Cyber Essentials is a body of standards and assessments encouraging cybersecurity's best practices for the UK companies. It guides businesses as they implement technical and administrative controls. And it provides a baseline certification demonstrating the companies take security seriously.
There are two Cyber Essentials certification tiers, with different levels of assessment depth:
This article will introduce the Cyber Essentials certification. We will learn about the benefits of certification and the five focus areas of cybersecurity. We will finish with a quick Cyber Essentials checklist to follow as you prepare to complete the self-assessment exercise.
Cyber Essentials is a cybersecurity certification scheme introduced by the UK government in 2014. Managed by the National Cybersecurity Centre (NCSC), it protects businesses and other organizations against common digital attacks. It does so via cost-effective and flexible assessment exercises.
Cyber Essentials accreditation is optional. However, certification has a range of benefits that companies should consider.
Compliant companies show customers or partners that they take cybersecurity seriously. This should attract more business and improve the organization’s reputation.
Certified companies also appear on the UK’s NCSC Database. Business partners can be confident that listed organizations are responsible and safe. This is a huge benefit in a world of constant data breaches.
Accredited organizations are protected against 80-85% of known cyber attacks. This reduces the risk of malware infections and data leaks.
Cyber Essentials helps organizations to understand and simplify their security systems. The organization will know its security level. IT teams will find it easier to manage security in the future.
Certification is not legally required. However, some UK government contracts demand Cyber Essentials compliance. Certification aligns corporate processes with data security regulations.
Cyber Essentials are a starting point for organizations lacking effective controls. Certification provides solid protection against generic attacks and well-known threats.
NCSC certification enables companies to reshape their security systems to meet baseline standards without investing huge sums of money. So, it makes sense to add Cyber Essentials to your regulatory planning.
The Cyber Essentials certification system covers five core requirements for IT infrastructure:
Certification costs for a Cyber Essentials verified self-assessment are as follows:
Costs for Cyber Essentials Plus vary depending on the scope of the verification audit. But this table above gives an idea of average costs:
Cyber Essentials assessments change as new threats and technologies emerge. In 2022, NCSC introduced new certification areas. This reflected technological developments and changes in work patterns following the COVID-19 pandemic. New themes include:
Organizations are responsible for implementing Cyber Essentials criteria on cloud platforms. This includes Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS).
Certified organizations must put in place multi-factor authentication (MFA). MFA applies for admin accounts. It also applies to users connecting to cloud assets.
Work-from-home devices are within the Cyber Essentials scope. Assessments recommend using business VPNs to secure remote connections.
Tablets and smartphones are part of the Cyber Essentials assessment. Users must apply secure authentication controls for phones and other work devices.
All in-scope software must be supported. Processes should remove unsupported apps or operating systems. Or they should separate unsupported assets from internet connections.
Separation of duties should apply. Administrative accounts should be separated from ordinary work accounts.
In 2023, NCSC published version 3.1 of the Cyber Essentials questions. This involves more than a change of wording. Key changes include:
New recommendations also add clarity about the capabilities of anti-malware tools. These tools should:
The changes listed above are significant. But they do not revolutionize the Cyber Essentials system. The price of certification has risen slightly. However, certification is still relatively affordable.
The main change is that customers benefit from a more comprehensive assessment process. Updated Cyber Essentials qualifications cover cloud computing, working from home, and other critical security issues.
The phrasing of questions may be unfamiliar to organizations that have already achieved certification. But you can discuss any issues with auditors from NCSC or Information Assurance for Small and Medium Enterprises (IASME). And NordLayer's team is also happy to help.
The place to start when preparing for a Cyber Essential certification is the NCSC database. Check out the IASME readiness toolkit. And read through documents about version 3.1 of the Cyber Essentials standards. This should be the ideal preparation for diving into the self-assessment process.
The Cyber Essentials self-assessment questionnaire (SAQ) includes questions about the five core sections of the Cyber Essentials assessment. The SAQ confirms that your company complies with NCSC standards. And it requires to sign-off at the board or executive level.
Use the SAQ as a tool to understand and improve your cybersecurity measures. If you have any worries beforehand, IASME’s “Cyber Essentials Self-Assessment Preparation Booklet” is a great resource. Read it and keep the guide available as you complete each area of the SAQ.
Use this Cyber Essentials checklist to prepare for the Cyber Essentials self-assessment.
