

Cyber Essentials is an incredibly robust, yet surprisingly accessible, cybersecurity accreditation – though “basic” Cyber Essentials certification is just the start.
If you’re serious about cybersecurity – as serious as your clients and partners will increasingly expect you to be – Cyber Essentials Plus is where the real, audited, cybersecurity assurance lives.
So what makes Cyber Essentials Plus so much more credible? What’s actually involved in the certification process, and is it right for your business?
By the way, Penken Technology have recently achieved Cyber Essentials Plus, so we can speak from experience here!
What is Cyber Essentials?
Cyber Essentials is a cybersecurity certification backed by the UK government, developed to protect businesses, organisations, supply chains, and the general public from cyber harm. There are two levels of certification: Cyber Essentials and Cyber Essentials Plus. The scheme is run for the government by an organisation called IASME.
There are five cybersecurity categories that Cyber Essentials focuses on:
- User access control
- Secure configuration
- Security update management
- Firewalls and routers
- Malware protection
Any organisation based in the UK can apply for Cyber Essentials accreditation; there’s no restriction on size, structure, or sector. Any organisation, from the largest PLC to the tiniest micro business, or a public authority somewhere in between, can apply for and achieve Cyber Essentials or Cyber Essentials Plus.
As long as the organisation uses one or more computers connected to the internet, it is in scope for Cyber Essentials.
However, there is some nuance here for our manufacturer clientele: the programme doesn’t really focus on security related to operational technology (OT), SCADA, and suchlike, so bear that in mind.
What’s the Difference Between Cyber Essentials and Cyber Essentials Plus?
When applying for the “standard” certification, you implement security controls across the five above categories and fill in a self-assessment questionnaire about them. These responses are approved by the appropriate certifying body who (all being well) rubber-stamps your certification.
However, this is the one weakness of “standard” Cyber Essentials: the certifying organisation merely reviews your answers to ensure they are within the accepted standards – they don’t actually test your systems. At the basic level, it’s all really based on trust.
This is how Cyber Essentials Plus becomes a much more robust accreditation. You need to have Cyber Essentials certification to apply for the Plus programme, so you will likely have already implemented the security controls and filled in the self-assessment. But this time, your systems undergo an independent technical audit: an assessor actually reviews your systems and ensures that you answered the questions accurately. This external verification provides proof that you aren’t just marking your own homework.
Here’s a quick comparison:
| | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Methodology | Self-reported, online self-assessment questionnaire, reviewed by a certifying body. | As per regular CE, though an assessor carries out a technical audit of your systems too, ensuring your answers are in line with reality. |
| Verification | You confirm that you’ve implemented the controls. Honest, guv. | The assessor verifies that the stated security controls have been implemented via an independent technical audit. |
| Credibility | You show that you understand and have implemented the requirements. | You have proof that an independent certifying party has reviewed your systems. |
| Commercial | Required minimum for many public sector contracts. | Often desirable - sometimes stipulated - for higher-stakes public contracts, such as with the NHS or MOD. |
| Insurance | Access to cyber liability insurance available for those accredited. | Access to cyber liability insurance available for those accredited. |
| Renewal | Yearly self-assessment | Yearly self-assessment and technical audit. |
The Benefits of Cyber Essentials Certification
Before we go any further, let’s explore some of the benefits that come with Cyber Essentials and Plus certification:
- Trust Signals: All organisations who have achieved Cyber Essentials are publicly listed on the IASME website and can advertise their certification within marketing materials such as their website, branded stationery, and on social media.
- Public Sector Access: Cyber Essentials is required for many public sector contracts, so if you’re starting to bid for public sector work, you will need at least the standard accreditation.
- Access to Insurance: Certified organisations based in the UK with yearly revenue of less than £20m can also access cyber liability insurance with a total liability limit of £25,000.
- Encourages Good Cyber Habits: When you have a strong, documented cyber baseline and an accreditation that you need to keep to, this can incentivise your team to consistently apply and develop cyber-aware habits.
- Improves Leadership Understanding: According to UK Government figures, 86% of CE-accredited survey respondents said that the scheme has directly strengthened their senior management’s understanding of the risks posed by cyber attacks.
- Improves Security Confidence: The same report states that “most scheme users (91%) also believe that Cyber Essentials has directly improved their confidence in being protected in the event of […] an attack.”
