Cyber Essentials is a body of standards and assessments encouraging cybersecurity's best practices for the UK companies. It guides businesses as they implement technical and administrative controls. And it provides a baseline certification demonstrating the companies take security seriously.
There are two Cyber Essentials certification tiers, with different levels of assessment depth:
Cyber Essentials provides a grounding in cybersecurity basics via self-assessment exercises. This tier introduces core cybersecurity principles and is a springboard for extra measures.
Cyber Essentials Plus includes on-site auditing of cybersecurity systems by outside experts. It comprehensively assesses the security posture of an organization.
This article will introduce the Cyber Essentials certification. We will learn about the benefits of certification and the five focus areas of cybersecurity. We will finish with a quick Cyber Essentials checklist to follow as you prepare to complete the self-assessment exercise.
Cyber Essentials is a security framework that explains basic cybersecurity controls. Compliance contributes to a stronger security posture. It allows organizations to participate in sensitive government contracts. And compliance builds trust between companies and customers.
Cyber Essentials is designed to combat the most common cyber attacks. It provides a robust foundation for securing network assets.
Certification costs vary depending on the assessment type and organization's size. Components include self-assessments and external audits.
There are five core pillars of the Cyber Essentials assessment, and these pillars cover critical cybersecurity concerns. Recent updates have added extra criteria, bringing the regulations up to date.
Follow our Cyber Essentials checklist as you complete the self-assessment. This sets out basic Cyber Essentials requirements and guides companies on the road to compliance.
What is a Cyber Essential certification?
Cyber Essentials is a cybersecurity certification scheme introduced by the UK government in 2014. Managed by the National Cybersecurity Centre (NCSC), it protects businesses and other organizations against common digital attacks. It does so via cost-effective and flexible assessment exercises.
Cyber Essentials certification benefits
Cyber Essentials accreditation is optional. However, certification has a range of benefits that companies should consider.
Compliant companies show customers or partners that they take cybersecurity seriously. This should attract more business and improve the organization’s reputation.
Supply chain security
Certified companies also appear on the UK’s NCSC Database. Business partners can be confident that listed organizations are responsible and safe. This is a huge benefit in a world of constant data breaches.
Reduced risk of cyber attacks
Accredited organizations are protected against 80-85% of known cyber attacks. This reduces the risk of malware infections and data leaks.
Cyber Essentials helps organizations to understand and simplify their security systems. The organization will know its security level. IT teams will find it easier to manage security in the future.
Certification is not legally required. However, some UK government contracts demand Cyber Essentials compliance. Certification aligns corporate processes with data security regulations.
Does your business need Cyber Essentials?
Cyber Essentials are a starting point for organizations lacking effective controls. Certification provides solid protection against generic attacks and well-known threats.
NCSC certification enables companies to reshape their security systems to meet baseline standards without investing huge sums of money. So, it makes sense to add Cyber Essentials to your regulatory planning.
5 security controls of Cyber Essentials
The Cyber Essentials certification system covers five core requirements for IT infrastructure:
Firewalls. Block unauthorized access from outside the company’s network. Firewalls should be securely configured, avoiding default passwords.
Secure configuration. IT systems and apps must be configured as securely as possible while meeting business needs.
Access control systems. Systems should deny access to unauthorized users. Users should have sufficient access to carry out business functions. But they should not be free to roam across the network. There should be no unauthenticated inbound connections.
Malware prevention. Threat detection tools should identify cyber threats and use sandboxing to neutralize attacks. Allow listing tools should specify approved applications that can execute code on company devices.
Security update management. Devices and applications must be updated to the newest version. Organizations should manage updates centrally and ensure that no services fall through the net.
Cyber Essentials certificate costs
Certification costs for a Cyber Essentials verified self-assessment are as follows:
Micro-organizations (fewer than 10 employees) - £300 + VAT
Small organizations (10-49 employees) - £400 + VAT
Medium-sized organizations (50-249 employees) - £450 + VAT
Large organizations (250+ employees) - £500 + VAT
Costs for Cyber Essentials Plus vary depending on the scope of the verification audit. But this table above gives an idea of average costs:
Micro-organizations (fewer than 10 employees) - £1,650 + VAT
Small organizations (10-49 employees) - £2,250 + VAT
Medium-sized organizations (50-249 employees) - £3,250 + VAT
Large organizations (250+ employees) - £4,250 + VAT
Recent changes in the Cyber Essentials certification system
Cyber Essentials assessments change as new threats and technologies emerge. In 2022, NCSC introduced new certification areas. This reflected technological developments and changes in work patterns following the COVID-19 pandemic. New themes include:
Organizations are responsible for implementing Cyber Essentials criteria on cloud platforms. This includes Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS).
Certified organizations must put in place multi-factor authentication (MFA). MFA applies for admin accounts. It also applies to users connecting to cloud assets.
Work-from-home devices are within the Cyber Essentials scope. Assessments recommend using business VPNs to secure remote connections.
Tablets and smartphones are part of the Cyber Essentials assessment. Users must apply secure authentication controls for phones and other work devices.
