How to get Cyber Essentials Certification
What is Cyber Essentials Certification?
Originally launched in 2014, Cyber Essentials is a UK government-backed scheme aimed at providing basic cyber security for organisations of any size. A Cyber Essentials certification is designed to help protect against common cyber threats, such as hacking, phishing, and malware. By achieving Cyber Essentials certification, a company demonstrates that it has taken the necessary steps to protect its information and systems.
Overseen by the National Cyber Security Centre (NCSC),, the certification requires organisations to undergo a self-assessment questionnaire that covers five key technical controls: boundary firewalls, secure configuration, access control, malware protection, and security update management. The questionnaire is reviewed by an independent certification body, which verifies the organisation's responses and awards the certification if standards have been met.
Beyond simply providing a basic level of protection against cyber threats, Cyber Essentials certification can also help organisations to comply with industry regulations and standards. For example, companies that handle sensitive information, such as financial or personal data, may be required to demonstrate their cyber security measures as part of their regulatory obligations.
Furthermore, Cyber Essentials can also help organisations to improve their overall security posture by providing a framework for implementing and maintaining effective security measures. By undergoing the self-assessment process and achieving certification, organisations can identify any gaps in their existing security measures and take steps to address them.
How to get Cyber Essentials Certified
The process of Cyber Essentials certification can be broken down into the following steps:
1. Prepare for the certification process
Before starting the certification process, organisations should ensure that they have the necessary resources and systems in place to meet the requirements of the Cyber Essentials scheme. This may involve making changes to their existing security measures, such as updating software, patching vulnerabilities, and implementing appropriate access controls.
2. Self-assessment questionnaire
The first step towards Cyber Essentials certification is to complete the self-assessment questionnaire. Covering five areas of technical control (boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management), organisations are required to answer questions about their existing security measures and provide evidence to support their responses.
3. External assessment
After completing the self-assessment questionnaire, organisations must undergo an external assessment. An independent certification body will review responses and carry out a vulnerability scan to check the organisation's system. The certification body will then verify if the organisation has met the necessary standards and, depending on their evaluation, award the certification.
4. Implement recommended improvements
If the certification body identifies any weaknesses in the organisation's security measures, it will provide recommendations for improvement. Organisations must implement these recommendations within a set timeframe to maintain their Cyber Essentials certification.
5. Annual certification
Cyber Essentials certification must be renewed annually. Organisations must complete the self-assessment questionnaire and undergo a new external assessment each year to ensure that their security measures are up to date with any changes, and thus remain effective.
The Cyber Essentials certification process is designed to be straightforward and accessible, even for organisations with limited technical expertise. The self-assessment questionnaire provides a clear framework for organisations to assess their own security measures, while the external assessment provides an independent check and the assurance that the necessary standards have been met.
Cost of Cyber Essentials Certification
Becoming Cyber Essentials certified involves several costs, including the cost of preparing for the certification process, the cost of the self-assessment questionnaire and external assessment, and the cost of implementing any recommended improvements.
The cost of preparing for the certification process can vary depending on the size of the organisation and the extent of its existing security measures. For example, organisations may need to update software, patch vulnerabilities, and implement access controls, which can incur additional costs.
The cost of the self-assessment questionnaire and external assessment can range from a few hundred to several thousand pounds, depending on the certification body chosen, and the size and complexity of the organisation.
Below is a pricing guide as provided by the NCSC:
Micro organisations (0-9 employees) £300 + VAT
Small organisations (10-49 employees) £400 + VAT
Medium organisations (50-249 employees) £450 + VAT
Large organisations (250+ employees) £500 + VAT
Additionally, the cost of implementing any recommended improvements will depend on the nature of the recommendations and the resources required to implement them. For example, organisations may need to purchase additional software or hardware, hire additional staff, or engage the services of a consultant to implement the changes.
Finally, organisations must also consider the ongoing cost of maintaining their Cyber Essentials certification. This includes the cost of renewing the certification each year and making any necessary updates to security measures.
Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials and Cyber Essentials Plus are both cyber security certification schemes provided by the UK government's NCSC. However, there are several key differences between the two schemes.
As we’ve seen, Cyber Essentials is a basic certification scheme that provides organisations with a framework to assess their own security measures and identify areas for improvement. The certification process involves completing a self-assessment questionnaire and undergoing an independent assessment by a government-accredited certification body.
Cyber Essentials Plus, on the other hand, is a more in-depth certification scheme that provides organisations with a higher level of assurance about their cyber security posture.
The certification process for Cyber Essentials Plus is similar to that for Cyber Essentials but includes a more detailed technical assessment. The assessment includes a vulnerability scan of the organisation's systems and infrastructure, which identifies any weaknesses or vulnerabilities that could be exploited by cyber criminals.
The certification body then provides recommendations for improvement, which the organisation must implement to maintain its certification.
Generally speaking, organisations should choose the certification scheme that best meets their needs, considering the level of assurance they require, the resources they have available, and their overall cyber security goals.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
Starting a security awareness training campaign? Here are 5 essential steps to help ensure information security success.
Malicious insider threats can cause massive problems. Here we examine some of the motivations behind attacks and methods of detection organisations can use to reduce risk.
Five of the biggest and most significant data breaches, hacks, and information security attacks of 2022 (so far).
Questions to consider when auditing your business or SME for General Data Protection Regulation (GDPR) compliance.
With human error responsible for many breaches and attacks, we offer some helpful areas for improving employee security compliance.
Essential cyber tips for helping your business or SME improve information and cyber security.
By maintaining compliance for your business you can ensure operational efficiency, reduce financial risk, enhance public trust, engage your employees and realise your mission.
Insights, trends, and statistics from the world of phishing in 2022.
The main concepts of the Nation Cyber Security Centre's '10 Steps to Cyber Security' guidance.
Part two in our blog series examining how the psychology of behaviour change will help us deliver effective awareness campaigns.