As the cybersecurity field evolves and changes, new threats emerge constantly. This calls for security certifications like Cyber Essentials. If you’re in the UK, the government offers this certificate, and it’s the top cybersecurity certificate in the country.
Wondering why? This certificate shows that you and your company take the proper steps to protect computers and data systems. This is important if you’re storing sensitive customer data. This certificate will also show your customers that you’re protecting their data well.
In this article, you’ll learn all about Cyber Essentials, what it entails, and how to get it. You’ll also discover how long it takes to get the certificate and how long it’s valid for. Finally, you’ll see how much it costs.
Cyber Essentials: All You Need to Know
Cyber Essentials is a cybersecurity certification program created in the UK. It also holds companies to high cybersecurity standards. This certificate ensures that companies take the right steps to protect their systems and customer data. Cyber Essentials is also a mandatory certificate if you plan to work with the UK government in any form.
The certificate comes in two versions: Cyber Essentials and Cyber Essentials Plus. Here’s a breakdown of what you need to know about the two:
| | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Certification process | Questionnaire that you and your heads of IT and security sit down and answer | Questionnaire that you and your heads of IT and security sit down and answer |
| Assessment | Self-assessment against the 5 controls | A qualified auditor performs a hands-on technical verification audit against the 5 controls |
| Costs | Around £300 + VAT | Starts at around £1,900 + VAT |
| Time period | Depends on how long it takes you to complete the questionnaire | Takes longer because of the on-site verification |
Which One Should Your Company Choose?
According to the UK government website, you should get Cyber Essentials first. You can then go on to Cyber Essentials Plus within 90 days. Both versions bring your company many benefits. That said, Cyber Essentials Plus gives you a physical certificate, which offers more peace of mind. Now, let’s go over some of the benefits your company can reap from being certified.
Benefits of Cyber Essentials
Getting Cyber Essentials will give your company many advantages over other competitors. Let’s have a look at some of these below.
- Apply proper protection and configuration across your company. The questionnaire and audit also verify that your protection is actually in place.
- Attract new customers and business. The certificate proves your company takes cybersecurity seriously, which makes you more trustworthy.
- Get certified in cybersecurity best practices. The governing body certifies that you’re doing everything right when it comes to cybersecurity best practices.
- Qualify for UK government contracts. Most UK government contracts require the certification before they’ll work with you, which ensures your systems are protected.
Now that you have a clear idea of why your company needs Cyber Essentials, let’s discover what it really measures your company against.
The 5 Cyber Essentials Controls
You’ll have to test your company against these 5 controls:
- Boundary firewalls and internet gateways: Ensure you’ve configured your firewalls and gateways properly to keep out bad actors.
- Secure configuration: Ensure you’ve configured your servers, applications, software, etc. correctly so that they comply with the latest cybersecurity standards.
- Access control: Set up or configure security groups to ensure the people in your company only have access to what they need.
- Malware protection: Ensure you have the correct protection to keep malware out of your systems.
- Patch management: Ensure you manage the updates to your software and applications correctly.
Next, let’s see what you need to do to get the certificate.
How to Get Cyber Essentials?
Cyber Essentials is rather simple to get. Follow these 5 steps to plan the process:
- Use the Cyber Essentials Readiness tool first. It gives you an overview of your system and an action plan for preparing for the actual Cyber Essentials questionnaire.
- Study some of the samples of the questionnaire to prepare your company better.
- Take the questionnaire once you’re ready.
- Remediate any issues that may come up before you get certified.
- Audit your IT and cybersecurity systems to verify your answers to the questionnaire.
How Long Does the Process Take?
The initial questionnaire takes only 2-3 hours to complete. However, preparation and internal assessment can take up to 6 months, depending on how well you know your systems. You should also account for the time spent fixing issues to meet the Cyber Essentials standards. Once you submit the questionnaire, you’ll receive a response in 1-3 business days. You’re all set to get the certificate now, but how much will it cost?
Cyber Essentials Costs
The table below shows the new pricing schedule for Cyber Essentials, which is based on your company’s size.

| Company size | Cost |
|---|---|
| Micro companies (0-9 employees) | £300 + VAT |
| Small companies (10-49 employees) | £400 + VAT |
| Medium companies (50-249 employees) | £450 + VAT |
| Large companies (250+ employees) | £500 + VAT |
Note that the Cyber Essentials Plus starts at £1,900 + VAT.
The certificate is only valid for one year, so you’ll need to recertify each year. Once you get the certification initially though, it’s easier to maintain.
The Bottom Line
In conclusion, Cyber Essentials is an important certification to get. If your company is based in the UK or works with the UK government, it’s highly recommended, if not mandatory. In brief, you need the certification to take on contracts from the UK government. The cost is relatively low, and the benefits certainly offset it. With that, you can now decide whether you want to get the Cyber Essentials certificate.
Got more questions about Cyber Essentials? Check out the FAQ and Resources sections below.
How are the Cyber Essentials certificates verified?
First, you’ll have an audit. If you pass, the board-certified auditor signs a declaration affirming that your company meets the standards set by the certification. If you fail, you’ll get feedback on the areas that fall short and have the chance to revise and improve. This is similar to the process for ISO 27001. However, you’ll need to pay again and retake the assessment after you make the fixes.
Can companies outside the UK take the certification?
Yes. If your company is outside of the UK, you’re still more than welcome to take the certification. You might also want to do this if you plan to work with the UK government in some capacity. Many companies in Commonwealth countries may also consider taking this certificate as they rely on many standards set forth by the UK.
How do the new updates of the certificate affect certificates issued before Jan 2022?
The new standards are already in effect. That means you may also need to change your current security configurations when you go to recertify. Otherwise, you might be out of compliance. Certificates issued before January 24, 2022, are still valid until they expire.
Why were these new changes made in 2022?
The security environment and threats are evolving. That’s why the board made changes to ensure the certificate also keeps up with the new threats. For example, more people work from home now. While their devices are secured, routers might not be. You can also read more about the changes on the Cyber Essentials Blog.
What is the main company behind Cyber Essentials?
The UK Government’s National Cyber Security Centre is the administering body of Cyber Essentials. It works in conjunction with IASME (the Information Assurance for Small and Medium Enterprises Consortium). Together, they develop the standards and protocols.
TechGenix: Article on ISO 27001 vs. Cyber Essentials
Learn about the differences between ISO 27001 and Cyber Essentials.
TechGenix: Article on Network Security
Learn the ins and outs of network security and why it’s so important to your business.
TechGenix: Article on Access Control
Get unbiased comparisons between RBAC, MAC, and other access controls.
TechGenix: Article on Always On VPN
Get acquainted with the basics of Always On VPN.
TechGenix: Article on Improved Cybersecurity
See how much money you can save if you’re properly secured.