All in-scope software must be supported. Processes should remove unsupported apps or operating systems. Or they should separate unsupported assets from internet connections.
Separation of duties should apply. Administrative accounts should be separated from ordinary work accounts.
In 2023, NCSC published version 3.1 of the Cyber Essentials questions. This involves more than a change of wording. Key changes include:
More information about the use of firmware on IT hardware.
Asset management is listed as a critical security priority
Bring-Your-Own-Device (BYOD) guidance assists companies that rely on hybrid work.
Devices loaned by organizations to third parties are now in scope.
Locked vendor defaults are now allowable.
Guidance provides a route map to achieve Zero Trust Network Architecture.
New recommendations also add clarity about the capabilities of anti-malware tools. These tools should:
Stop all malware from executing code
Be regularly updated to meet vendor recommendations
Prevent connections to dangerous websites
Screen network activity to allow only approved applications.
Block installation of unsigned applications.
What do the changes mean for your company?
The changes listed above are significant. But they do not revolutionize the Cyber Essentials system. The price of certification has risen slightly. However, certification is still relatively affordable.
The main change is that customers benefit from a more comprehensive assessment process. Updated Cyber Essentials qualifications cover cloud computing, working from home, and other critical security issues.
The phrasing of questions may be unfamiliar to organizations that have already achieved certification. But you can discuss any issues with auditors from NCSC or Information Assurance for Small and Medium Enterprises (IASME). And NordLayer's team is also happy to help.
How to prepare for the certification
The place to start when preparing for a Cyber Essential certification is the NCSC database. Check out the IASME readiness toolkit. And read through documents about version 3.1 of the Cyber Essentials standards. This should be the ideal preparation for diving into the self-assessment process.
Introducing the Cyber Essentials Self-Assessment Certification
The Cyber Essentials self-assessment questionnaire (SAQ) includes questions about the five core sections of the Cyber Essentials assessment. The SAQ confirms that your company complies with NCSC standards. And it requires to sign-off at the board or executive level.
Use the SAQ as a tool to understand and improve your cybersecurity measures. If you have any worries beforehand, IASME’s “Cyber Essentials Self-Assessment Preparation Booklet” is a great resource. Read it and keep the guide available as you complete each area of the SAQ.
Cyber Essentials checklist of requirements
Use this Cyber Essentials checklist to prepare for the Cyber Essentials self-assessment.
Set up all internet-facing devices securely. Configure firewalls and routers to protect against external threats.
Change default passwords for firewalls.
Only open necessary ports and services.
Use allowlisting to grant access to approved IP addresses. Block unauthenticated inbound connections.
Separate firewall admin interfaces from the public internet.
Create and update an inventory of all devices and applications
Delete unnecessary software
Each device should have a secure configuration. Enforce strong passwords. Change default passwords for all network devices.
Ensure users cannot access any systems without authentication.
Create policies to approve all new user accounts
Remove unnecessary accounts
Implement password management to enforce strong passwords
Protect privileged admin accounts with extra security measures
Separate admin accounts from standard user accounts
Require MFA for all network logins, including cloud platforms
Update malware protection tools every day (or as often as possible).
Automatically scan web pages and emails. Block suspicious websites by default.
Review application allowlists regularly.
Put in place measures to stop users from installing unapproved software.
Use sandboxing to isolate malicious code during cyber attacks.
Make sure sandboxes are separated from each other.
Ensure malware protection extends to Internet-of-Things (IoT) devices
Security update management
Only operate licensed applications
Check that the software is supported. Remove all unsupported applications.
Automate security updates where possible.
Update software, device firmware, and operating systems.
Set a two-week target for applying patches when the Common Vulnerability Scoring System (CVSS) value exceeds 7.
Taking the next stop: Cyber Essentials Plus
After completing the Cyber Essentials SAQ, you can apply for Cyber Essentials Plus. You have a period of 2 months to apply for Plus certification. Companies that miss the deadline must submit and purchase another SAQ.
Cyber Essentials Plus goes much further than the self-assessment exercise. Companies must bring in external auditors from IASME. Auditors assess security controls and verify that they meet NCSC standards. For instance, auditors will assess security issues like workstation builds and mobile device security.
The idea behind Cyber Essentials Plus is to provide a “hands-on” technical assessment. Assessors investigate network architecture and policies in great detail. This results in a stronger certification of cybersecurity compliance than the basic SAQ. But it comes with a much higher cost.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Based on a self-assessment questionnaire with external verification
Relatively basic, focused on external vulnerabilities
Can be completed in 1-2 days
Maximum cost £500
Cyber Essentials Plus
Requires external auditing after submitting an SAQ
Comprehensive. Includes internal vulnerabilities, mobile devices, malware exposure, and workstation build security.
Audits can take 1-2 weeks
Maximum cost £4,250
Do you need Cyber Essentials Plus if you have Cyber Essentials?
