Cyber security is the means by which individuals and organisations reduce the risk of becoming victims of cyber-attack.
Cyber security's core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access - both online and at work - from theft or damage. It is also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.
Cyber security is important because smartphones, computers and the internet are now a fundamental part of modern life; it is difficult to imagine how we would function without them. It is more important than ever to take steps that can prevent cyber criminals getting hold of our accounts, data, and devices.
Cyber Essentials is a Government-backed scheme that will help you to protect your organisation against a whole range of the most common cyber-attacks. These include phishing attacks, malware, ransomware, password guessing and network attacks.
Cyber-attacks can affect businesses of any size in a variety of ways and with varying impacts, some being catastrophic and costly and eventually leading to the closure of the business. Attacks can be small or large, but the vast majority are very basic and carried out by relatively unskilled individuals. They are the digital equivalent of a thief trying your front door to see if it is unlocked. Cyber Essentials is designed to help you prevent these attacks.
With over 80% of UK businesses vulnerable to avoidable security threats, the Cyber Essentials framework has been designed as a strong security baseline for every business in
There are two levels of certification, Cyber Essentials and Cyber Essentials Plus, depending on your organisation’s needs.
Businesses of all shapes and sizes use Cyber Essentials to help protect their IT from attack. Cyber Essentials can help to keep the devices and data you rely on safe.
Not everyone has a dedicated IT department, or an in-depth knowledge of cyber security. Cyber Essentials has been designed to be flexible, considering all types and sizes of organisation.
This self-assessment option gives you protection against a wide variety of the most common cyber-attacks. This is important because vulnerability to simple attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others.
Certification will reassure current and potential customers that you take cyber security seriously.
Certification gives you peace of mind that your defences will protect against the vast majority of common cyber-attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place. This gives the added assurance to your customers that:
· You have demonstrated that you have undertaken essential precautions in minimising cyber risk
· Attract new business as you can demonstrate you take cyber security seriously and have measures in place
· Satisfy customers’, suppliers’, insurers’ and industry regulators’ requirements
· Give assurance that the security of your IT systems and networks can protect the data that you hold about them
· Show that you have a clear focus of your organisation’s cyber security level
· Satisfy tender requirements that require Cyber Essentials such as government contracts.
· Listed on the NCSC directory of Cyber Essentials holders
· Includes £25K free Cyber security insurance (terms apply)
· Cyber Essentials Plus – gives you assurances that what you are doing is working.
If you would like to bid for central government contracts which involve handling sensitive and personal information or the provision of certain technical products and services, you will require Cyber Essentials Certification.
Cyber Essentials looks at five simple technical controls, which means it is easy to achieve Cyber Essentials certification. Organisations assess themselves against these controls and a qualified assessor verifies the information provided. These controls include:
You can download a copy of the self-assessment here. Please note you cannot submit this application form for verification; you will need to complete the online form.
Cyber Essentials Plus involves a technical audit of the systems that are in-scope for Cyber Essentials. This includes: a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. The assessor will test a suitable random sample of these systems (typically around 10 per cent) and then decide whether further testing is required.
The assessor will need to visit your head office and a representative sample of your other offices in order to carry out the tests. The quantity of other offices visited depends on the complexity of your organisation – in a multinational organisation the assessor may need to visit several countries. Some tests may be carried out remotely provided that the agreed on-site visits have been carried out.
Both schemes consist of the same core cyber security assurance activities. The Cyber Essentials Plus assessment includes additional checks that give a deeper and more accurate picture of an organisation’s cyber security status, providing enhanced certification and greater peace of mind.
Yes, you will need to complete the Cyber Essentials basic online assessment as part of your Cyber Essentials Plus assessment.
Yes. Cyber Essentials focusses on fundamental IT controls, whereas ISO 27001 is a management systems certification looking at your systems and controls, incorporating policies and procedures. As ISO 27001 is much more involved, you’ll find it easier to obtain Cyber Essentials/Cyber Essentials Plus certification if you’re already ISO 27001 compliant.
We recommend achieving Cyber Essentials in addition to ISO 27001, as they complement each other and demonstrate your commitment to good security practices, systems and controls. Having both gives you a business advantage, making you more attractive to work with than other businesses.
If you are not already ISO 27001 certified and would like to find out more, contact our Business Development Team at sales@centreforassessment.co.uk or on 0161 237 4080.
The NCSC’s aim is for Cyber Essentials to be affordable for all types and sizes of businesses; therefore the cost has been kept to a minimum.
