Cyber Essentials FAQs

General information about the scheme

• Why should we get a Cyber Essentials certificate?

  The Cyber Essentials scheme’s five security controls provide the basic level of protection that you need and can protect it from around 80% of cyber attacks, allowing you to focus instead on your core business objectives.

  By properly implementing cyber security controls, you will also drive business efficiency throughout the organization, saving money and improving productivity.

  A Cyber Essentials or Cyber Essentials Plus badge will enhance your business’s reputation and open up new commercial opportunities by proving to your customers that you take the security of their information seriously and are taking the necessary steps to reduce cyber risks.

  If you supply – or want to supply – larger organizations that manage their third-party risks properly, the independent verification of your security posture provided by certification demonstrates that you won’t endanger the supply chain.

  Cyber Essentials certification also reduces insurance premiums. A 2015 government report found that the majority of insurers believed Cyber Essentials provides “a valuable signal of reduced risk when underwriting cyber insurance for SMEs”. A number of insurers have “agreed to build reference to the Cyber Essentials standard into their cyber insurance applications, and will look to simplify the application where accreditation has been achieved by the applicant.”

  If you want to apply for government contracts, you’ll need Cyber Essentials certification too. The UK Government now requires “suppliers of most contracts and services to hold a Cyber Essentials certificate.”

  A government report found that the majority of insurers believe “that Cyber Essentials would provide a valuable signal of reduced risk when underwriting cyber insurance for SMEs, allowing them to use a reduced question set and informing their decisions to underwrite” and that “participating insurers operating in the SME insurance sector have agreed to build reference to the Cyber Essentials standard into their cyber insurance applications, and will look to simplify the application where accreditation has been achieved by the applicant.”

• What is required for certification to Cyber Essentials?

  In short, the application process entails the following:

  • Complete a self-assessment questionnaire;
  • Questionnaire is signed off by a senior company representative;
  • Questionnaire is verified by an external certification body.
  • Certification from CREST-approved certification bodies provides the added protection and assurance of an external vulnerability scan and, at IT Governance, this is already included in the pricing and integrated into the process.
• What is required for certification to Cyber Essentials Plus?

  Cyber Essentials Plus provides a more advanced level of assurance. In addition to the requirements stated for Cyber Essentials, organizations applying for CE Plus benefit from an additional internal assessment and internal scan, conducted on-site by the certification body.

• Who will conduct the assessments for Cyber Essentials and Cyber Essentials Plus?

  Only accredited certification bodies can undertake assessments and issue certificates. IT Governance is a CREST-accredited certification body.

• How long will it take between submitting our questionnaire and receiving our certificate?

  For Cyber Essentials, it is possible, depending on your current security setup and speed of action, to get from application to certification in a couple of days. However, most organizations will take about a fortnight to complete the questionnaire, schedule and successfully complete the external scan, and finalise their SAQ. This may be longer for Cyber Essentials Plus clients, which will also need to arrange the on-site visit to complete the internal security assessment.

  This timescale is also dependent on the client correctly completing the scope and target details first time and responding to requests on time.

• Why choose a CREST-accredited certification body?

  By choosing a CREST-accredited certification body such as IT Governance, you will benefit from an additional level of independent verification of your cyber security status, provided by an external vulnerability scan. Although non-CREST-accredited certification options exist, none offer the same level of independent verification and stakeholder assurance that the CREST-accredited option does.

  Many large organizations prefer their suppliers to have this form of certification.

---

Application process

• What can we expect from the Cyber Essentials application process?

  The process below describes the Cyber Essentials DIY package, using IT Governance’s Cyber Essentials portal. Step-by-step guidance is contained within the portal.

  • Purchase the ‘DIY online submission’ option for Cyber Essentials.
  • Receive an automated response email with details to log in to the Cyber Essentials portal.
  • Register on the Cyber Essentials portal.
  • Start the application.
  • Complete the scope.
  • Complete the SAQ.
  • The SAQ is automatically marked and provides an interim result.
  • IT Governance reviews and approves the scope.
  • Schedule the scans via the Cyber Essentials portal.
  • IT Governance approves the scan schedule and conducts the scans.
  • IT Governance reviews the results of the scans and the questionnaire.

  If all previous activities result in a ‘pass’:

  • Submit the questionnaire and scan results for certification.
  • The IT Governance assessors review the final submission, which is then checked by a QA.
  • A certificate and branding pack are issued to your organization.
  • A report is prepared and available usually within ten days.
  • The certification process is complete.

  For Cyber Essentials Plus, there is an additional step where an on-site visit and internal assessment will be conducted by IT Governance.

---

Certification

• Where can we display our Cyber Essentials certificate?

  On successfully passing all components of the Cyber Essentials application, you will receive a branding pack including your certificate. The pack will also include a Cyber Essentials Badge that can only be displayed by organizations that have passed the relevant assessment.

  The badge can be displayed by authorised organizations on:

  • Websites;
  • Promotional material;
  • Letterheads; and
  • Email signatures.
• Where are Cyber Essentials certified organizations listed?

