Exploring Cyber Essentials with Our Expert Advisor

Meet Ollie, our dedicated cyber security advisor specialising in Cyber Essentials certification. 

We recently had a discussion with him to delve into the intricacies of the program and determine the most suitable Cyber Essentials solutions tailored to different organisations. 

Let’s start with the basics: What exactly is Cyber Essentials? 

Cyber Essentials is a government-backed certification designed to fortify UK organisations against prevalent, low-level cyber threats such as malware and phishing attacks. 

 It emphasises five fundamental control themes that are both cost-effective and easy to implement: 

1. Firewalls 
2. Secure configuration 
3. Security update management 
4. User access control 
5. Malware protection 

Why should organisations pursue certification? 

Obtaining Cyber Essentials certification enables organisations to demonstrate their commitment to basic, yet effective, cyber security measures. This fosters trust with stakeholders and serves as a prerequisite for securing certain contracts, particularly those with government entities. Equally if your organisation works in Healthcare, Defence, Financial Services or indeed any industry which stores sensitive data, there’s a strong possibility Cyber Essentials is a business requirement. 

Additionally, Cyber Essentials certification can lead to reduced insurance premiums with the scheme itself providing cyber insurance coverage up to £25,000, making it a cost-effective investment for most organisations. 

What else should organisations know about certification? 

One key aspect to note is that the certification process comprises two tiers: 

1. Cyber Essentials
2. Cyber Essentials Plus 

Both tiers share the same technical requirements but differ slightly in their certification procedures. While Cyber Essentials involves completing a self-assessment questionnaire independently verified by a third party, Cyber Essentials Plus validates an organisations Cyber Essentials through a technical audit, including vulnerability scans and tests of in-scope systems. 

It’s important to mention that Cyber Essentials Plus applicants must first achieve Cyber Essentials certification, and the technical audit must be completed within three months of obtaining the initial certification. 

Who should opt for Cyber Essentials Plus certification? 

Organisations aiming to enhance and validate their overall security posture against evolving cyber threats are prime candidates for Cyber Essentials Plus certification. 

Specifically, organisations pursuing government contracts, particularly those with the Ministry of Defence, often require Cyber Essentials Plus. However, other entities may also demand this higher-tier certification, reflecting its growing prominence in the UK. 

Cyber Essentials Plus provides additional assurance to customers and stakeholders, verifying the correct implementation of technical controls, which is not included in the basic tier. This extra layer of validation reinforces confidence in an organisation’s cyber security measures. 

Is Cyber Essentials Plus a stepping stone to more comprehensive frameworks like ISO 27001? 

Indeed, many organisations leverage Cyber Essentials and Cyber Essentials Plus as stepping stones toward more robust frameworks such as ISO 27001. 

While ISO 27001 encompasses a broader spectrum of requirements, Cyber Essentials focuses solely on basic technical controls, making it a pragmatic starting point for organisations.  

What support is available to coach organisations through Cyber Essentials? 

At NormCyber, we offer a range of Cyber Essentials packages tailored to various organisational needs. 

For example, our Supported packages provide extensive guidance for Cyber Essentials newcomers, ensuring a smooth experience, while experienced clients who undergo annual assessments may opt for our Basic or Guided packages, depending on their support requirements. 

Considerations such as organisational experience, familiarity with Cyber Essentials, and the complexity of the scope should inform the selection of the appropriate package. 

What can customers anticipate when purchasing a Cyber Essentials package from NormCyber? 

NormCyber offers a variety of packages for organisations pursuing Cyber Essentials certification. Here’s what each package includes: 

• Basic Cyber Essentials: Customers create an account in the IASME portal to access and submit their Cyber Essentials assessment, which we review and mark. This package does not include additional support. 
• Guided Cyber Essentials: This package includes everything in the Basic package plus half a day of consultancy. Customers can submit a “dry run” of their Cyber Essentials assessment using the IASME spreadsheet of questions. The consultant reviews and provides feedback on this dry run during the half-day session before the customer completes the final application. 
• Supported Cyber Essentials: This package includes all the benefits of the Guided package plus one full day of consultancy (additional time can be purchased). The consultant spends half a day going through each question in the assessment with the customer. Afterward, the customer submits a dry run, which the consultant reviews during the remaining time, providing feedback before the final submission. 
• Cyber Essentials Plus: We conduct the Cyber Essentials Plus audit, which typically requires half a day for audit activities and any necessary remediation work. Customers have 30 days from the audit date to address any issues and achieve CE+. If issues are not resolved within 30 days, a new audit is required, restarting the 30-day remediation period. Customers must achieve CE+ within three months of their Cyber Essentials certification. 

For further information on how Norm can support your Cyber Essentials requirements, please contact info@normcyber.com