If you are starting to look at cyber protection for your business, then the UK Government backed Cyber Essentials scheme is a great place to start.
In fact, these are excellent standards to consider, wherever you are on your journey – at North Green, we go through the annual process for both Cyber Essentials and Cyber Essentials Plus.
But what exactly is Cyber Essentials? In this blog, we look at the certification standards, what they cover, and the cost involved.
What is Cyber Essentials?
Cyber Essentials and Cyber Essentials Plus are two certifications that companies can use to demonstrate their commitment to implementing cyber security best practices.
Both certifications are backed by the UK government and focus on providing organisations of all sizes with guidance on the steps they should take to protect against a cyber attack.
Cyber Essentials accreditation can help you:
- reassure customers that you are working to secure your IT against cyber attack.
- attract new business with the promise you have cyber security measures in place.
- give a clear picture of your organisation’s cyber security level.
- grow business, as some Government contracts require Cyber Essentials certification.
Cyber Essentials (Basic)
The Cyber Essentials certification is a self-assessment questionnaire that helps organisations review and improve their cyber security posture.
The questionnaire covers five key areas of cyber security:
- firewalls
- secure configuration
- user access control
- malware protection
- patch management
Once you complete the Cyber Essentials questionnaire and submit your responses for review, if your answers meet the required standard, then you will receive a Cyber Essentials certification.
At this point, any organisation with a turnover of less than £20 million, that has included the whole organisation in the scope of their assessment, will get automatic cyber liability insurance valued at £25,000 provided by Sutcliffe & Co Insurance Brokers.
This is free of charge and would be used toward the cost of:
- technical incident response team to help identify the issue and restore systems and data.
- legal team who would deal with any litigation or regulatory issues, such as a breach of the Data Protection Act.
- crisis management and PR support to assist with communication management.
Your Cyber Essentials certification will last for 12 months, so you will need to repeat the process annually to retain the standard.
Cyber Essentials Plus
Cyber Essentials Plus is a more rigorous certification process, which involves an external party conducting an assessment of your cyber security posture.
In addition to the self-assessment questionnaire, a certified assessor will perform vulnerability scans and simulated attacks on your organisation’s systems to identify any potential weaknesses. The assessor will then provide a report with recommendations for improvement, and your organisation will receive a Cyber Essentials Plus certification if it meets the required standard.
This is conducted by a certification body that has been approved by IASME and demonstrates that your organisation’s cyber security measures are not just theoretical or paper-based, but are actually implemented and functioning correctly, and can stand up to a real-world attack.
Companies working toward Cyber Essentials Plus must have completed their self-assessment questionnaire within the three months prior to applying.
Just as with Cyber Essentials, certification is valid for 12 months.
How much does Cyber Essentials cost?
The Cyber Essentials self-assessment questionnaire may be downloaded at any point free of charge.
The pricing for Cyber Essentials certification starts at £300 (excl VAT) for micro-sized organisations, with the cost increasing on a sliding scale, based on company size, to reflect the complexity involved in assessing larger organisations:
- Micro organisations (0-9 employees): £300 + VAT
- Small organisations (10-49 employees): £400 + VAT
- Medium organisations (50-249 employees): £450 + VAT
- Large organisations (250+ employees): £500 + VAT
Because the Cyber Essentials Plus assessment involves technical experts, there is no standard pricing; instead, it is quoted on an individual basis. Businesses can only charge the assessment rate set by IASME and the UK Government for the certification aspect; however, the time taken to conduct the assessment and the supporting consultancy can vary in price.
If you are looking to secure your organisation and want advice from our team of experts, get in touch and we can provide guidance on the appropriate steps to take. Our team are certified Cyber Essentials & Cyber Essentials Plus assessors and hold the Cyber Advisor (Cyber Essentials) qualification to demonstrate our commitment to providing appropriate and valuable advice.