Cyber Essentials for UK businesses
Cyber Essentials helps guard your business from the most common cyber threats and demonstrate the commitment you have towards cyber security. It is a certification program focused on basic cyber security controls that was created by the UK government’s National Cyber Security Centre and the Information Assurance for Small and Medium Enterprises (IASME) consortium.
The key things to know about Cyber Essentials are:
It specifies a core set of technical controls around five key areas: firewalls, secure configuration, access control, malware protection, and patch management. Businesses must demonstrate they have implemented controls in each area in order to be certified.
The controls defined represent IT security best practices that are simple and inexpensive for most businesses to implement, yet provide protection against the most common cyber attacks.
Once the certification has been achieved, it must be renewed annually, providing an incentive for companies to stay on top of maintaining their defences.
Cyber Essentials has tiers of certification that require different levels of robustness and types of assessments by accredited external auditors. Cyber Essentials Plus is discussed in the next section.
The program represents a cost-effective starting point for cyber security. While more advanced certifications like ISO 27001 might be overkill for many SMEs, Cyber Essentials provides a strong baseline aligned to common cyber threats.
Discover how our experts can improve your security standing
Cyber Essentials Plus for UK businesses
Cyber Essentials Plus certification builds on the core Cyber Essentials requirements. This is by adding some additional elements focused on more rigorous verification and ongoing compliance.
The key additions in Cyber Essentials Plus include:
Cyber Essentials only requires a self-assessment questionnaire. But for Cyber Essentials Plus, an independent external IT security professional must audit the implementation of technical controls through validation testing and examination of policies and procedures.
Businesses must develop a framework explaining how they will maintain compliance with Cyber Essentials controls on an ongoing basis across changes to systems, employees, offices etc.
As well as testing the current efficacy of controls, external auditors must simulate real-world cyber attack scenarios to evaluate whether the company’s security posture stands up to threats.
Certification must be renewed annually, including an onsite audit, ensuring security provisions do not reduce over time. Audits ensure that as the threat landscape changes, controls are up to date.
£25K of cyber insurance coverage is included to support incident response and recovery costs in the aftermath of a breach.
The extra rigor, testing, and auditing required for Cyber Essentials Plus aims to provide increased confidence in an company’s cyber security measures. The ongoing auditing and simulation testing focuses on cyber resilience – the ability to both resist attacks and recover normal operations quickly. Together, these additions result in a more comprehensive and externally validated defence against cyber threats.
Get your Cyber Essentials Certification today
Learn how we can help your business