Cyber Essentials FAQs

• Why should we get a Cyber Essentials certificate?
  

  The Cyber Essentials scheme’s five security controls provide the basic level of protection that you need and can protect it from around 80% of cyber attacks, allowing you to focus instead on your core business objectives.

  By properly implementing cyber security controls, you will also drive business efficiency throughout the organisation, saving money and improving productivity.

  A Cyber Essentials or Cyber Essentials Plus badge will enhance your business’s reputation and open up new commercial opportunities by proving to your customers that you take the security of their information seriously and are taking the necessary steps to reduce cyber risks.

  If you supply – or want to supply – larger organisations that manage their third-party risks properly, the independent verification of your security posture provided by certification demonstrates that you won’t endanger the supply chain.

  Cyber Essentials certification also reduces insurance premiums. A 2015 government report found that the majority of insurers believed Cyber Essentials provides “a valuable signal of reduced risk when underwriting cyber insurance for SMEs”. A number of insurers have “agreed to build reference to the Cyber Essentials standard into their cyber insurance applications, and will look to simplify the application where accreditation has been achieved by the applicant.”

  If you want to apply for government contracts, you’ll need Cyber Essentials certification too. The UK Government now requires “suppliers of most contracts and services to hold a Cyber Essentials certificate.”

  A government report found that the majority of insurers believe “that Cyber Essentials would provide a valuable signal of reduced risk when underwriting cyber insurance for SMEs, allowing them to use a reduced question set and informing their decisions to underwrite” and that “participating insurers operating in the SME insurance sector have agreed to build reference to the Cyber Essentials standard into their cyber insurance applications, and will look to simplify the application where accreditation has been achieved by the applicant.”

• What is required for certification to Cyber Essentials?
  

  In short, the application process entails the following:

  • complete a self-assessment questionnaire;
  • questionnaire is signed off by a senior company representative;
  • the questionnaire is verified by an external certification body.
  • Certification from CREST-approved certification bodies provides the added protection and assurance of an external vulnerability scan and, at IT Governance, this is already included in the pricing and integrated into the process.
• What is required for certification to Cyber Essentials Plus?
  

  Cyber Essentials Plus provides a more advanced level of assurance. In addition to the requirements stated for Cyber Essentials, organisations applying for CE Plus benefit from an additional internal assessment and internal scan, conducted on-site by the certification body.

• Who will conduct the assessments for Cyber Essentials and Cyber Essentials Plus?
  

  Only accredited certification bodies can undertake assessments and issue certificates. IT Governance is a CREST-accredited certification body.

• Can we become Cyber Essentials and Cyber Essentials Plus certified?
  

  Yes.

  Apply for Cyber Essentials certification here.

  Apply for Cyber Essentials Plus certification here.

• How do we determine how many IP addresses we have to test?
  

  Companies applying for certification need to test all their in-scope public-facing IPs. For most smaller, non-telecommunications companies, this is the block of IP addresses they get from their internet service provider (ISP) – for example Virgin Media.

  It also includes IP addresses at all in-scope locations, including data centres and Cloud providers.

  IPs can be excluded from testing, especially those belonging to Cloud providers, if you do not have control of the security configuration of the service.

  If you need advice about how many IP addresses to test, advice is but a phone call away. Purchase a short LiveOnline consultancy session with one of our experts.

• How long will it take between submitting our questionnaire and receiving our certificate?
  

  It is possible, depending on your current security set up and speed of action, to get from application to certification in a couple of days. Experience, however, suggests that most organisations will take around a fortnight to complete the questionnaire, schedule and successfully complete the external scan, and finalise their SAQ. This may be longer for CE+ clients, who will also need to arrange the onsite visit to complete the internal security assessment.

  The timescale is also dependent on the client correctly completing the scope and target details the first time round, and responding to requests on time.

  For clients with more complex requirements, the timeframe may be longer. IT Governance is available to provide additional consultancy support and assistance if needed.

• What can we expect from the Cyber Essentials application process?
  

  The process below describes the Cyber Essentials DIY package, using the CyberComply portal. Step-by-step guidance is contained within the portal.

  1. Purchase the ‘DIY online submission’ option for Cyber Essentials
  2. Receive an automated response email with details to log on to the CyberComply portal
  3. Register on the CyberComply platform
  4. Start the application
  5. Complete the scope
  6. Complete the self-assessment questionnaire
  7. The self-assessment questionnaire is automatically marked and provides an interim result
  8. IT Governance reviews and approves the scope
  9. Schedule the scans via the CyberComply platform
  10. IT Governance approves the scan schedule and conducts the scans
  11. IT Governance reviews the results of the scan and the questionnaire
  12. If all previous activities result in a ‘pass’:
  13. Submit the questionnaire and scan results for certification
  14. The IT Governance assessors review the final submission and compile a report which is then checked by a QA
  15. A certificate is issued to your organisation
  16. The certification process is complete

  For Cyber Essentials Plus, there is an additional step where an on-site visit and internal assessment will be conducted by IT Governance.

• How do we define the scope?
  

  Expert support and guidance is available if you need some help in determining the scope. Simply purchase an hour of LiveOnline consultancy and get the answers you need.

  Here is some further information to help you define the scope:

  The scope should be clearly defined in terms of the organisation or business unit managing it, the network boundary and the physical location(s).

  Regardless of whether the whole or a part of the organisation is subject to certification, the name on the certificate must be consistent with the scope. The scope must be agreed before any testing starts.

  The scope statement will appear on your Cyber Essentials certificate; the description will be used to verify that the scope, questionnaire responses and subjects of the scan are consistent.

