Cyber Essentials Overview

About Cyber Essentials

Cyber Essentials is a certification scheme developed by the National Cyber Security Centre (NCSC) in the United Kingdom. This scheme aims to help organisations establish a baseline of cyber security controls to protect against common cyber attacks.

Two levels of certification are offered under the Cyber Essentials scheme: Cyber Essentials and Cyber Essentials Plus. To obtain the basic Cyber Essentials certification, organisations must complete a self-assessment questionnaire, which assesses the implementation of essential controls such as boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management.

Once the self-assessment questionnaire is completed, organisations may also choose to undergo a Cyber Essentials Plus certification. This involves an additional external vulnerability scan, where an independent certifying body verifies the organisation's security controls by performing vulnerability tests. - as quoted by the NCSC.UK.

What is Cyber Essentials?

Cyber Essentials is a certification process that helps organisations protect against common cyber attacks by providing a framework for implementing basic cybersecurity controls. The certification process consists of two key components: a self-assessment questionnaire (SAQ) and an external vulnerability scan.

The SAQ is a series of questions that organisations must answer to assess their current cybersecurity controls and practices. This helps them identify areas that require improvement and highlights any vulnerabilities that need to be addressed. It covers topics such as network security, user access control, firewalls, secure configuration, and malware protection. The SAQ is designed to be user-friendly and straightforward, making it easy for organisations to navigate and complete.

What is Cyber Essentials Plus

Cyber Essentials Plus certification is an enhanced version of Cyber Essentials that offers additional requirements and benefits. This certification not only ensures that organizations meet the basic cybersecurity standards outlined in Cyber Essentials, but it also provides independent validation by an accredited third party.

One of the key additional requirements of Cyber Essentials Plus certification is the requirement for an external, independent validation. This means that an approved and accredited third party carries out a thorough assessment of an organisation's cybersecurity controls. This validation process adds an extra layer of assurance and credibility to the certification, as it ensures that the organisation's claims regarding their cybersecurity measures are independently verified.

The Benefits of Certification

• Greatly impacts a business's success and reputation 
• Restores customers of company competence and expertise 
• Customers are more likely to trust an organisation that has obtained certification as it validates their capabilities and ensures they meet industry standards.
• This reassurance can lead to increased customer loyalty and repeat business.
• Certification can attract new business opportunities. 
• By working with certified suppliers, businesses can ensure they are partnering with knowledgeable and reliable organisations. 

Why Should You Get Cyber Essentials?

In today's digital landscape, cybersecurity has become a crucial aspect for businesses of all sizes. With the increasing frequency and complexity of cyber threats, organisations need to take proactive measures to protect their sensitive data and mitigate potential risks. One such measure is obtaining Cyber Essentials certification. Cyber Essentials is a government-backed scheme in the UK that helps businesses implement basic cybersecurity controls to safeguard against common cyber attacks. By getting Cyber Essentials, organisations can enhance their overall security posture, instill trust in their customers, and demonstrate their commitment to protecting data privacy. This certification not only helps in mitigating the risk of cyber threats but can also provide a competitive advantage, especially when bidding for government contracts or working with clients who prioritise cybersecurity. 

What is the Difference Between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials and Cyber Essentials Plus are recognised cybersecurity certifications designed to help organisations protect against common online threats. However, there are key distinctions between the two.

Firstly, Cyber Essentials is a self-assessment certification that requires organisations to complete a detailed questionnaire. This questionnaire assesses their adherence to five key controls: boundary firewalls, secure configuration, user access control, malware protection, and patch management. Once completed, the organisation can apply for the certification.

On the other hand, Cyber Essentials Plus goes a step further by including an additional independent technical audit. This audit is conducted by qualified cybersecurity professionals who assess whether the relevant controls are in place. This means that organisations must not only complete the Cyber Essentials questionnaire but also allow the auditors to conduct penetration testing and vulnerability scans to validate their cybersecurity measures.

The main difference between the two certifications lies in the depth of the assessment process. While Cyber Essentials focuses on self-assessment, Cyber Essentials Plus combines both self-assessment and an independent technical audit. By subjecting organisations to this additional scrutiny, Cyber Essentials Plus offers a higher level of assurance to both the organisation seeking certification and its clients.