  You can search by name to find organizations holding a Cyber Essentials certificate issued in the past 12 months here on the NCSC (National Cyber Security Centre) website.

• How do certified organizations get listed on the NCSC website?

  Within the portal, you have the option to publish your company details and certificate level to the NCSC website.

• How do we renew our Cyber Essentials certificate?

  The UK government recommends that you renew your certification at least annually.

  If you do not re-certify:

  • You will be automatically removed from the directory of organizations awarded Cyber Essentials certification. These details can be searched by anyone wishing to assess their supply chain at www.cyberessentials.ncsc.gov.uk/; and
  • You will not be able to apply for government contracts. The UK government now requires “suppliers of most contracts and services to hold a Cyber Essentials certificate”

  Re-certifying is like having an annual MOT for your cyber security controls. It gives your IT an essential annual check to protect against a wide variety of the most common cyber attacks.

  To get started, simply:

  • Purchase your package here; and
  • Make sure you use the email for your existing account to be able to port across your company details and questionnaire answers from your previous application to your new application.

---

Guidance about the certification process

• We need more guidance about the certification process.

  IT Governance offers the basic ‘DIY’ package for Cyber Essentials and Cyber Essentials Plus. It is ideal for organizations that have knowledge of the five security controls required for Cyber Essentials certification: secure configuration, boundary firewalls, access controls, patch management and malware protection. This knowledge is necessary to complete the SAQ.

  However, if you need some help with your application process, we recommend that you purchase one of the following products:

  • Get A Little Help: includes two hours of Live Online consultancy to help you through the application process.
  • Get A Lot of Help: includes on-site consultancy with a cyber security practitioner to provide guidance on completing the SAQ and how to implement the five controls.
  • Live Online: online consultancy by the hour.

---

Defining the scope

• How do we define the scope?

  The scope should be clearly defined in terms of the organization or business unit managing it, the network boundary and the physical location(s).

  Regardless of whether the whole or a part of the organization is subject to certification, the name on the certificate must be consistent with the scope. The scope must be agreed before any testing starts.

  The scope statement will appear on your Cyber Essentials certificate; the description will be used to verify that the scope, questionnaire responses and subjects of the scan are consistent.

  A simple way to determine this:

  • If you are using SaaS (Software as a Service) then it is out of scope.
  • With PaaS (Platform as a Service) then in all likelihood it will also be out of scope, depending on the application that must be configured.
  • If it is Infrastructure as a Service (IaaS) then it will be in scope as you will be responsible for configuring the platform.
  • If you have VPNs connecting sites together, then, depending on the technology, the public IP address of the VPN connection is in scope even if you are using internal private addressing and route all internet traffic through the VPNs to a central egress point.

  If you use a private MPLS VPN then there may not be public IP addresses.

• What should a scope description look like?

  Here is an example scope description:

  The Internet-facing infrastructure consists of the email server, SharePoint and three firewalls. Company mobiles are out of scope as they only connect to a guest wireless network that connects straight out of the Internet and has no connection to the corporate network. External hosted systems include a custom ERP platform, which also connects to our infrastructure over the Internet and is in scope. Our externally hosted web servers are out of scope as they are wholly managed by third parties. We also use Google Docs and ShareFile cloud based services, which are also out of scope.

• How do we determine IP addresses?

  An IP (Internet protocol) address is a unique number assigned to a computer when it connects to the Internet. It consists of a series of numbers separated by periods (also called a “dotted quad”)

  organizations applying for Cyber Essentials will also need to test all of their in-scope public-facing IPs.

  For most organizations, this will be the block of IP addresses they get from their Internet service provider, but it also includes IP addresses at all in-scope locations such as data centres and Cloud providers.

  IPs can be excluded from testing, especially those belonging to Cloud providers, if you do not have control of the security configuration of the service.

  If you need advice about how many IP addresses to test, purchase a short Live Online consultancy session with one of our experts.

• What should we do if we have more than 16 IP addresses?

  Certification to Cyber Essentials and Cyber Essentials Plus requires organizations to undergo an external vulnerability scan of their Internet-facing applications and networks.

  All of our packages include an external vulnerability scan that covers up to 16 IP addresses.

  Through our Cyber Essentials portal, you can schedule these external vulnerability scans online and automatically submit the results to IT Governance upon completion.

  If you need to test more than 16 IP addresses, you can purchase additional IP packages for your Cyber Essentials certification vulnerability scan here.

• How do we determine how many workstations, mobile devices and build types need to be tested for Cyber Essentials Plus?

  Cyber Essentials Plus involves a technical audit of the systems that are in scope for Cyber Essentials. This includes a representative set of workstations, mobile devices and build types in use by the organization that can be accessed by an unauthorised user.

