Flexible packages, plus get all the security tools you need to meet Cyber Essentials certification as part of the package.
Great value certification with tailored packages to suit every budget.
Get support from our certified Cyber Essentials assessors.
Protect your business with optional cyber protection tools.
Certification inspires customer trust & helps win new business.
Cyber Essentials is a Government-backed certification scheme, designed to set a strong security baseline and help businesses operate securely online. As a certification standard, Cyber Essentials and Cyber Essentials Plus demonstrate your business’ commitment to cyber security, enhancing your reputation with customers, stakeholders and supply chain partners. Cyber Essentials certification also includes free cyber insurance available to UK companies, if the certification covers the entire organisation (additional conditions apply).
Cyber Essentials is also required for many Government and public-sector contracts, making it a key driver of new sales and business growth. Cyber Essentials Plus is an extended version of Cyber Essentials, with additional security controls, that unlocks more public-sector opportunities.
As an official Cyber Essentials Certification Body, we offer the right level of support to simplify your journey to achieving certification.
Bulletproof demonstrated their expertise from day one, and thanks to their insight we passed Cyber Essentials first time. With our 10-year history of keeping customer data secure, the Cyber Essentials scheme adds further confidence and value to Backup Systems offerings.
As strategic partners to the Healthcare Sector, Latchmore needed Cyber Essentials certification to meet NHS requirements. Bulletproof were recommended to us and they certainly lived up to expectations. Jamie in particular provided really clear and helpful support, and we passed first time. I’d definitely recommend Bulletproof to anyone needing Cyber Essentials.
B2 was invited to tender for a large Government contract and we needed to be Cyber Essentials certified. Bulletproof’s experienced team guided us through the process, taking us from not knowing what this was through to full Cyber Essentials certification. We’re pleased to say that we won the tender and are now in a position to follow up more Government and large business contracts.
We recently undertook our Cyber Essentials Plus renewal with Bulletproof as they were recommended to us. Communication was fast and reliable, making the certification process simple, whilst still remaining comprehensive and ensuring full compliance.
We sought to renew our Cyber Essentials accreditation but had concerns regarding the status of our previous assessor so were forced to seek a new partner. After looking at several options we chose Bulletproof and are very pleased with that choice. The entire process, and in particular the quality of communications and assistance, has been thorough and of a high standard. I am happy to recommend Bulletproof and look forward to continuing our Cyber Essentials journey towards the ‘Plus’ certification with them in the coming years.
Both Cyber Essentials and Cyber Essentials Plus demonstrate that your organisation is taking cyber security seriously and has the five technical controls in place: access controls, firewalls and routers, malware protection, secure configuration, and software updates.
Cyber Essentials is an independently verified self-assessment questionnaire and the goal is to get all questions correct/compliant to obtain a pass.
Cyber Essentials Plus is the next step after Cyber Essentials. It can be thought of as an independent verification of everything that was claimed in Cyber Essentials. This extra level of scrutiny means your Cyber Essentials Plus badge will hold more weight with potential customers.
Whilst Cyber Essentials Plus is the more expensive of the two, it is held in higher regard and much of the work is done by the Certification Body. If you feel a bit overwhelmed and don’t know where to start, don’t worry – we have a range of packages to help you through the process.
With over 80% of UK businesses vulnerable to avoidable security threats, the Cyber Essentials framework has been designed as a strong security baseline for every business in every industry. Mapping against five simple technical controls means it’s easy to achieve Cyber Essentials certification. These include:
Access control
Firewalls and routers
Malware protection
Secure configuration
Software updates
Issued to Bulletproof by The IASME Consortium Ltd.
Download the latest 2023 Cyber Essentials question set, called ‘Montpellier’. In April 2023 it replaced the previous ‘Evendine’ question set.
Whether you’re starting from scratch with your business security, or you’re looking to renew your Cyber Essentials certification, Bulletproof has you covered. The easiest route to Cyber Essentials certification is with consultant-led compliance support. With remote or on-site assistance, tailored policy documents and free retests, it’s never been easier to get Cyber Essentials certification.
One of our expert cyber essentials consultants will get back to you as soon as possible.
Enhanced security – helps protect your organisation from the most common internet based cyber attacks such as phishing, malware, ransomware, password guessing and network attacks.
Simple and cost effective – a simple process with a Cyber Essentials certification fee starting from £200.
Gain and retain business – an increasing number of public, private and third sector contracts are mandating or actively encouraging Cyber Essentials from their suppliers.
Aligns with GDPR – recognised by the Information Commissioner’s Office as a scheme that can provide security assurances that help protect personal data.
Flexible scheme – regardless of sector or size, the scheme reviews basic, yet effective, technical controls an organisation has in place. The scheme also recognises that not all organisations have a dedicated IT department, or an in-depth knowledge of cyber security.
You can request support by emailing the request to [email protected] at any time after you have been set up. An assessor will be assigned and reach out to arrange a Teams meeting to go over the assessment with you. You are also welcome to reach out to your assessor if you have any further questions throughout the process.
Cyber Essentials focuses on fundamental IT controls, whereas ISO 27001 takes a more holistic approach, incorporating policies and procedures. As ISO 27001 is much more involved, you’ll find it easier to obtain Cyber Essentials/Cyber Essentials Plus certification if you’re already ISO 27001 compliant.
We recommend achieving Cyber Essentials certification in addition to ISO 27001 as it demonstrates your commitment to good security practices, and some business/customers may only look for your Cyber Essentials certification, or not understand the difference between Cyber Essentials and ISO 27001.
