Plus is additionally inspected and assessed by an independent third party.

When was Cyber Essentials launched?

Cyber Essentials was launched in June 2014. The requirements and the question set have been revised several times since, most recently in January 2022.

What does Cyber Essentials cover?

You define a certification scope, which can be the whole organisation or a subset of its IT infrastructure (networks, devices and cloud services used for business data). Within that scope, the requirements cover five technical control themes: firewalls, secure configuration, user access control, malware protection and security update management.

Why is Cyber Essentials important?

To protect businesses and save money. In the modern world, it is essential to have a robust stance against cyber threats. Successful attacks can cripple or destroy a business through lost time, money and reputation, and the cost of preparation and protection is almost always substantially less than the cost of recovery. Being Cyber Essentials certified can be a condition of operating, or create opportunities, in some sectors. Some discounts, e.g. on cyber insurance, are also available to certified organisations.

Cyber Essentials and government contracts

In many cases a Cyber Essentials certificate is essential to being allowed to bid on or fulfil UK Government contracts. Under Procurement Policy Note 09/14 it has been mandatory since October 2014 for central government contracts that involve handling the personal information of UK citizens or Government employees, or providing certain ICT products and services.

Who needs Cyber Essentials?

In one sense, every business needs the basic defences of Cyber Essentials. No business is legally required to hold the certificate, but it is effectively essential when working in specific markets, Government contracts in particular. All businesses can benefit from the increased security and reduced risk of operating within the requirements of Cyber Essentials.

How to get Cyber Essentials certification

There may be work needed to make a business ready for certification, so the first step is to understand the requirements and perhaps put things in place to ensure your business complies. It is possible to do it by yourself but our recommendation is to work with a specialist who will find a balance between meeting the requirements without unduly impacting normal business operations. Flex IT works closely with a fully independent consultant to achieve compliance for our clients.

Once you are ready, the certification process itself is straightforward. You apply to a Certification Body, pay the fee, and answer the questions to show how your business meets the requirements.

If the application is for Cyber Essentials Plus then there will be follow-on steps after the initial application to arrange and pay for the assessment.

How long does it take to get Cyber Essentials?

It's hard to be specific: anywhere from one month to a year or more, depending on the size and level of preparedness of the organisation and the effort devoted to the work. Most small businesses should be able to achieve compliance within 3 months.

How much does Cyber Essentials cost?

The direct cost of submitting a self-assessment and obtaining the certificate ranges from £300 (plus VAT) for a micro organisation up to £500 (plus VAT) for a large organisation. The main indirect cost is the time needed to implement and maintain any changes to business systems and processes. Most businesses will benefit from external expert help; the fees for this vary with the level of support required.

Does Cyber Essentials expire?

Yes, Cyber Essentials lasts for one year and must be re-assessed annually to maintain the certificate. Re-certification is the same process as the initial certification and costs the same.

What is Cyber Essentials self-assessment?

The process requires you to answer around 50 questions about your cyber security controls to the satisfaction of a qualified assessor. The questions are set by IASME (iasme.co.uk), which operates the scheme on behalf of the NCSC. The assessors work for Certification Bodies, of which there are around 200 across the UK; IASME is itself also a Certification Body. Most Certification Bodies (CBs) operate an online portal through which you submit your responses.

Who is Cyber Essentials for?

Any organisation can certify, but the scheme is aimed primarily at small to medium-sized organisations (SMEs). Most of these will not have their own cyber security team and may also outsource their IT provision.

Cyber Essentials Plus

What does Cyber Essentials Plus mean?

This is the audited version of Cyber Essentials. An assessor assigned by your Certification Body checks that the controls you declared in your self-assessment are actually in place: they run an external vulnerability scan against your internet-facing systems, an authenticated internal vulnerability scan on a sample of your devices, and a set of prescribed tests on those devices, such as checking that malware delivered by email or browser download is blocked.

How much does Cyber Essentials Plus cost?

Cyber Essentials Plus is the audited version of Cyber Essentials and therefore incurs the same direct and indirect costs as the basic certification, plus the cost of the audit itself. Audits may be carried out remotely or in person. Costs start at around £1000 for a remote Plus audit; in-person audits will cost more.

Why get Cyber Essentials Plus?

The third-party audit of the applicant's responses to the certification questions confirms that the control measures are actually in place and working. The benefit of holding Cyber Essentials Plus over the standard certificate is largely reputational: there is independently verified confirmation that the business has taken its compliance seriously.

What does Cyber Essentials Plus cover?

Cyber Essentials Plus covers exactly the same topics in the same way as the standard self-assessed Cyber Essentials. The difference between them is not in the extent of cover. Cyber Essentials Plus is differentiated by having a third-party audit of the applicant to confirm the stated measures have been adopted and are effective.

Cyber Essentials Plus requirements

The business must have an operation within the UK and must demonstrate how it meets or exceeds the assessment criteria. It must first complete the self-assessment and obtain the standard Cyber Essentials certificate. The Cyber Essentials Plus audit, in which a third-party assessor checks the statements made in the standard submission, must then be completed within 3 months of that certificate being issued.

Cyber Essentials FAQs

Is Cyber Essentials available in the UK only?

It is a UK scheme, but organisations based outside the UK may apply and achieve certification as long as they have some operation within the UK.

Is Cyber Essentials mandatory?

No. There is no legal requirement to hold Cyber Essentials, although it is a contractual requirement for certain UK Government contracts (see above).

Is Cyber Essentials a framework?

You could say CE provides an approved framework of controls and policies for any business to improve its cyber security defences. It can be followed regardless of whether the certificate is applied for, although if you have made the effort to comply you may as well get the certificate!

Next steps

A successful cyber-attack is serious: it can halt operations, incur significant recovery costs, and cause reputational damage. Some businesses never recover and ultimately cease trading.

Cyber Essentials has two main benefits. It demonstrates that you take the threat of cyber attack seriously, giving you credibility with other organisations. At the same time, it ensures your business takes measures to protect itself, significantly reducing the risk of a successful attack and the financial and reputational losses that follow.

Flex IT can assist with implementing Cyber Essentials for your business. We have good experience in the process and can implement mechanisms to ensure your systems verifiably comply with the key requirements. We work closely with an independent consultant when taking our clients through accreditation to ensure they get an expert's view on the required steps.

Want to know more about Cyber Essentials? Contact us today.

This examination of Cyber Essentials continues in part two, in which some technical aspects of the requirements and comparisons with other certifications are discussed.