Cyber Essentials – Frequently Asked Questions

Author: Sarah Knowles

What is Cyber Essentials?

Cyber Essentials is a Government backed scheme which provides simple but effective controls to protect your organisation, whatever its size, against a range of the most common cyber-attacks. 

Why should my business be interested in Cyber Essentials?

There are a number of reasons why your business would want to achieve Cyber Essentials certification.

  • Obtaining Cyber Essentials will help protect your business against the vast majority of cyber-attacks that are faced today.  Research shows that of the commodity attacks out in the wild, almost 70% are fully mitigated and nearly 29% are partially mitigated simply by implementing the controls in Cyber Essentials;

  • Being certified will show your customers that you are taking cyber security seriously and are working to protect your business.  As businesses start to examine their supply chain and establish what cyber security precautions are in place, can you afford not to be certified?

  • Having Cyber Essentials may allow your business to take on government contracts.  For example, the Ministry of Defence has mandated Cyber Essentials for all of its new suppliers since 2016.  Businesses looking to bid for NHS contracts are also required to have Cyber Essentials or Cyber Essentials Plus;

  • Successfully obtaining Cyber Essentials certification will provide your business with cyber liability insurance (NB some conditions apply).

What’s the difference between Cyber Essentials and Cyber Essentials Plus?

There are two levels of certification – Cyber Essentials and Cyber Essentials Plus.

The same set of technical controls applies to both certifications.  Businesses need to complete a questionnaire and then submit this for verification by a qualified assessor.  As long as your business meets the controls, you will obtain the Cyber Essentials certification.

To achieve Cyber Essentials Plus, you will complete the same questionnaire, but then you will need to go through a technical audit with a qualified assessor, who will examine the controls and test that they work in the way you have stated.  Part of this assessment includes a vulnerability scan against a selection of your systems in scope for assessment.

I’m only a small business, surely I can’t get certified in Cyber Essentials?

The size of your business is not important when it comes to obtaining Cyber Essentials.  The certification can be achieved by sole traders up to global corporations and everything in between.  The controls you need to implement are fully scalable regardless of the number of employees you have. 

I’ve already got ISO 27001, why do I need Cyber Essentials as well?

Businesses may presume that if they already have ISO 27001 then they already meet the requirements for the seemingly less complex Cyber Essentials certification; however, that might not actually be the case. 

ISO 27001 is fundamentally an information security management standard.  An organisation will carry out a risk assessment of its information security risks and then determine which controls they want to implement in order to treat those risks.  As part of this, the business may decide to implement a different set of controls from Cyber Essentials or even decide not to implement at all.  The controls within Cyber Essentials are mandated and therefore provide a different assurance from ISO 27001.  Both certifications hold value, but in different ways. 

How can Nexor help?

You may find the thought of achieving Cyber Essentials/Cyber Essentials Plus a little daunting, or maybe you don’t know where to start with implementing the required controls.  Nexor can offer a range of services to help your business get Cyber Essentials certified.  Contact us now to book your consultation.


About the author

Sarah Knowles is an NCSC certified Security and Information Risk Adviser, an ISC2 Certified Information Systems Security Professional (CISSP), ISO 27001 Lead Auditor and a Cyber Essentials and IASME Governance Assessor. She has a technical background primarily in Microsoft technologies and has provided security governance, compliance and risk management to both HMG and private sector clients.
