DataGuard UK Blog

Cyber Essentials checklist & SAQ [Free Download] - DataGuard

Written by DataGuard Information Security Experts | September, 9


Why do you need a Cyber Essentials checklist?

A Cyber Essentials checklist helps you stay up-to-date on your cybersecurity obligations. It condenses the security requirements found in IASME's (Information Assurance for Small and Medium Enterprises) extensive self-assessment questionnaire (SAQ) into a simple guide.

Like IASME's SAQ, our Cyber Essentials checklist covers the five key cybersecurity controls, which you can refer to in order to ensure you remain compliant with Cyber Essentials.

What are the five security controls of Cyber Essentials?

Cybersecurity concerns organisations of all sizes, and it's important to understand how to mitigate the risks associated with cyberattacks.

Cyber Essentials certification protects against the most common cyberattacks, i.e., the commodity attacks that succeed against networks lacking these basic security controls. The controls fall under five main categories:

1. Firewalls

To comply with the Cyber Essentials certification, a firewall must be installed on all devices with internet connectivity. Firewalls create a "buffer zone" between your organisation's network or device and external networks. Make sure that every opening or closing of a port is authorised and documented, and that firewalls are enabled on end user devices.

2. Secure configuration

The default settings for a network, device, or software cannot be considered safe as they often use an administrator account with a default password that anyone can find. Have all unnecessary software and user accounts been uninstalled and disabled? Computers and network devices should be set up to ensure maximum security for the organisation.

3. User access controls

Managing user accounts, especially those with special access privileges, prevents misuse and unauthorised access. Do you review admin accounts regularly and enforce user permissions policies? Accounts should only be assigned to authorised individuals with minimum access to applications, computers, and networks.

4. Security update management

Manufacturers and developers regularly release updates that address identified security risks. Are all operating systems and mobile devices up to date? Applying these updates is known as "patching", and configuring your systems to update automatically ensures they are protected as soon as a new update is released.

5. Malware management

Organisations should install anti-malware software on all devices with internet connectivity. Malware is intentionally created and spread to perform unauthorised activities on systems.

Some examples of malware sources are malicious email attachments, downloads, and unauthorised software installations. Check that malware protection and antivirus software are regularly updated.
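The five controls above are checks a practitioner can run against an asset inventory. As an added example (not DataGuard's or IASME's own tooling), the Python script below evaluates a constructed device inventory against each control and returns a list of findings per device. The thresholds (a 14-day patch window, a 90-day admin account review cycle, 7-day-old anti-malware definitions) and the device records are assumptions made for this example, not figures from the article.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions for this example, not figures from the article.
PATCH_WINDOW_DAYS = 14      # how long an outstanding security update may be left unapplied
ADMIN_REVIEW_DAYS = 90      # how often admin accounts must be reviewed
AV_SIGNATURE_DAYS = 7       # maximum age of anti-malware definitions


@dataclass
class Device:
    """One entry of a constructed asset inventory (sample data, not a real host)."""
    name: str
    internet_connected: bool
    firewall_enabled: bool
    open_ports: dict            # port -> change ticket reference, or None if undocumented
    default_password_changed: bool
    unused_software: list
    unused_accounts: list
    admin_accounts: list
    admin_review_date: date
    last_security_update: date
    antimalware_installed: bool
    antimalware_updated: date


def check_firewall(dev: Device) -> list:
    """Control 1: firewall on every internet-connected device; every open port authorised."""
    findings = []
    if dev.internet_connected and not dev.firewall_enabled:
        findings.append("firewall disabled on internet-connected device")
    for port, ticket in sorted(dev.open_ports.items()):
        if ticket is None:
            findings.append(f"open port {port} has no documented authorisation")
    return findings


def check_secure_configuration(dev: Device) -> list:
    """Control 2: no default passwords, no unnecessary software or accounts."""
    findings = []
    if not dev.default_password_changed:
        findings.append("default administrator password still in use")
    if dev.unused_software:
        findings.append("unnecessary software present: " + ", ".join(dev.unused_software))
    if dev.unused_accounts:
        findings.append("unnecessary accounts enabled: " + ", ".join(dev.unused_accounts))
    return findings


def check_user_access(dev: Device, authorised_admins: set, today: date) -> list:
    """Control 3: admin accounts reviewed regularly and held only by authorised individuals."""
    findings = []
    if (today - dev.admin_review_date).days > ADMIN_REVIEW_DAYS:
        findings.append(f"admin accounts not reviewed within {ADMIN_REVIEW_DAYS} days")
    for account in dev.admin_accounts:
        if account not in authorised_admins:
            findings.append(f"admin account '{account}' is not an authorised individual")
    return findings


def check_updates(dev: Device, today: date) -> list:
    """Control 4: security updates applied within the patch window."""
    age = (today - dev.last_security_update).days
    if age > PATCH_WINDOW_DAYS:
        return [f"security updates outstanding for {age} days (limit {PATCH_WINDOW_DAYS})"]
    return []


def check_malware(dev: Device, today: date) -> list:
    """Control 5: anti-malware installed on internet-connected devices and kept current."""
    if dev.internet_connected and not dev.antimalware_installed:
        return ["no anti-malware software on internet-connected device"]
    if dev.antimalware_installed:
        age = (today - dev.antimalware_updated).days
        if age > AV_SIGNATURE_DAYS:
            return [f"anti-malware definitions {age} days old (limit {AV_SIGNATURE_DAYS})"]
    return []


def assess(devices: list, authorised_admins: set, today: date) -> dict:
    """Run all five control checks and return {device name: [findings]}."""
    report = {}
    for dev in devices:
        report[dev.name] = (check_firewall(dev)
                            + check_secure_configuration(dev)
                            + check_user_access(dev, authorised_admins, today)
                            + check_updates(dev, today)
                            + check_malware(dev, today))
    return report


# Constructed sample inventory: one compliant laptop and one neglected web server.
SAMPLE_DEVICES = [
    Device("laptop-01", True, True, {}, True, [], [], ["alice"],
           date(2022, 1, 15), date(2022, 2, 20), True, date(2022, 2, 28)),
    Device("web-01", True, False, {443: "CHG-0042", 8080: None}, False,
           ["telnetd"], ["guest"], ["alice", "svc-legacy"],
           date(2021, 10, 1), date(2022, 1, 20), True, date(2022, 2, 1)),
]
AUTHORISED_ADMINS = {"alice", "bob"}   # constructed list of approved admin users
ASSESSMENT_DATE = date(2022, 3, 1)     # fixed so the sample output is reproducible

if __name__ == "__main__":
    for name, findings in assess(SAMPLE_DEVICES, AUTHORISED_ADMINS, ASSESSMENT_DATE).items():
        print(name, "PASS" if not findings else f"{len(findings)} finding(s)")
        for f in findings:
            print("   -", f)
```

Each check maps to one of the five controls, so a failing device tells you exactly which SAQ area needs work; wiring the inventory to real data (firewall state, patch dates, account lists) is the part that varies per organisation and is left as the reader's own integration.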

The Cyber Essentials readiness toolkit helps you assess your readiness for Cyber Essentials. It relates to the five controls mentioned above, which, as of 24th January 2022, have been expanded to cover Bring Your Own Device (BYOD) policy, cloud services and home/remote working.

Assessing your readiness ensures that your organisation is on track to comply with Cyber Essentials, and is essential to ensure your organisation is safeguarded against cyber threats.

Why is the Cyber Essentials certification important?

On average, 80% of cyberattacks can be prevented with airtight cybersecurity and a Cyber Essentials certification. Some examples of preventable cyberattacks are:

  • Phishing attacks
  • Malware
  • Ransomware
  • Password-guessing attacks
  • Network attacks

Being Cyber Essentials certified also demonstrates to your customers that your organisation is committed to data protection and cybersecurity, boosting your reputation and attracting new business. Once certified, your organisation will be listed on the NCSC’s website for a period of 12 months, as a public testament of your data protection commitments.

The cost of getting certified in Cyber Essentials depends on the size of your organisation and can range from £300 to £500 + VAT. Additionally, the cost of Cyber Essentials Plus certification can range between £1,900 and £4,000 + VAT.

Being Cyber Essentials certified also permits you to work with the UK Government. Should you choose to pursue a Cyber Essentials Plus certification, your organisation will be eligible to work with the UK Ministry of Defence.

Let us take a quick look at how the two certifications differ.

Cyber Essentials vs Cyber Essentials Plus: What's the difference?

At first glance, the two certifications may seem similar. Both set a baseline benchmark for cybersecurity, but there are some key differences that set Cyber Essentials apart from Cyber Essentials Plus:

| Cyber Essentials | Cyber Essentials Plus |
| --- | --- |
| Covers the basics of cybersecurity | Extends to ethical hacking techniques |
| Certification requires an independent review of your organisation's self-assessment | Certification requires an audit of your organisation |
| Required for all organisations looking to secure government contracts | Required for all organisations pursuing MOD contracts, specifically |

Cyber Essentials Plus expands on the basic Cyber Essentials certification with a detailed audit of your organisation, giving greater assurance of compliance. However, the basic Cyber Essentials SAQ is a valuable tool for assessing the state of your organisation's cybersecurity, and you must hold the basic certification for three months before pursuing Cyber Essentials Plus.

Get ready for Cyber Essentials certification

Reviewing your organisation’s existing cybersecurity measures is the first step to pursuing Cyber Essentials certification. Use the free Cyber Essentials checklist included in this article to assess your organisation’s readiness for the certification and decide whether you will benefit from the certification as well. Protect your organisation from malware and phishing attempts, and demonstrate a strong commitment to cybersecurity.

Cyber Essentials requirements tie in very closely with the ISO 27001 framework for information security, which guides the requirements for an organisation's Information Security Management System (ISMS). If you wish to learn more about the ISO 27001 standard and begin strengthening your organisation's infosec strategy, check out our article on becoming ISO 27001 compliant.

Got more questions? Reach out to us; we'd be happy to consult on how you can strengthen your organisation's cybersecurity.