Frequently Asked Questions About The Cyber Essentials Scheme
The Cyber Essentials certification scheme was launched by the National Cyber Security Centre (NCSC) in 2014 to help protect businesses from the most common cyberattacks. It has proved to be very successful, with nearly 200,000 certificates issued so far.
According to the latest data, organisations with Cyber Essentials are 92 per cent less likely to make a claim on their insurance than those without it. As the frequency and sophistication of cyberattacks continue to grow every year, so does the importance of maintaining high standards of cybersecurity, particularly for small to medium-sized enterprises (SMEs).
Here’s a look at some of the most frequently asked questions about Cyber Essentials to help you understand the benefits and requirements, and how to go about getting certified. If you would like more tailored IT support and advice in the Bradford area, please get in touch with our team today and we will be happy to discuss your needs.
What are the benefits of Cyber Essentials?
The core principles of the Cyber Essentials scheme are designed to provide an assurance that your organisation’s IT infrastructure complies with basic security measures and has a good standard of protection against the most common online threats.
The certification not only provides peace of mind that your organisation is well protected, but also demonstrates to your customers, business partners and suppliers that your business is safe to deal with and has high operational standards. This is particularly important if your business handles sensitive information.
Which businesses should get Cyber Essentials?
The certification is not mandatory, but it is recommended for all businesses, for the reasons outlined above. If your business works with government departments or public bodies, or wants to bid for government contracts, Cyber Essentials may be a mandatory requirement.
Which level of certification is appropriate for my business?
There are two levels of certification: Cyber Essentials and Cyber Essentials Plus. The first level is ideal for small to medium businesses with relatively straightforward IT infrastructure. It involves a self-assessment of your IT system, and the results will be submitted to a certification body.
Cyber Essentials Plus requires an independent assessment, including an on-site evaluation. It is suitable for larger organisations, or those that have complex IT infrastructures or handle highly sensitive data.
How do you get the certification?
There are various approved certification bodies under the IASME Consortium, which manages the scheme. They will send you details of the security controls that are assessed by the scheme. Review your IT network to ensure that you meet the relevant standards and complete the questionnaire to submit to the certification body.
If you require Cyber Essentials Plus, you will need to complete the basic review first, unless you have already completed it within the last three months and been awarded the certification. You will then need to arrange a suitable date for the external assessment.
If you do not pass, the assessors will provide feedback and you can reapply. Should you pass the assessment, you will receive a certificate that will be valid for 12 months.
How much does it cost to get a certificate?
The cost follows a pricing structure depending on the size of the organisation. Currently, costs are £320 for SMEs with up to nine employees; £440 for SMEs with up to 49 employees; £500 for SMEs with up to 500 employees; and £600 for large businesses with 250 employees or more. VAT is payable on all of these costs.
For the more advanced Cyber Essentials Plus certification, the costs will vary depending on the size and complexity of the IT network.
How often do I need to renew my certification?
The Cyber Essentials certification is valid for 12 months and needs to be renewed on an annual basis. This is to ensure that the security measures in place remain robust and relevant to the rapidly evolving online security environment, and also that they are appropriate for your IT infrastructure.
What happens if the Cyber Essentials assessment is failed?
If an organisation doesn’t meet the criteria during the Cyber Essentials assessment, the assessing body will usually provide feedback on the areas requiring further improvement. There will be the opportunity to make the relevant adjustments and reapply for the assessment.