Achieving certification to the Cyber Essentials Scheme

There are two types of certification: Cyber Essentials, which relies on self-assessment and an external verification by a certification body, and Cyber Essentials Plus, which relies on a more rigorous onsite assessment and internal scan by a certification body (as well as the requirements of Cyber Essentials).

What type of verification will be conducted?

Once an organisation has successfully passed an assessment against either level of the scheme’s requirements it will be awarded the relevant Cyber Essentials award or 'badge'.

Cyber Essentials

• First, the scope (i.e. the Internet-facing systems to be covered) is defined by the organisation.
• The organisation answers the Cyber Essentials self-assessment questionnaire to demonstrate its level of compliance with the requirements for basic cyber security. The questionnaire is signed by an authorised signatory from the organisation to confirm its accuracy, and is then sent to the certification body to be reviewed.
• All CREST-accredited certification bodies will conduct an external vulnerability scan of the Internet-facing networks and applications to verify that there are no known vulnerabilities present.

Cyber Essentials Plus

• All CREST-accredited certification bodies will conduct the necessary verification for Cyber Essentials as stated above, followed by a more thorough, internal scan and on- site assessment of a sample of relevant devices that are connected to the Internet and/ or capable of receiving emails.

In both cases, certification reflects the state of an organisation’s cyber security only at the time of assessment. It is no proof of the ongoing effectiveness of an organisation’s cyber security.

Solutions for CE certification

IT Governance offers three unique solutions to certification that will enable you to achieve certification to either Cyber Essentials or Cyber Essentials Plus cost-effectively and easily.

View the 3 solutions to certification >>