  Determining the scope to which Cyber Essentials applies can be a complex task, especially if your organisation is large or has an intricately structured network or network segmentation.

  A simple way to determine this:

  • If you are using SaaS (Software as a Service) then it is out of scope.
  • With PaaS (Platform as a Service) then in all likelihood it will also be out of scope, depending on the application that must be configured.
  • If it is Infrastructure as a Service (IaaS) then it will be in scope as you will be responsible for configuring the platform.
  • If you have VPNs connecting sites together, then, depending on the technology, the public IP address of the VPN connection is in scope even if you are using internal private addressing and route all internet traffic through the VPNs to a central egress point.

  If you use a private MPLS VPN then there may not be public IP addresses.

  Example scope description:

  The Internet-facing infrastructure consists of the email server, SharePoint and three firewalls. Company mobiles are out of scope as they only connect to a guest wireless network that connects straight out of the Internet and has no connection to the corporate network. External hosted systems include a custom ERP platform, which also connects to our infrastructure over the Internet and is in scope. Our externally hosted web servers are out of scope as they are wholly managed by third parties. We also use Google Docs and ShareFile cloud based services, which are also out of scope.

  Also see this page on defining the scope for further information.

• What should we do if we have more than 16 IP addresses?
  

  Purchase additional IP addresses here.

• What happens if we fail the tests or scans?
  

  Certification is valid on the date of passing the tests. In reality, you can pass both elements (questionnaire and scan) within a two-week period and achieve a valid certificate. If you fail either element of the CE process, and then successfully repeat the failed element within two weeks of the passed element, you will still pass – although there will be some retesting fees. View our repeat testing fees here.

  If the gap between successful activities is longer than two weeks, then the overall process will result in a fail.

• I need more guidance about the certification process.
  

  IT Governance offers the basic ‘DIY’ package for Cyber Essentials and Cyber Essentials Plus for companies that don’t need any additional assistance or support when applying for certification. For companies that require additional assistance, we offer additional support. View our packages here.

• Should we apply for a CE badge in addition to our ISO 27001 certification?
  

  Although ISO 27001 is seen as a more comprehensive level of assurance, a CE badge might ought to be seen as a core indicator of cyber security. It might also be required by certain clients as well as ISO 27001 certification.

• Which should we start first: (1) the CE scheme, (2) ISO 27001:2013, or (3) both?
  

  It will be more efficient to start both at the same time – IT Governance can help you with an integrated approach. However, depending on your current resources, time commitments and budget, you could start with the CE scheme, which will give you an introduction to the world of certification, and then continue to ISO 27001:2013 when you are ready.

• Why do some certification bodies require an external scan in addition to the self-assessment questionnaire?
  

  CREST-accredited certification bodies know that their clients place greater value on independently verified claims of security and therefore use an additional level of independent assurance in the form of a technical vulnerability scan. This scan is mandated by CREST in order to demonstrate another level of independent assurance, instead of only the self-assessment questionnaire. This approach is known as an independently verified approach.

• Why are there two approaches to gaining CE certification (one with vulnerability scanning requirements and one without)?
  

  Although the UK Government does not mandate the use of a technical verification in the form of a vulnerability scan, CREST has taken the decision to mandate this form of verification among its accredited certification bodies in order to include an additional form of independent assurance, rather than relying only on a self-reported questionnaire. Many large organisations prefer their suppliers to have this form of certification.

• Must we have vulnerability scans/pen tests provided by a third party?
  

  The scans are conducted to a common standard, as mandated by CREST. This guarantees the integrity and correctness of the scans. By including the scans as part of the certification process, the application process works out to be more efficient and cost-effective. For this reason, the scans can only be provided by a CREST-accredited certification body as part of the certification work.

• Can we use our existing vulnerability scanning/pen testing company?
  

  No. Only appointed certification bodies (e.g. CREST-accredited certification bodies) can conduct vulnerability scans for CE certification.

  The scans are conducted to a common standard, as mandated by CREST. This guarantees the integrity and correctness of the scans. By including the scans as part of the certification process, the application process works out to be more efficient and cost-effective. For this reason, the scans can only be provided by a CREST-accredited certification body as part of the certification work.

• Can we self-certify and carry out our own vulnerability scans and pen tests?
  

  No. All assessments must be done independently by an external certification body as part of the certification work.

  The scans are conducted to a common standard, as mandated by CREST. This guarantees the integrity and correctness of the scans. By including the scans as part of the certification process, the application process works out to be more efficient and cost-effective. For this reason, the scans can only be provided by a CREST-accredited certification body as part of the certification work.

• What is the difference between the types of scans and assessments that will be conducted by the certification body for Cyber Essentials and Cyber Essentials Plus?
  

  Cyber Essentials:

  • A review of the self-assessment questionnaire.
  • An external vulnerability scan of the Internet-facing networks and applications to verify that there are no known vulnerabilities present.

  Cyber Essentials Plus:

  • A review of the self-assessment questionnaire.
  • An external vulnerability scan of the Internet-facing networks and applications to verify that there are no known vulnerabilities present.
  • A test of the security and anti-malware configuration of each device type/build using malicious email attachments and web-downloadable binaries, including an on-site assessment.

Solutions for CES certification

IT Governance is a CREST-approved member and accredited Cyber Essentials scheme certification body. IT Governance offers three unique solutions to certification that will enable you to achieve certification to either Cyber Essentials or Cyber Essentials Plus cost-effectively and easily.

View the three solutions to certification >>