The Scheme Is Suitable for Any Organisation, Large or Small

The Cyber Essentials scheme is a comprehensive initiative designed to enhance the cyber security posture of organisations, irrespective of their size or industry. This scheme applies to any organisation, be it a large corporation or a small business, as it provides tangible and practical guidance to defend against common cyber security threats.

One of the key aspects of the Cyber Essentials scheme is its coverage of 80% of the most prevalent cyber security threats. This means that by implementing the recommendations and requirements of the scheme, organisations can significantly mitigate the risk of falling victim to these threats. The scheme focuses on fundamental security controls across various areas such as boundary firewalls, secure configuration, user access control, malware protection, and patch management. By enforcing these controls, organisations can address most of the vulnerabilities and weaknesses that cyber attackers commonly exploit.

What Pentest People Offer 

Pentest People offer three Cyber Essentials packages tailored to varying needs and levels of support required by businesses.

Self Assessment

This package is for companies familiar with and have experienced a cyber essentials basic audit. Pentest People will guide you through onboarding onto the audit portal and allocate a deadline data for the assessment marking. Noting that this package doesn't include any consultancy time to guide your technical team through the audit. If you have passed, you are provided with the cyber essentials certification and badge to share on your website and social media content.

Support

The Support package gives you access to all the benefits of the self assessment package but with more guidance throughout the preparation. Clients will be given access to our cyber essentials guides to help you through your audit. All email queries will be answered until the outcome of the audit.

Remediation window is increased to increase the likelihood of passing the audit. Our assessor team will complete a maximum of 2 remarks within 2 weeks of the initial audit.

Overall, the support package gives your business slight helping hand throughout your cyber essentials audit.

SurePass

With this package, you will receive all the benefits of self assessment and supported packages but much more.

This is a consultancy lead approach to your Cyber Essentials audit. PTaaS has expanded to Cyber Essentials and we will consult you through the complexity of the cyber essentials audit.

Throughout the preparation and audit you will have access to your dedicated Cyber Essentials auditor. We will share with you the pre assessment tool and provide any feedback prior to your audit.

Pass Protect means we will continue to complete remarks following remediation until you pass your audit.

Additional access;

• Access to our secure portal to help manage your vulnerabilities across your assets.
• Monthly scan of up to 50 Externally facing IP’s.
• Scan for common vulnerabilities across your infrastructure with our symbiote scanner.
• Be in the know of latest cyber threats with access to monthly threat reports.
  ‍

Frequently Asked Questions

1. What are the critical changes in the technical update of the Cyber Essentials requirements for 2023?

The technical update for Cyber Essentials requirements in 2023 includes several changes to align with the latest cybersecurity threats and best practices. These may include updated guidelines for network security, secure configuration, software patching, access control, and incident management.

2. Who is responsible for updating the Cyber Essentials standard?

The Cyber Essentials standard is regularly reviewed and updated by a panel of cybersecurity experts and industry professionals. This ensures that the standard remains up to date and reflects the latest cyber threats and technological advancements.

3. Will a grace period be provided for organisations to comply with the new requirements?

It is advisable to check with the relevant certification bodies or accreditation authorities for the availability of a grace period. Each organisation may have different policies or guidelines regarding the transition to the updated Cyber Essentials requirements.

4. Can organisations use existing technical controls that do not meet the new requirements to achieve certification?

To achieve Cyber Essentials certification, organisations must meet all the updated requirements listed in the technical update. However, organisations can work towards implementing the necessary changes and controls to meet the new requirements before applying for certification.

5. How long is the certification valid for?

Cyber Essentials certificates are typically valid for one year. After the expiry, organisations are required to undergo a renewal process to ensure ongoing compliance with the latest standards and requirements.

In conclusion, with the upcoming technical update of Cyber Essentials requirements for 2023, organisations may have questions regarding changes, implementation, and certification validity. It is recommended to consult the relevant certification bodies and stay updated with their guidelines and recommendations. For more infomation on cyber essentials check out out blog: https://www.pentestpeople.com/blog-posts/pentest-people-cyber-essentials-certification

‍