The Cyber Essentials scheme is a cybersecurity certification that outlines the security procedures a company should have in place to keep its data secure. The certification covers five protection measures: firewalls and internet gateways, secure configuration, access control, malware protection, and patch management.
Cyber Essentials is a certification scheme backed by the Government in an attempt to reduce cyber vulnerability throughout the supply chain. When implemented correctly, the security controls outlined should prevent 80% of cyber-attacks.
How is Cyber Essentials implemented?
There are two different levels of badge that your company can apply for:
- Cyber Essentials: the standard Cyber Essentials certification is a self-assessment questionnaire that is reviewed externally.
- Cyber Essentials Plus: this includes all of the assessment for the Cyber Essentials certification, but the system tests are carried out by an external certifying body.
Any organisation, no matter the size, can download the Cyber Essentials documents and use them to put essential security controls in place via the self-assessment.
What type of Cyber Essentials should you go for? What’s the difference?
We would recommend you go for Cyber Essentials Plus, because Cyber Essentials Plus certification involves an on-site audit and testing of the technical security controls by the certification body. The certification process ensures that you actually have the required technical controls in place. Although it costs more to achieve CE Plus certification, it is absolutely worth it.
On the other hand, CE is a straightforward exercise where you answer the self-assessment questionnaire from the certification body and they evaluate your answers. If all goes well you will pass and a certificate will be issued.
In layman's terms, Cyber Essentials is you saying that you have the security controls in place, and Cyber Essentials Plus is the certification body auditing the technical controls.
Why do you need it?
Having the Cyber Essentials badge not only protects your organisation against 80% of cyber-attacks, it also demonstrates to your customers and supply chain that you have considered security controls and are working in a safe and secure environment. It also means that you can bid for important government contracts, as the Cyber Essentials certification is likely to become mandatory for them.
Why is it important when bidding for public sector contracts?
From as early as 2014, the Government issued a mandate stating that all suppliers must comply with the new Cyber Essentials controls when bidding for certain government contracts; this was mainly seen in contracts that involved handling sensitive information and technical services. The Ministry of Defence applied this from 2016 for all of its suppliers, and Cyber Essentials is now far more common across the board for all contracts.
In recent months, we have seen numerous tender documents from local authorities asking for Cyber Essentials as a minimum requirement when bidding for a contract, i.e. if you do not have Cyber Essentials you will not be considered for the contract and it will count as a fail.
We can only assume that in the coming months this requirement will become mandatory, as it is extremely risky for the public sector to work with suppliers who do not have Cyber Essentials in place. Taking into account the vast supply chain associated with the public sector in the UK, and the fact that it is a clear government initiative, you cannot blame them.
Get ahead of the competition and ensure that you are up to date with exactly what Cyber Essentials is, and see example questions from the self-assessment questionnaire to find out more about what is involved in the process.
If you would like to discuss how your business could implement and make the most of Cyber Essentials, or if you have any other questions, please feel free to get in touch with us here at aFinite. You can arrange a meeting with one of our team; just choose the time that best suits you.