What is Cyber Essentials?

It is a baseline certification to help protect you from cyber threats. It is a good first step on the ladder of cyber security that can lead you on to Cyber Essentials Plus, ISO 27001 and more. Having Cyber Essentials will help ensure you have your business cyber security basics covered.

What’s the difference between Cyber Essentials and Cyber Essentials Plus?

Both Cyber Essentials and Cyber Essentials Plus demonstrate that your organisation is taking cyber security seriously and has the five technical controls in place: access controls, firewalls and routers, malware protection, secure configuration, and software updates.

Cyber Essentials is an independently verified self-assessment questionnaire; the goal is to answer every question correctly/compliantly to obtain a pass.

Cyber Essentials Plus is the next step after Cyber Essentials. It can be thought of as an independent verification of everything that was claimed in Cyber Essentials. This extra level of scrutiny means your Cyber Essentials Plus badge will hold more weight with potential customers.

Whilst Cyber Essentials Plus is the more expensive of the two, it is held in higher regard and much of the work is done by the Certification Body. If you feel a bit overwhelmed and don’t know where to start, don’t worry – we have a range of packages to help you through the process.

What are the benefits of Cyber Essentials?

  • Enhanced security – helps protect your organisation from the most common internet-based cyber attacks such as phishing, malware, ransomware, password guessing and network attacks.
  • Simple and cost-effective – a simple process with a Cyber Essentials certification fee starting from £295.
  • Gain and retain business – an increasing number of public, private and third sector contracts are mandating or actively encouraging Cyber Essentials from their suppliers.
  • Aligns with GDPR – recognised by the Information Commissioner’s Office as a scheme that can provide security assurances that help protect personal data.
  • Flexible scheme – regardless of sector or size, the scheme reviews basic, yet effective, technical controls an organisation has in place. The scheme also recognises that not all organisations have a dedicated IT department, or an in-depth knowledge of cyber security.

What is the process once I am signed up for Cyber Essentials?

Once you have your logins you will be able to access the IASME portal and enter your answers.

Once you have completed your answers, please submit the assessment. We will then assign an assessor and you will be scheduled for marking. Once marked, you will get your results from the IASME portal: you will either pass, fail, or be asked for more information.

If you fail or get asked for more information you will have a chance to review your answers and update them using the guidance notes the assessor leaves for you.

You can then resubmit, and once again you will be scheduled for marking, with hopefully a pass being the result. You may be asked for more information again, which you will need to address. If you fail twice, however, you will have to repurchase Cyber Essentials to be able to retry.

I have remote support, how do I request help?

You can request support by emailing the request to ce@bulletproof.co.uk at any time after you have been set up. An assessor will be assigned and reach out to arrange a Teams meeting to go over the assessment with you. You are also welcome to reach out to your assessor if you have any further questions throughout the process.

Once I submit how long will it take to be marked?

We aim to mark an assessment within 48 hours of it being submitted, not including weekends or bank holidays. This can vary depending on how many assessments we have at one time.

I need my Cyber Essentials by a specific date, can you meet that?

You will still be under the same marking guidelines as above, so if you require your certification by a specific date you must take this into consideration. Start your assessment in good time to allow enough time to complete, submit, be marked, remediate, resubmit, and pass!

All my workers are home workers. Does this mean questions around networks are not applicable to me?

No. In the absence of a physical office space, list just one home network, ideally the director’s network, e.g. ‘Director’s network in London’. You will then need to add a short backup statement such as ‘all staff are currently working from home, based in the UK’.

Further questions around networks and managing networks will relate to the main network and all homeworkers.

Do I have to list the network equipment of all my home workers?

No, you just need to list the equipment of the office network you provide. You must then confirm, under network equipment, whether your home workers connect to the network using a VPN. Any commercial VPN (e.g. NordVPN) is not acceptable. The solution must be an enterprise/corporate product that secures all connections between EUDs (end user devices) and the Internet. If you do not have a VPN, you must confirm that your workers have their software and/or hardware firewalls enabled.

I am a single person company; do I still need to have a process for account creation and leavers?

Yes, all questions presented in Cyber Essentials are applicable whether you are a single person company or a company of 200+ employees. When answering those questions, you should take into consideration the “what if?” scenarios.

I am a single person company; do I still need to have a process in place for admin accounts?

Yes, all questions presented in Cyber Essentials are applicable whether you are a single person company or a company of 200+ employees. When answering those questions, you should take into consideration the “what if?” scenarios.

I am a single person company; do I still need to have a separate user account to my admin account?

Yes, you must ensure that you use a separate administrator account from your standard user account, and use it only for tasks that need it, such as installing software. Using administrator accounts all day long exposes the device to compromise by malware.

We use Macs, do we need to install additional anti-malware software?

Yes, the standard protection provided by Apple devices does not meet the standards of Cyber Essentials and additional software should be installed to provide adequate protection.

We use out of support operating systems to test or use legacy software. Can this be accepted?

No, all operating systems in scope of your Cyber Essentials assessment must be up to date and in support. Failing to do so means you will not be compliant.

We do not install updates right away in case it causes problems. Can this be accepted?

No, to meet compliance you must ensure that all critical updates are applied within 14 days of release. If this is not possible you would not be compliant with Cyber Essentials.

We have an IT team that handles all our IT, can I answer questions with “Handled by our IT provider.”?

No, you must still provide processes and descriptions where asked. When a third party manages your IT, you should confirm with them all processes to ensure that they are meeting the standards required for Cyber Essentials.

We allow our staff to use their own devices, do I have to include them?

Yes, all devices that access company data and/or the company network are considered in scope of Cyber Essentials. This includes mobile devices. You should track these devices to ensure your staff are using supported models and that their operating systems are up to date.
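The three requirements above (in-support operating systems, critical updates applied within 14 days of release, and tracking BYOD and mobile devices) are the kind of thing worth checking on a schedule rather than only at assessment time. The following is an added example, not code from Bulletproof, IASME or the NCSC, of a small inventory check that flags devices which would fail those requirements. The device inventory, update names and end-of-support dates are constructed sample values; in practice the end-of-support dates come from the vendor's lifecycle pages and the update records from your patch management tooling.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# The requirement quoted in the FAQ: critical updates applied within 14 days of release.
PATCH_WINDOW_DAYS = 14


@dataclass
class CriticalUpdate:
    name: str
    released: date
    applied: Optional[date]  # None means the update is still pending on this device


@dataclass
class Device:
    owner: str
    model: str
    os_name: str
    os_end_of_support: date  # vendor end-of-support date for the installed OS version
    byod: bool               # staff-owned device: still in scope if it touches company data
    updates: List[CriticalUpdate] = field(default_factory=list)


def check_device(dev: Device, today: date) -> List[str]:
    """Return the compliance findings for one device (an empty list means compliant)."""
    findings: List[str] = []
    label = f"{dev.owner}/{dev.model}" + (" [BYOD]" if dev.byod else "")

    # Out-of-support operating systems are not acceptable for any in-scope device.
    if dev.os_end_of_support < today:
        findings.append(f"{label}: {dev.os_name} has been out of support since {dev.os_end_of_support}")

    # Every critical update must be applied within PATCH_WINDOW_DAYS of its release.
    for upd in dev.updates:
        deadline = upd.released + timedelta(days=PATCH_WINDOW_DAYS)
        if upd.applied is None:
            if today > deadline:
                findings.append(f"{label}: {upd.name} still pending, {PATCH_WINDOW_DAYS}-day window expired on {deadline}")
        elif upd.applied > deadline:
            days_late = (upd.applied - deadline).days
            findings.append(f"{label}: {upd.name} applied {days_late} day(s) after the {PATCH_WINDOW_DAYS}-day window")
    return findings


def check_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device owner to that device's findings."""
    return {dev.owner: check_device(dev, today) for dev in devices}


def is_compliant(devices: List[Device], today: date) -> bool:
    """True only when no in-scope device has any finding."""
    return all(not findings for findings in check_inventory(devices, today).values())


# Constructed sample inventory (names, models, OS versions and dates are illustrative only).
ASSESSMENT_DATE = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("alice", "Laptop-01", "Desktop OS 11", date(2026, 1, 1), False,
           [CriticalUpdate("critical update A", date(2024, 5, 10), date(2024, 5, 15))]),   # applied in 5 days
    Device("bob", "Laptop-02", "Desktop OS 8", date(2023, 1, 10), False,
           [CriticalUpdate("critical update B", date(2024, 5, 1), None)]),                 # OS unsupported, patch overdue
    Device("carol", "Personal phone", "Mobile OS 17", date(2026, 1, 1), True,
           [CriticalUpdate("critical update C", date(2024, 4, 1), date(2024, 4, 30))]),    # applied 15 days late
]

if __name__ == "__main__":
    for owner, findings in check_inventory(SAMPLE_DEVICES, ASSESSMENT_DATE).items():
        print(owner, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
    print("Inventory compliant:", is_compliant(SAMPLE_DEVICES, ASSESSMENT_DATE))
```

The check deliberately treats a late-but-applied update as a finding, not just a pending one: the assessor is asking about your process for applying updates within the window, and a history of updates landing well after the deadline is evidence that the process is not working even if every device is patched on the day you submit.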

I hire contractors and provide them access to select folders, are they in scope?

Yes, all devices that access company data and/or the company network would be considered in scope of Cyber Essentials. This includes mobile devices. You should ensure that contractors meet your security standards, the standards that will allow you to pass your Cyber Essentials assessment.

Where can I display my certificate or badge?

The certificate will be part of a public register. You can display the Cyber Essentials and Cyber Essentials Plus badge on your website and/or in your email signatures.

Can you help define the scope?

Yes, we can. You will want to ensure you have remote support so we can discuss this in a call. There is also guidance in the IT infrastructure document. For the avoidance of doubt, the scope should include any internet facing devices, including mobiles and anything considered as part of a BYOD.

Cyber Essentials vs ISO 27001

Cyber Essentials focuses on fundamental IT controls, whereas ISO 27001 takes a more holistic approach, incorporating policies and procedures. As ISO 27001 is much more involved, you’ll find it easier to obtain Cyber Essentials/Cyber Essentials Plus certification if you’re already ISO 27001 compliant.

We recommend achieving Cyber Essentials certification in addition to ISO 27001, as it demonstrates your commitment to good security practices, and some businesses/customers may only look for your Cyber Essentials certification, or may not understand the difference between Cyber Essentials and ISO 27001.

Comparing ISO 27001 and Cyber Essentials Standards

What is it
  • ISO 27001: An international standard that sets out the requirements of an Information Security Management System to manage information security risk in a systematic way. The standard isn’t mandatory; however, many contracts/tenders do stipulate it as a requirement.
  • Cyber Essentials: An NCSC-backed UK assurance scheme addressing five technical security controls to help businesses address the most common cyber security vulnerabilities. Cyber Essentials is mandatory for government contracts.

Risk
  • ISO 27001: Adopts a risk-based approach where organisations set their risk acceptance criteria and risk methodology. This determines how risks are addressed.
  • Cyber Essentials: Aims to address the most common vulnerabilities found in organisations. It is not a risk-based approach.

Recognition
  • ISO 27001: An international standard recognised around the world.
  • Cyber Essentials: A UK-based scheme that is not well known worldwide.

Time to implement
  • ISO 27001: Months
  • Cyber Essentials: Days to weeks

Certification process
  • ISO 27001: Certification is provided by a Certification Body. This involves a Stage 1 and Stage 2 audit, and annual surveillance audits. Certification lasts for 3 years, as long as the organisation passes the audits.
  • Cyber Essentials: Complete a self-assessment questionnaire (or undergo vulnerability scans and a workstation assessment if taking Cyber Essentials Plus) and be assessed by an IASME Cyber Essentials Assessor. Certification must be repeated annually.

Costs
  • ISO 27001: Medium/High
  • Cyber Essentials: Low

Scope
  • ISO 27001: Scope is defined by the organisation, but the standard encompasses the business and is not just focused on IT.
  • Cyber Essentials: Focuses on five key areas and is more IT-focused: secure internet connection; secure devices and software; access control; malware protection; security update management.

Applicability
  • ISO 27001: Aimed at all businesses.
  • Cyber Essentials: Aimed at all businesses, but particularly targets smaller businesses that may not have previously considered cyber security.
