Cyber Essentials is a Government scheme that helps organisations to guard against the most common cyber threats from the internet and demonstrate commitment to cyber security.
It covers five main technical controls which will protect companies against an estimated 80% of common internet threats. The controls are:
- Secure your Internet connection (Firewalls and routers)
- Secure your devices and software (Secure configuration)
- Control access to your data and services (Access control)
- Protect from viruses and other malware (Malware protection)
- Keep your devices and software up to date (Software updates)
IASME Governance certification is aligned to the Government’s Ten Steps to Cyber Security and includes Cyber Essentials certification as well as controls around people and processes. It also covers the General Data Protection Regulation (GDPR) requirements. IASME Governance is aligned to a similar set of controls to ISO 27001 but is more affordable and achievable for small and medium sized organisations to implement.
There are 2 levels of certification within each standard:
Cyber Essentials: An entry level, independently verified self assessment. Organisations assess themselves against five basic security controls and a qualified assessor verifies the information provided.
Cyber Essentials Plus: A technical audit of your systems. A qualified assessor examines the same five controls, testing that they work through a technical audit.
IASME: Self assessed and independently verified standard. Based on international best practice, IASME Governance is risk based and includes key aspects of security such as incident response, staff training, planning and operations.
IASME Audited: The highest level of security standard, IASME Governance Audited (sometimes known as IASME Gold) is an independent on-site audit of the level of information security provided by your organisation.
You can download the requirements from the UK Government website here.
You need to get nearly all the questions right (compliant) to pass the Cyber Essentials assessment. You do need to be controlling all these aspects of your system to be certified. This very strict pass criteria is set by the UK Government. If you are not compliant in some of the questions we suggest you try and change your processes to meet the requirement and certainly add notes to explain why you are not compliant in this aspect and how else you control that risk.
If you have any questions about how to meet the Cyber Essentials or IASME Governance requirements, please contact our assessor who will be happy to discuss these with you.
The basic level assessment of Cyber Essentials only requires a self-assessment. No additional vulnerability scan, test or third-party verification is needed. However, one of your Board members will have to sign a declaration that all the answers you have entered are true.
Cyber Essentials Plus involves a technical audit of the systems that are in-scope for Cyber Essentials. This includes: a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. Our assessor will test a suitable random sample of these systems (typically around 10 per cent) and then make a decision whether further testing is required.
The Cyber Essentials question set is part of the Cyber Essentials Plus certification process. If you have achieved the basic level Cyber Essentials certification less than 3 months before certifying to Cyber Essentials Plus you will not need to repeat the self-assessment questions stage.
All audits are being run remotely at the moment and so there is no need for the assessor to visit your organisation.
The full test specification which all the Accreditation Bodies work to can be downloaded from the NCSC website.
No, Cyber Essentials Plus is an audited level of the Cyber Essentials assessment, testing the 5 Cyber Essentials controls only. IASME Governance Audited (sometimes known as IASME Gold) is an independent on-site audit of the level of information security provided by your organisation, against the IASME Governance standard. It is aligned to a similar set of controls to ISO 27001 but is more affordable and achievable for small and medium sized organisations to implement. The standard includes GDPR requirements and adds additional topics that mostly relate to people and processes. These include services which we are able to support:
- Risk assessment and management
- Training and managing people
- Change management
- Incident response and business continuity
We would normally require the Cyber Essentials and IASME Governance to be assessed at the same time, but they can be done separately provided that the IASME Governance is completed within 6 months of the Cyber Essentials certification.
For more information on how IASME Governance maps to other industry standards please click here.
If you fail we allow you two working days to examine the feedback from our assessor and change any simple issues with your network and policies. You can then update your answers and our assessor will have another look without any extra charges. However, if you still fail after these two days you will have to reapply and pay the assessment fee again.
While every company will have its own motivation for becoming certified, the most common are:
- To reassure customers that their data is protected and you are proactively working to secure your IT against cyber attack.
- To attract new business with the promise you have cyber security measures in place.
- To meet the standards required to tender for public contracts.
- To provide your supply chain with confidence in your security standards.
- To build a clear picture of your organisation’s cyber security level.
- To mitigate the risk of a successful cyber attack and avoid financial and reputational damage.
- To fulfill legal obligations.
- As a prerequisite of a Cyber Insurance policy.
From start date to certification, the following timescales should be expected:
- Cyber Essentials = 10 to 21 days
- Cyber Essentials Plus = 21 days
- IASME = 28 days (assumes Cyber Essentials has been awarded)
- IASME Gold = 50 days (assumes Cyber Essentials Plus and IASME have been awarded)
We always do our best to get the Cyber Essentials assessment results back to you as quickly as possible. It usually takes us 1 – 3 working days from the time you submit your assessment. If you have a tight deadline please let us know and we can try to fast-track your assessment.
- CE, CE+ & IASME certificates are valid for 12 months.
- IASME Gold certificates are valid for 36 months.
None. Nominally, Cyber Essentials Plus and IASME Gold certification require on-site face-to-face visits. During the COVID-19 pandemic the National Cyber Security Centre has made special dispensation that these assessments can be carried out using remote tools.
- eLearning – our computer-based training covers core cyber security topics including phishing, malicious websites and social engineering. Our 7 online modules can be completed on any device and after successfully passing a short quiz each user receives a certificate of completion.
- Presentation – our Chief Security Officer can deliver team awareness sessions to help staff understand the threats that they are faced with on a daily basis and also how they can better protect themselves, both at home and in the workplace. This non-technical input will cover subjects including phishing emails, malicious software and password security.
- Phishing test – working in conjunction with your organisation we develop and distribute a bespoke phishing email to your staff. The purpose of this test is to determine how likely users are to click on a suspicious email and submit information. The results drive the development of further appropriate training to reduce the risk of this happening in a real attack situation.
The virtual and bespoke nature of our training, means that we can support companies all over the world.
- eLearning – there are 7 modules in total and each takes between 10-15 minutes to complete.
- Presentation – at the moment these are conducted virtually and take around 1 hour.
- Phishing test – the length of the test can be determined by your organisation, but you need to factor in holiday periods, weekends etc. Generally, it can be completed in 3-5 working days.
Yes. As a Cyber Essentials Plus Assessor, an IASME Gold Assessor and a Trusted Partner of the Scottish Business Resilience Centre, we have all the skills and qualifications required to support your application from initial conversation through to certification.
Yes. With 15 years’ experience of supporting our clients’ IT, we are well versed on what a secure infrastructure looks like. Through our dedicated cyber team and in-house qualified engineers, we are uniquely positioned to take your security to the max without involving any external parties. Read more about out IT Support services here.