After completing the Cyber Essentials SAQ, you can apply for Cyber Essentials Plus. You have a period of 2 months to apply for Plus certification. Companies that miss the deadline must submit and purchase another SAQ.
Cyber Essentials Plus goes much further than the self-assessment exercise. Companies must bring in external auditors from IASME. Auditors assess security controls and verify that they meet NCSC standards. For instance, auditors will assess security issues like workstation builds and mobile device security.
The idea behind Cyber Essentials Plus is to provide a “hands-on” technical assessment. Assessors investigate network architecture and policies in great detail. This results in a stronger certification of cybersecurity compliance than the basic SAQ. But it comes with a much higher cost.
Cyber Essentials Plus assures outsiders that your organization meets cybersecurity compliance standards. External audits deal with vulnerabilities in granular detail. So if you deal with sensitive data or plan to bid for government contracts, the extra expense makes sense.
Otherwise, organizations do not need to apply for a Plus certificate. The self-assessment process is less time-consuming and cheaper. It allows you to implement security controls and update internal policies. And you can choose to upgrade certification later if required.
The Cyber Essentials Plus certification requirements are very similar to the basic SAQ. However, the process is slightly different.
Your company will receive Cyber Essentials Plus certification if you pass these scans successfully. However, this certification is not permanent. You will need to renew the certificate annually to ensure continuing accreditation.
All businesses should be able to achieve certification. However, compliance requires preparation and planning. Here are some things to remember while working towards a Cyber Essentials certification.
After completing the SAQ, you have three months to start a Cyber Essentials Plus certification. Set aside at least two months beforehand to check for vulnerabilities.
Spend a day or two reading through the documentation on the NCSC compliance database. You can find everything you need here. Use the readiness tool to verify your knowledge before starting the SAQ.
The SAQ requires board-level sign-off. But it’s a good idea to bring in senior executives when starting the assessment process. This helps IT teams secure the resources they need. It also makes it easier to share information between departments.
NCSC certification lasts for one year. After that, you will need to apply for a fresh certificate. Don’t re-start the process every year. Create processes that constantly detect vulnerabilities and address threats. Carry out regular audits. And stay aware of security performance with centralized admin tools.
There are various ways to fail Cyber Essentials assessments. Good planning ensures they won’t apply to your organization. For instance, common pitfalls include:
Companies lacking cybersecurity expertise may wonder how to meet the requirements of Cyber Essentials assessments. Relying on internal employees is one option, but staff may need to learn new skills. And they may make mistakes when completing the SAQ.
If you have any doubts about your cybersecurity capabilities, it makes sense to enlist outside experts. They will assess your security posture and recommend ways to align security controls with the NCSC standards.
Achieving Plus certification is crucial for many companies, but compliance is a technical challenge, and sometimes outside expertise is essential.
NordLayer’s cybersecurity solutions are ideally suited to the Cyber Essentials process. Our products contribute in all five core areas:
MFA excludes unauthorized users and adds extra safeguards for administrative accounts. NordLayer works with major authentication providers, making it easy to transition from legacy systems. Admins can manually provision new users or automate access functions if desired. They can toggle admin privileges via a central panel that provides total visibility.
NordLayer’s firewall tools block unauthorized traffic and enable network segmentation on a very granular level. Allowlisting admits approved IP addresses for admin functions and SaaS services.
Threatblock and DNS filtering block access to suspicious websites, limiting the risk of phishing attacks. Remote Access Virtual Private Networks (VPNs) encrypt data, making work-from-home setups more secure.
NordLayer’s security tools require strong passwords. Deep Packet Inspection (DPI) blocks unsafe apps. Users are automatically locked out of network assets after unsuccessful log-ins.
Users can turn on auto-updates to keep their NordLayer software up-to-date. Device Posture Security ensures that all devices must use the latest NordLayer version.
NordLayer helps you address the five core parts of the Cyber Essentials process. You will still need robust malware protection, patch management systems, and password policies. But with NordLayer’s help, you can simplify the compliance challenge.
Contact NordLayer today and use our streamlined technical solutions to meet Cyber Essentials standards.
Joanna Krysińska
Senior Copywriter
A writer, tech enthusiast, dog walker, and amateur pastry chef, Joanna grew up in a family of engineers and mathematicians, so a techy mind is in her genes. She loves making complex tech topics less complex and digestible. She also has a keen interest in the mechanics of cybercrime.
Subscribe to our blog updates for in-depth perspectives on cybersecurity.