ISO 27001 | Cyber Essentials | |
|---|---|---|
What is it | An international standard that sets out the requirements of an Information Security Management System to manage information security risk in a systematic way. The standard isn’t mandatory however many contracts/tenders do stipulate it as a requirement. | An NCSC backed UK assurance scheme addressing five technical security controls to help businesses address the most common cyber security vulnerabilities. Cyber Essentials is mandatory for government contracts. |
Risk | ISO 27001 adopts a risk-based approach where organisations set their risk acceptance criteria and risk methodology. This determines how risks are addressed. | Cyber Essentials aims to address the most common vulnerabilities found in organisations. It is not a risk-based approach. |
Recognition | ISO 27001 is an international standard recognised around the world. | Cyber Essentials is a UK based scheme and is not well known worldwide. |
Time to implement | Months | Days – weeks |
Certification process | Certification is provided by a Certification Body. This involves a Stage 1 and Stage 2 audit, and annual surveillance audits. Certification lasts for 3 years, as long as the organisation passes the audits. | Complete a self-assessment questionnaire (or undergo vulnerability scans and a workstation assessment if taking Cyber Essentials Plus) and be assessed by a IASME Cyber Essentials Assessor. Certification must be repeated annually. |
Costs | Med/High | Low |
Scope | Scope is defined by the organisation but the standard encompasses the business and is not just focused on IT. | Focuses on 5 key areas (shown below) and is more IT focused.
|
Applicability | Aimed at all businesses. | Aimed at all businesses, but particularly targets smaller businesses that may have not previously considered cybersecurity. |
No, all questions are applicable to applicants, however some requirements may change depending on whether your organisation is office based, hybrid or fully remote. ISP (Internet Service Provider) equipment is not included in the scope of the assessment. In the absence of an in-scope network, confirmation of the use of software-based firewalls will instead need to be provided.
Yes, all questions presented in Cyber Essentials are applicable whether you are a single person company or a company of 200+ employees. When answering those questions, you should take into consideration the “what if?” scenarios.
Yes, you must ensure that you use separate administrator accounts from the standard user account, such as when installing software. Using administrator accounts all-day-long exposes the device to compromise by malware.
The inclusion of out of support / end of life operating systems in the scope of assessment will not be compliant with Cyber Essentials. However, you may still use unsupported operating systems if they are removed from the scope of assessment by isolating the device / OS from the organisation’s network via a segregated subset.
No, you must still provide processes and descriptions where asked. When a third party manages your IT, you should confirm with them all processes to ensure that they are meeting the standards required for Cyber Essentials.
Contractors using devices provided by your organisation will fall into scope and will need to be included. However, contractors using their own personal devices not owned by your organisation will fall out of scope of the assessment and will not need to be declared.
Yes, we can. It is best to raise this at the point of purchase, and we can discuss your scope prior to you getting started. In addition, there is guidance in the IT infrastructure document. The scope should include any internet facing devices, including mobiles and anything considered as part of a BYOD (Bring Your Own Device) approach.
Once you have your logins you will be able to access the IASME portal and be able enter your answers.
Once you have completed your answers, please submit the assessment. We will then assign an assessor and you will be scheduled for marking. Once marked you will get your results from the IASME portal, you will either pass, fail, or get asked for more information.
If you fail or get asked for more information you will have a chance to review your answers and update them using the guidance notes the assessor leaves for you.
You can then resubmit and once again you will be scheduled for marking with hopefully a pass being the result. You may get asked for more information again which will require you to readdress it, if you fail twice though that would mean you would have to repurchase Cyber Essentials to be able to retry.
We aim to mark an assessment within 48 hours of it being submitted, not including weekends or bank holidays. This can vary depending on how many assessments we have at one time.
You will still be under the same guidelines as above, if you require your certification by a specific date, you must take this into consideration. Start your assessment in good time to allow enough time to, complete, submit, be marked, remediate, resubmit, and pass!
No. ISP provided equipment is not considered as in scope for Cyber Essentials and does not have to be declared. In this case, we will need confirmation that you are relying on software firewalls as your internet boundary and/or a VPN provided by your organisation. A VPN solution must be an enterprise/corporate product that secures all connections between End User Devices (EUDs) and the Internet.
Yes, all questions presented in Cyber Essentials are applicable whether you are a single person company or a company of 200+ employees. When answering those questions, you should take into consideration the “what if?” scenarios.
The standard protection provided by Apple devices does not tend to meet the standards of Cyber Essentials, it is recommended that additional software should be installed to provide adequate protection.
As standard, all critical and high classified updates must be applied within 14 days of release to meet compliance in Cyber Essentials. During the assessment you may need to provide details of how you ensure this. If operating systems or application versions are found to be in use after 14 days of the latest patch being made available, you will incur major non-compliance marks which could lead to a failed attempt.
Yes, all staff devices that access company data and/or the company network would be considered in scope of Cyber Essentials. This includes mobile devices. You should track these devices to ensure your staff are using supported models and operating systems are up to date.
The certificate will be part of a public register. You can display the Cyber Essentials and Cyber Essentials Plus badge on your website and/or in your email signatures.
After passing your Basic assessment, you will have 90 days to pass your Plus test. Once your Plus Test officially starts, you will have 30 days to complete any remediations, still within the 90 days. If you fail to remediate within 30 days you will fail your Plus test and will be required to restart from Basic.
After passing Basic our coordinator will reach out to you and book in your Plus test. Your Plus test will be booked from one to six weeks after passing your Basic assessment, so please make sure you have given yourself enough time to meet any of your deadlines.
No, the scope of your Plus assessment must be the same as your Basic one, any changes to your scope such as a significant increase or decrease in devices, changes in network topology etc. will cause a failure of Plus and a new Basic assessment would be required covering the correct scope.
