Launched in 2014, Cyber Essentials is a scheme designed to help businesses reinforce their cyber defences and display their commitment to online security. Implemented by the National Cyber Security Centre and backed by the government, the scheme has been designed to help businesses of all sizes protect themselves from the most widespread cyber threats through the implementation of 5 key technical controls. It’s a certification scheme, offering 2 tiers of certification that businesses can use to prove to customers, suppliers and partners alike that they take cybersecurity seriously.
These 2 tiers are:
- Cyber Essentials
- Cyber Essentials Plus
The Business Benefits of being Cyber Essentials certified
You’ll be protected against the majority of online threats
The Cyber Essentials scheme doesn’t promise to make your business impenetrable to cybercriminals, but successful implementation of the 5 controls will help guard against roughly 80-90% of online threats. The scheme provides a solid base upon which you can construct more sophisticated defences.
You’ll be able to bid for more government contracts
A wide range of government contracts require bidding companies to hold Cyber Essentials certification. This is the case for all contracts involving the handling of sensitive information such as health records, confidential technical information or data pertaining to military activities. Some contracts require Cyber Essentials Plus accreditation; this is the case for many MOD (Ministry of Defence) contracts, where high levels of risk demand extra cybersecurity assurances.
It will help you meet your GDPR obligations
GDPR’s ‘security principle’ states that personal data should be: “Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. Cyber Essentials will help ensure that you have the appropriate ‘technical or organisational measures’ in place to protect the sensitive data that your business holds. While there is a lot more to GDPR than the statement above, the 5 controls of Cyber Essentials will at least help you satisfy the data security aspect of this important body of legislation.
Certification inspires confidence
Upon completion of the certification process, you’ll be permitted to display a Cyber Essentials badge wherever you choose for one year after certification. This badge will distinguish your business as one that cares about online security, which will reassure your customers, suppliers and partners that their data is safe in your hands.
You could see a significant return on investment
There are costs associated with Cyber Essentials certification (which we’ll explore in a moment), but these costs are modest compared to the financial penalties that could result from a cyber attack, with the average breach costing SMEs £6500. Accredited firms also benefit from ‘Cyber Liability Insurance’. Available to firms with an annual turnover of less than £20m, it gives you £25,000 worth of cover against cyber attacks. Your Cyber Essentials certificate will also prove attractive to potential customers concerned about the security of their data, possibly resulting in new revenue streams for your business.
The Assessment process – what will happen?
The assessment process will differ depending on the level of certification you’re seeking to achieve. Both tiers offer certificates valid for one year.
Cyber Essentials
Price (indicative): £300 (plus VAT)
The basic level of accreditation involves the successful completion of a self-assessment questionnaire carried out via an online portal. Following the initial purchase, you will have 3 months to complete the questionnaire and submit it for approval by the certification body. This gives you time to implement the technical security measures required by the scheme; once the appropriate measures are in place, you’ll only need a couple of hours to complete the questionnaire itself. After you submit the assessment, grading will be carried out by an external certification body. If your submission doesn’t meet the required standard, you’ll get one chance, within a time limit of three days, to implement the required changes and resubmit. Further failure will require you to restart the process, so it’s best to strive to achieve success on your first submission.
Cyber Essentials Plus
Price (indicative): £1999-£2199 (plus VAT)
To achieve Cyber Essentials Plus accreditation you’ll have to deploy the same measures required to achieve the basic level of certification; the main difference with ‘Plus’ is that your business’ cyber defences will also be subject to on-premise assessment by a qualified technical assessor. ‘Plus’ also requires the successful completion of the Cyber Essentials self-assessment within the previous 3 months. The on-premise technical audit is simply to ensure that the answers you’ve submitted in the self-assessment accurately reflect the technical controls implemented. Similar to the self-assessment, failing the audit results in just one chance to make the required changes, and should you fail the audit process a second time you’ll have to restart the process from the beginning. Due to the costs involved, it’s wise to approach the technical audit with confidence. If you don’t have extensive technical expertise in-house, it might be a good idea to seek consultancy services to prepare you for the process and to guide you through the deployment of the measures required.
The 5 Controls
Now that we’ve explored the benefits of certification, the levels of certification on offer and the processes involved, let’s take a look at the 5 technical controls businesses are required to implement. These technical controls (known as the 5 controls) are the mandatory components necessary to achieve Cyber Essentials accreditation. Failure to put these controls in place will result in assessment failure, so it’s important to become familiar with the requirements before starting the process.
The 5 controls are:
- Firewalls
- Secure configuration
- Access controls
- Anti-malware measures
- Ensuring proper system maintenance
In the following blogs, we shall examine each of the 5 controls in greater detail, with the aim of giving you an understanding of what’s required so that you can tackle the Cyber Essentials certification process with confidence.
We’re 1-fix, we can help you secure your business
At 1-fix, we take a realistic approach to technology – ensuring our clients’ systems are best protected.
If you have any concerns, questions or simply want to explore how to better secure your business, please do get in touch with the team for a FREE demonstration, consultation to explore how exposed your business might be and identify actions to take. If you have any questions, concerns or would like to discuss how we might help you with your regulatory challenges, we’d love to chat. Please click the banner below to book a call, or contact us straight away on 0118 926 0084 or by email to
Thank you for reading.