Centre for Assessment offers three levels of assessment and certification for the Cyber Essentials scheme. Each assessment type offers different benefits and is applicable to a wide range of companies and industries.
Cyber Essentials Basic:
Cyber Essentials Basic is a self-assessment driven scheme, whereby applicants review their IT infrastructure via an online application document. Once completed, this is then reviewed by a technical expert; if the standard is met, certification is awarded. This scheme is recommended for businesses looking for entry-level cyber protection compliance. Cost: £300.00 + VAT
Cyber Essentials Plus:
Cyber Essentials Plus offers a much more comprehensive assessment, whereby applicants complete a more in-depth application document, which assesses IT infrastructure in greater detail. This assessment type also involves penetration testing, mobile device testing and on-site assessment by an IASME registered auditor, who will access the required networks and test for any weaknesses or vulnerabilities that may not have been previously found. Cost: £POA + VAT
Cyber Essentials Plus EXTRA:
Centre for Assessment are pleased to offer our newest Cyber Essentials Plus EXTRA scheme. The new EXTRA scheme covers all the important details of both the Basic and Plus levels of assessment, and also includes a full pre-assessment evaluation of client systems, which is then fully reported on. We then work with clients to help improve and manage systems based on the findings of the pre-assessment and help to ensure that any issues are rectified. Once satisfied, you would then be assessed under the scheme rules, following the same process as Cyber Essentials PLUS. This is recommended for companies that are looking to ensure that they meet the standard with as much support and information as available. Cost: £3,250.00 + VAT
For more information contact Centre for Assessment Ltd on 0161 237 4080 or enquiries@centreforassessment.co.uk
The process of applying for Cyber Essentials Certification is very easy and simple:
The process is the same as how to apply and get certified. However, the questions remain the same as last year and therefore will be the same in areas that have not changed. You will need to review your previous answers and update with any changes.
The IASME Consortium have been selected to work in partnership with the National Cyber Security Centre (NCSC) to deliver the Cyber Essentials scheme.
The NCSC previously worked with 5 accreditation bodies and undertook a tender process in 2019 to reduce this down to 1 accreditation body whom they would work with to improve the scheme and ensure a consistent approach.
IASME do not carry out the actual verification/assessments; this is done by their selected certification bodies. Centre for Assessment Ltd is a Cyber Essentials assessment body.
IASME manages the portal that all online assessments are carried out through. Automated emails from the portal will come from IASME and not the certification body, so you will need to ensure that your IT email system recognises IASME emails.
The certificate is valid for 12 months and will expire on the expiry date. You will need to ensure that you reapply and pass your renewal before the expiry date.
You will need to clearly define the boundary of the scope that is being covered in your application. The boundary of the scope must be defined in terms of the business unit managing it, the network boundary and the physical location. It is strongly recommended that you include all your IT infrastructure to gain the best protection.
Further information is available on the NCSC website.
You will need to get nearly all the questions right (compliant) to pass the Cyber Essentials assessment. You do need to be controlling all these aspects of your system to be certified. These very strict pass criteria are set by the UK Government.
If you are not compliant in some of the questions, we suggest you try to change your processes to meet the requirement, and certainly add notes to explain why you are not compliant in this aspect and how else you control that risk.
You will get a PDF of all the answers you gave and comments from the assessor against any that were considered non-compliant.
If you fail, you will be allowed two working days to examine the feedback from the assessor and change any simple issues with your network and policies. You can then update your answers and the assessor will have another look without any extra charges. However, if you still fail after these two days, you will have to reapply and pay the assessment fee again.
Please note that any company using unsupported software in the scope of the assessment, such as Microsoft XP, will probably fail to achieve Cyber Essentials certification.
If you fail the assessment the feedback you receive should help you improve your security so you can pass in the future.
A mobile number is required in order to receive a passcode. This is needed when you first log in and at random intervals on login during completion of your application. This is part of ensuring that all your data and information is secure.
If you forget your password or it does not work, we suggest you reset it by clicking on the reset password option on the login page. Please note all passwords are case sensitive.
Please ensure that you have paid your invoice; login details will only be sent once payment has been received.
If you have paid, then please check your junk folder or ask your IT department to check if the email has been blocked. Please note it will come from IASME.
Please contact the office on 0161 234 4080 if you need assistance
Once you receive your login details and start your application, it will remain live for 6 months. After this time, you will be required to start the process again, which will involve applying and paying again.
Once you have paid and completed your application form you can get certified within 1-3 working days. This only applies if you pass on your first submission.
If you do have a deadline date, please ensure that you inform us of this.