Cyber Essentials Plus assures outsiders that your organization meets cybersecurity compliance standards. External audits deal with vulnerabilities in granular detail. So if you deal with sensitive data or plan to bid for government contracts, the extra expense makes sense.
Otherwise, organizations do not need to apply for a Plus certificate. The self-assessment process is less time-consuming and cheaper. It allows you to implement security controls and update internal policies. And you can choose to upgrade certification later if required.
Additional requirements for Cyber Essentials Plus certification
The Cyber Essentials Plus certification requirements are very similar to the basic SAQ. However, the process is slightly different.
Firstly, you must submit a completed SAQ and receive verification.
After verifying the SAQ, you must apply online for Cyber Essentials Plus. This part of the application requires you to submit technical information so that experts can assess the application. Experts determine whether a Plus-level exercise is applicable. If so, they prepare an audit plan.
Auditors schedule a comprehensive security assessment. In-depth assessments include:
Vulnerability scans detect software without the latest security updates.
Scans to assess internet gateways, user devices, and other internet-facing devices.
Internal scans that check for insecure configurations.
Your company will receive Cyber Essentials Plus certification if you pass these scans successfully. However, this certification is not permanent. You will need to renew the certificate annually to ensure continuing accreditation.
Tips for successful Cyber Essentials implementation
All businesses should be able to achieve certification. However, compliance requires preparation and planning. Here are some things to remember while working towards a Cyber Essentials certification.
Give yourself time to make security improvements
After completing the SAQ, you have three months to start a Cyber Essentials Plus certification. Set aside at least two months beforehand to check for vulnerabilities.
Use NCSC resources to understand requirements
Spend a day or two reading through the documentation on the NCSC compliance database. You can find everything you need here. Use the readiness tool to verify your knowledge before starting the SAQ.
Bring executives on board
The SAQ requires board-level sign-off. But it’s a good idea to bring in senior executives when starting the assessment process. This helps IT teams secure the resources they need. It also makes it easier to share information between departments.
Plan for continuous compliance
NCSC certification lasts for one year. After that, you will need to apply for a fresh certificate. Don’t re-start the process every year. Create processes that constantly detect vulnerabilities and address threats. Carry out regular audits. And stay aware of security performance with centralized admin tools.
Common pitfalls and how to avoid them
There are various ways to fail Cyber Essentials assessments. Good planning ensures they won’t apply to your organization. For instance, common pitfalls include:
Failure to patch third-party apps. Make sure you update apps from third-party suppliers. Inventory all tools used on your network, including cloud integrations and create an allowed list of signed apps. Add each app to your update schedule. Leverage automated updates if possible, and audit patch management regularly.
Admin account violations. Users should never use administrative accounts day-to-day. Separate admin functions from ordinary user accounts. Add extra authentication for admin accounts. Track user activity to ensure employees only use these accounts for administrative functions.
Unsupported apps. Operating systems and apps must have vendor support. However, companies may use outdated versions without realizing it. The same applies to mobile devices. For instance, out-of-date iPhones pose a major vulnerability.
Endpoints lacking firewall protection. Firewalls must protect all endpoints. But loose BYOD or remote work policies can add unprotected devices. Check all devices and enforce access controls for every endpoint facing the public internet.
Leveraging expertise: when to seek help
Companies lacking cybersecurity expertise may wonder how to meet the requirements of Cyber Essentials assessments. Relying on internal employees is one option, but staff may need to learn new skills. And they may make mistakes when completing the SAQ.
If you have any doubts about your cybersecurity capabilities, it makes sense to enlist outside experts. They will assess your security posture and recommend ways to align security controls with the NCSC standards.
Achieving Plus certification is crucial for many companies, but compliance is a technical challenge, and sometimes outside expertise is essential.
Learn how NordLayer can assist you with Cyber Essentials certification
NordLayer’s cybersecurity solutions are ideally suited to the Cyber Essentials process. Our products contribute in all five core areas:
MFA excludes unauthorized users and adds extra safeguards for administrative accounts. NordLayer works with major authentication providers, making it easy to transition from legacy systems. Admins can manually provision new users or automate access functions if desired. They can toggle admin privileges via a central panel that provides total visibility.
NordLayer’s firewall tools block unauthorized traffic and enable network segmentation on a very granular level. Allowlisting admits approved IP addresses for admin functions and SaaS services.
Threatblock and DNS filtering block access to suspicious websites, limiting the risk of phishing attacks. Remote Access Virtual Private Networks (VPNs) encrypt data, making work-from-home setups more secure.
NordLayer’s security tools require strong passwords. Deep Packet Inspection (DPI) blocks unsafe apps. Users are automatically locked out of network assets after unsuccessful log-ins.
Security update management
Users can turn on auto-updates to keep their NordLayer software up-to-date. Device Posture Security ensures that all devices must use the latest NordLayer version.
NordLayer helps you address the five core parts of the Cyber Essentials process. You will still need robust malware protection, patch management systems, and password policies. But with NordLayer’s help, you can simplify the compliance challenge.
Contact NordLayer today and use our streamlined technical solutions to meet Cyber Essentials standards.