  The number of builds is defined by the number of configurations of operating system and software suites installed. Examples of relevant software include:

  • Oracle Java
  • Adobe Acrobat
  • Microsoft Office
  • Adobe Flash
  • Mozilla Firefox
  • Google Chrome
  • Opera
  • Microsoft Internet Explorer
  • Antivirus solution

  If more than one browser or Office suite is used, each variant will need to be tested. If they are installed on the same build, this is acceptable. The table below can be used to determine the representative sample size for each build type:

  Number of devices by build type	Sample of devices to be tested
  1	1
  2-5	2
  6-19	3
  20-60	4
  61+	5

   

  Example:

  Build type	Number is use	Sample to test
  Windows 8 laptop	1	1
  Windows 10 laptop	6	3
  Windows 10 desktop PC	50	4
  iPhone	200	5
  Kali Linux laptop	3	2
  Total sample size to be tested:		15

• What should we do if we have more than ten device builds?

  IT Governance’s Cyber Essential Plus provides on-site testing at one location, of one type of user account, on up to ten device builds.

  If you need to test additional devices, you can purchase our Cyber Essentials Plus Additional Device Testing package for your Cyber Essentials Plus on-site assessment.

---

Vulnerability scanning

• Why do some certification bodies require an external scan in addition to the SAQ?

  CREST-accredited certification bodies know that their clients place greater value on independently verified claims of security and therefore use an additional level of independent assurance in the form of a technical vulnerability scan. This scan is mandated by CREST in order to demonstrate another level of independent assurance, instead of only the SAQ. This approach is known as an independently verified approach.

• Must we have vulnerability scans/penetration tests provided by a third party?

  The scans are conducted to a common standard, as mandated by CREST. This guarantees their integrity and correctness. Including the scans as part of the certification process means the application process is more efficient and cost-effective. For this reason, the scans can only be provided by a CREST-accredited certification body as part of the certification work.

• Should we apply for a CE badge in addition to our ISO 27001 certification?

  Although ISO 27001 is seen as a more comprehensive level of assurance, a CE badge might ought to be seen as a core indicator of cyber security. It might also be required by certain clients as well as ISO 27001 certification.

• Can we use our existing vulnerability scanning/penetration testing company?

  No. Only appointed certification bodies (e.g. CREST-accredited certification bodies) can conduct vulnerability scans for Cyber Essentials certification.

  The scans are conducted to a common standard, as mandated by CREST. This guarantees their integrity and correctness. Including the scans as part of the certification process means the application process is more efficient and cost-effective. For this reason, the scans can only be provided by a CREST-accredited certification body as part of the certification work.

• Can we self-certify and carry out our own vulnerability scans and penetration tests?

  No. All assessments must be done independently by an external certification body as part of the certification work.

  The scans are conducted to a common standard, as mandated by CREST. This guarantees their integrity and correctness. Including the scans as part of the certification process means the application process is more efficient and cost-effective. For this reason, the scans can only be provided by a CREST-accredited certification body as part of the certification work.

• What is the difference between the types of scans and assessments that will be conducted by the certification body for Cyber Essentials and Cyber Essentials Plus?

  Cyber Essentials:

  • A review of the SAQ (self-assessment questionnaire).
  • An external vulnerability scan of the Internet-facing networks and applications to verify that there are no known vulnerabilities present.

  Cyber Essentials Plus:

  • A review of the SAQ (self-assessment questionnaire).
  • An external vulnerability scan of the Internet-facing networks and applications to verify that there are no known vulnerabilities present.
  • A test of the security and anti-malware configuration of each device type/build using malicious email attachments and web-downloadable binaries, including an on-site assessment.

---

Cyber Essentials and ISO 27001 certification

• Do organizations have to certify to Cyber Essentials if they have already achieved ISO 27001 certification?

  Yes. Although ISO 27001 is considered a much more comprehensive and rigorous standard, organizations wishing to obtain the Cyber Essentials badge will still need to apply for certification to either Cyber Essentials or Cyber Essentials Plus.

• Should we apply for a Cyber Essentials badge in addition to our ISO 27001 certification?

  Although ISO 27001 is seen as a more comprehensive level of assurance, a Cyber Essentials badge is seen as a core indicator of cyber security. It might also be required by certain clients in addition to ISO 27001 certification.

• Can Cyber Essentials replace ISO 27001?

  No. We recommend that Cyber Essentials is adopted in addition to – rather than instead of – ISO 27001. ISO 27001 offers various additional benefits, such as its international recognition, comprehensive approach and position at the core of cyber resilience.

  Because ISO 27001 includes controls focusing on information security continuity, it provides an excellent foundation for a more comprehensive cyber resilience posture.

  “You can use Cyber Essentials to try to stop low-level attacks from succeeding, but, realistically, some will get through your defences. How you recover from an attack falls entirely outside the scope of Cyber Essentials, so additional measures are essential.” – Alan Calder, Founder and Executive Chairman, IT Governance.

• Which should we start first: Cyber Essentials, ISO 27001, or both at the same time?

  It will be more efficient to start both at the same time – IT Governance can help you with an integrated approach. However, depending on your current resources, time commitments and budget, you could start with the Cyber Essentials scheme, which will give you an introduction to the world of certification, and then continue to ISO 27001 when you are ready.