Cyber Essentials, is it Essential?

There is a pretty good chance you will have heard of the Cyber Essentials but is it essential?

Cyber Essentials was launched back in 2014 by the National Cyber Security Centre (part of GCHQ) as a UK Government backed initiative aimed at improving the basic level of cyber security within UK organisations. The scheme is based around 5 key controls that, if implemented correctly, will help organisations guard against the most common internet-based cyber security threats.

The scheme is based around 5 key controls:

  • Firewalls
  • Secure configuration
  • Malware protection
  • User access control
  • Patch management

From the launch in 2014 to the 1st April 2020 several Accreditation Bodies (ABs) worked with the National Cyber Security Centre (NCSC) to administer the scheme via their networks of Certification Bodies (CBs). Since 1st April 2020, the IASME Consortium (one of the original ABs) was awarded the contract to become the NCSC's chosen partner to deliver the Cyber Essentials Scheme.

Since its inception, Cyber Essentials has become increasingly popular, with more organisations choosing to certify to the standard. This increase could partly be attributed to certification becoming a mandatory contractual requirement in some supply chains. This is especially the case when looking to supply into the public sector.

Certifying to the Cyber Essentials standard can also help showcase an organisation's commitment to cyber security as well as act as a useful marketing tool with which to attract potential clients. Certification is offered at 2 levels: 'Cyber Essentials' and 'Cyber Essentials Plus'.

Cyber Essentials

Cyber Essentials, sometimes referred to as 'Cyber Essentials Basic', consists of a self-assessed questionnaire (SAQ) aimed to assess whether applicants meet the Cyber Essentials standard. The SAQ is completed by the applicant organisation and submitted online via an assessment portal. Upon submission, the SAQ responses are independently reviewed by a qualified assessor who will then issue a certificate with a pass or guidance with a fail.

Cyber Essentials is an entry level cyber security certification that is designed to be both accessible and affordable. A reason for this is to encourage uptake from smaller organisations that have traditionally held the misplaced belief that they are 'too small to be a target' of cyber criminals. The scheme offers a straight-forward certification process where all the questions asked of the applicant deal with basic security concepts. The SAQ questions and guidance are worded so that individuals possessing only a modest understanding of IT can complete it with confidence.

That said, there are instances where some larger organisations have initially experienced difficulties in meeting the required standard. This is usually due to the Cyber Essentials requirements being binary and not allowing for any compensating controls or mitigations that are typically implemented within larger organisations.

As an added bonus for achieving Cyber Essentials certification, free cyber insurance is offered to all qualifying organisations that meet the required standard. Certification is valid for a 12-month period after which time the process needs to be repeated in order to renew for a further 12 months.

Cyber Essentials Plus

Cyber Essentials Plus revolves around the same basic controls as Cyber Essentials. The difference between the certifications is that Cyber Essentials Plus requires a qualified assessor to independently audit the applicant organisation. The audit process involves a series of tests on a representative sample of 'in scope' systems as well as conducting external and internal vulnerability assessments. Achieving the Cyber Essentials Plus certification results in a higher degree of assurance that the required standards have been met.

Due to the nature of the testing requirements, the costs associated with Cyber Essentials Plus are greater than Cyber Essentials. Assessment prices can vary depending on the size, scope, and complexity of the applicant organisation. It is also worth mentioning that Cyber Essentials certification is a prerequisite to achieving Cyber Essentials Plus, which must then be attained within a 3-month period.


All about guiding, not hiding.

The only 3 numbers you need.

Microsoft 365 combines the latest business applications, with Windows 10, Office 365, and best-in-class security.

New digs.

As a result of continued business growth, we are excited to announce the opening of our new state of the art Head office in Derbyshire.

New Website and Brand.

After deciding it was time for a change, we’re excited to announce the launch of our freshly designed website!

Back to School.

IDT is delighted to announce its partner status with Microsoft, through its Authorised Education Partner (AEP) programme.

Social Media .... We got this, so follow us.

We are great at what we do but up to now haven’t been great in shouting about it and for a business who has been around for 24 years many do not know we exist. We are changing that so jump on board our social media highway

Winner winner chicken dinner.

IDT's Managing Director Collects the Leadership Award for Emerging Entrepreneur Leader 2022

Notts County Foundation receive cutting-edge Education Suite

Notts County Foundation to receive cutting-edge Education Suite thanks to two East Midlands heavyweights.

Apprenticeship? Completed it mate!

IDT to make investment in youth after apprenticeship success.

Small Business of the Year Finalist.

IDT is very pleased to announce that we are finalists in the East Midlands Business Masters Awards 2021, in the category of Small Business of the Year

IDT celebrates 'unprecedented' growth

'Managed IT services specialist set for 'unprecedented' growth after revealing EE and 02 partnerships