FAQ: What is Cyber Essentials?

Cyber Essentials is a government-backed scheme designed to help organisations of all sizes reduce their risk of common cyber-attacks. It allows businesses to obtain one of two Cyber Essentials badges and has the support of industry organisations like the Federation of Small Businesses, the CBI and numerous insurance organisations.

What are the certification levels?

There are two levels of certification available: Cyber Essentials and Cyber Essentials Plus.

What are the requirements?

In order to become certified your IT infrastructure must meet specific requirements. These are defined by five technical controls:

1. Firewalls – You must configure and use a firewall to protect all devices, particularly those that connect to public or other untrusted wifi networks
2. Secure Configuration – Only use necessary software, accounts and apps
3. User Access Control – You must control access to your data through user accounts. Only give administrative privileges to those who require them and control what an administrator can do on those accounts
4. Malware Protection – You must implement at least one measure (e.g. Anti Malware, Whitelisting, Sandboxing) to defend against malware
5. Patch Management – You must keep all your devices, software and apps up to date

Companies applying will also need to test all their in-scope public-facing IPs. For most companies, this will be the block of IP addresses they get from their internet service provider, but it also includes IP addresses at all in-scope locations like data centres and cloud providers.

You can exclude IP addresses from tested if you do not have control of the security configuration of the service, for example where the address belongs to the cloud provider.

Cyber Essentials Plus also includes a technical audit of in-scope systems. This includes a representative set of workstations, mobile devices and build types in use by the organisation which an unauthorised user could access.

To determine the number of build types you must review the number of operating systems and software suites installed. For instance, if more than one browser or Office suite is used then each variant will need to be tested.

What are the benefits of Cyber Essentials?

• Protects your organisation from approximately 80% of cyber-attacks, according to the UK government.
• Demonstrates your commitment to security and data protection to customers and stakeholders.
• Boosts your reputation and increases your chance of securing new business by showing you have cyber-security measures in place.
• Cyber Essentials permits you to work with the UK government, Plus gives you the opportunity to work with the MoD.
• Lets you focus on your business objectives, knowing you are secure.

What are the requirements for Cyber Essentials certification?

• Firstly, complete a self-assessment questionnaire.
• Then, a senior company representative signs off the questionnaire.
• An external certification body then verifies the questionnaire.
• The external certification body undertakes an external vulnerability scan of Internet-facing. networks and applications to verify there are no known vulnerabilities present.

What are the requirements for Cyber Essentials Plus certification?

• Firstly, complete a self-assessment questionnaire.
• Senior company representative signs off the questionnaire.
• Then, an external certification body then verifies the questionnaire.
• The external certification body undertakes an external vulnerability scan of Internet-facing. networks and applications to verify there are no known vulnerabilities present.
• They will also test the security and anti-malware configuration of each device type/build. This is done using malicious email attachments and web-downloadable binaries, including an on-site assessment.

How to get Cyber Essentials certified

QuoStar offers a Cyber Essentials consultancy service for organisations that require additional guidance. Our service includes Gap Analysis, technical support and guidance to implement the required controls, practical advice to ensure ongoing security and guaranteed certification. Please click here for more information on our Cyber Essentials consultancy service.