Getting your Business Certified
The first stage in the certification process is to decide which level to certify against – Cyber Essentials or Cyber Essentials Plus:
- Cyber Essentials - organisations complete a self-assessment questionnaire which is reviewed by an external Certifying Body
- Cyber Essentials Plus - tests of an organisation's systems are carried out by an external Certifying Body
Both Cyber Essentials and Cyber Essentials Plus include a questionnaire that covers the security controls and the secure configuration of an organisation’s computing resources. At the Cyber Essentials level, CREST Certifying Bodies also conduct a remote technical assessment aimed at validating elements of the questionnaire.
The key differentiator for Cyber Essentials Plus is the inclusion of a technical review of the organisation’s workstations. This additional phase of testing increases the validity of certification considerably by providing evidence of compliance against the following scenarios:
- Can malicious files enter the organisation from the Internet through either web traffic or email messages?
- Should malicious content enter the organisation, how effective are the anti-virus and malware protection mechanisms?
- Should the organisation’s protection mechanisms fail, how likely is it that the organisation will be compromised due to failings in the patching of the organisation’s workstations?
Cyber Essentials Plus is a more thorough assessment of the organisation and, as a result, may provide greater security assurance. However, it does come at an additional cost, which will factor into the decision-making process. Ultimately, the decision on which level to certify against will be influenced by an organisation’s cyber security stance and those of its business partners, suppliers and stakeholders.
Once an organisation has been assessed against the Cyber Essentials security criteria and passes, it will receive the relevant Cyber Essentials award (badge) for the level of certification achieved, which demonstrates that it has attained a fundamental level of cyber security.