What is it?
The Cyber Essentials scheme is the UK cyber security standard developed by NCSC (National Cyber Security Centre - a subsidiary of GCHQ), which organisations can be assessed and certified against. It identifies the security controls that an organisation must have in place within their IT systems in order to have confidence that they are addressing cyber security effectively and mitigating the risk from Internet-based threats.
Why do you need it?
You may have been asked by your clients, or your bank, insurance company, suppliers, trustees, local government (e.g. for a tender or pre-qualification request) to obtain this (now almost pre-requisite) accreditation in order to do business or achieve compliance with them.
Which version do you need?
You need to know if they want you to achieve Cyber Essentials in its basic form or the ‘verified’ Cyber Essentials 'Plus'. Most organisations now want their suppliers to have the latter. You can actually do the basic one yourself online, but because it’s not ‘verified’, it is of little comfort to the people who want to know you take your cyber security seriously. It basically says: "I'm starting to make provision for improving my cyber security".
Where do I get it from?
Hold on! Before you go off and tell your IT supplier or internal IT department to "Get us certified!", a note of warning. Most IT providers are not ‘Certifying Bodies’ for Cyber Essentials basic or Plus, they have to go to somebody else (like us!) to do this for you and they also tend to approach it from a very ‘techie’ perspective, when it is actually more of a policy and standards approach. The IT elements come later – as a direct result of the information security policy and security controls written specifically for YOUR business objectives and not an ‘applies to everyone’- 'off the shelf' software solution.
What should I do first?
1. Get Cyber Essentials from a Certifying Body for around £299+Vat.
Then what should I do?
2. Plan on how to get Cyber Essentials Plus. It's going to cost you around £3K - £5K
We have found that rather than ‘be assessed’ and then inevitably ‘fail’ – by the way, most people do not pass first time; it is usually better to have a ‘pre-assessment’, which tells you what you need to put in place in order to ‘pass’ when the actual accreditation assessment is conducted. This is less expensive and the report gives you both the executive-level clarity of what is required, as well as the actual technical instructions to pass onto your IT guys - telling them what gaps they need to fill. This way you also 'stay in control', rather than it becoming the preserve of the IT guys. Again, you need to find a Certifying Body to start the process and also worth noting is that you need to do these accreditations 'in order'. i.e. you can't go straight to Cyber Essentials Plus.
Still have unanswered questions? Check out our Ultimate Guide to Cyber Essentials which will answer every question you've ever had around Cyber Essentials.