“Am I A Strong Candidate for Cyber Essentials Plus?”
Well this is the million-dollar question, though thankfully achieving Cyber Essentials Plus is a lot cheaper than that.
There are three core questions to ask yourself here:
- How sensitive is the data you handle? (Exploring your risk profile)
- How regulated is the sector/supply chain you operate in? (Exploring your regulatory landscape)
- Are you aiming for contracts where Plus is preferred or required? (Exploring the commercial value or returns that accreditation might provide)
Let’s explore a few sector-specific scenarios:
Strong Candidates for Cyber Essentials Plus (Seriously, Consider It!)
Solicitors & Law Firms
Law firms handle vast amounts of highly sensitive client information, and have to abide by stringent SRA scrutiny to even exist. The external validation afforded by Cyber Essentials Plus provides undeniable assurance to clients in the know – particularly lucrative corporate clients who will likely already be familiar with the framework.
Financial Services & FinTech
Any kind of financial service provider has a lot of highly sensitive data in their orbit, and has to maintain that data within strict FCA rules. Larger, corporate clients, and individuals in the know, will likely appreciate the aspect of externally validated digital security.
Manufacturing Firms Chasing Public Sector Work
Having “standard” Cyber Essentials is the entry level baseline for public sector suppliers. However, achieving Plus certification might paint you in a better light for particularly competitive bids, or for public sector bids where there is an element of data sensitivity, financial sensitivity, or national security in the mix.
What Does Achieving Cyber Essentials Plus Look Like?
If you’re considering Cyber Essentials Plus (or even just standard Cyber Essentials) here are a few practicalities to bear in mind.
Preparation
Standard accreditation requires you to understand and implement the five categories of security control (as listed above) and ensure that they are functioning correctly, ready to be documented. You will need to achieve standard Cyber Essentials certification before you apply for Plus, though the two can be carried out together.
The online self-assessment is required for either level of accreditation, though Plus will also require the independent technical audit. This audit can be conducted on-site or remotely, depending on the scope of your IT systems.
On the subject of scope, you will need to define the scope/boundaries of your Cyber Essentials assessment. However, this scope needs to represent a genuine picture of your operating environment, not a cherry-picked subset of data and devices that might make certification easier.
Timelines
Once you submit your self-assessment, it can take up to a week for an assessor to review your answers and ensure they meet all requirements. Once the accrediting body is happy, your certificate is issued instantly. The main time variable is your own preparation time before you even get to the self-assessment.
In order to achieve Plus accreditation, the external audit needs to be carried out within three months of your basic Cyber Essentials certification. The audit itself typically takes a few hours to a day depending on the complexity of your IT systems.
Cyber Essentials and Cyber Essentials Plus certificates are valid for 12 months and require annual renewal. In the case of Plus certification, this will mean another independent audit every 12 months too. So keep in mind that you will need ongoing capability to maintain compliance annually – so you might want to set it up so audit time falls during a quieter time of year!
Ready to Start – or Advance – Your Journey with Cyber Essentials?
If you’re weighing up whether Cyber Essentials or Cyber Essentials Plus is right for your business or you want to go ahead with help from a reliable IT provider who knows the ropes, let’s talk!
When you seek certification through an IT provider like Penken Technology, you aren’t on your own. You have access to our expertise to get you – and keep you – compliant, year after year.
Penken Technology has recently achieved Cyber Essentials Plus, so we know exactly what’s involved. And what’s more, our compliance management support serves to keep you compliant year-round, not just at audit time.
Penken Technology – Cyber Essentials Pricing
Our fees, inclusive of the accrediting body’s own pricing, are as follows:
Cyber Essentials Pricing
| Users | Monthly (12-month term) | Annual |
|---|---|---|
| 1-9 | £103 | £1,025 |
| 10-19 | £134 | £1,340 |
| 20-49 | £229 | £2,285 |
Cyber Essentials Plus Pricing
| Users | Monthly (12-month term) | Annual |
|---|---|---|
| 1-9 | £145 | £1,450 |
| 10-49 | £165 | £1,650 |
| 50-99 | £205 | £2,050 |
You’ll notice there is a slight saving if you wish to pay annually. All prices exclude VAT.