Cyber Essentials

Frequently Asked Questions

• What is a "Sample" of our network?

  When performing a Cyber Essentials Plus audit, the amount of machines that we test is dependant on the size of the organisation. We must a sample of each type of device on the network to ensure Cyber Essentials compliance. The goal is to test a number of devices that make up 90% of the organisation.
  
  A type of device is a grouping of systems running the same operating system. i.e. all devices running Windows 10 Pro running Version 1903 will be classed as one type, and all devices running Windows 10 Pro Version 2004 would be classed as another type.
  
  Of each type, a certain amount will be required to be tested.
  
  For example: If an organisation has 50 Microsoft Windows 10 1903 desktops, 30 Macbook Pro Catalina Laptops, and 10 Windows Server 2016, we would test 4 desktops, 4 macbooks, and 3 servers.

• Why should we get a Cyber Essentials certificate?

  The scheme sets out five basic security controls to protect organisations against around 80% of common cyber attacks, allowing you to focus on your core business objectives. Benefits of the Cyber Essentials scheme include reassuring customers that you take cyber security seriously as well as attracting new business with the assurance that you have cyber security measures in place.

  Cyber Essentials is designed to help organisations of any size demonstrate their commitment to cyber security – all while keeping the approach simple and the costs low. If you supply, or want to supply, larger organisations that manage their third-party risks properly, the independent verification of your security posture provided by certification offers assurance that you will not endanger the supply chain. If you want to apply for government contracts, you will need Cyber Essentials certification. The UK Ministry of Defence mandates Cyber Essentials for all its new suppliers and their relevant supply chains. Cyber Essentials certification now includes cyber liability insurance for any UK organisation that certifies the whole organisation and has less than £20 million annual turnover (terms apply).

• What is required for certification to Cyber Essentials?

  Organisations complete the IASME self-assessment questionnaire (SAQ). This must be verified and signed off by a member of the board or an equivalent signatory. It is then independently verified by a certification body trained and licensed to certify against the government’s Cyber Essentials scheme.

• What is the difference between Cyber Essentials and Cyber Essentials Plus?

  Cyber Essentials is a verified self-assessment questionnaire completed by your organisation that clearly demonstrates your organisations compliance to the Cyber Essentials scheme.
  
  Cyber Essentials Plus is an audit of your network, and is a validation that the information provided in the Cyber Essentials questionnaire is correct and accurate.

• What is the Scope?

  The scope section of the document helps us identify some additional information regarding the network that is to be certified. Whatever is involved in the scope, is the area of devices that are certified under the Cyber Essentials scheme. When filling out the scope section of the document consider the following:
  
  

  • What area of the organisation is to be covered by Cyber Essentials?
  • The whole company?
  • A specific location, for example if you have offices in the US and UK, is it only one site?
  • A specific office or department, for example, finance?
  • What devices are covered in the scope?
  • Additional Network devices such as routers, switches, servers etc.
  • Machines on the network such as laptops, desktops, mobiles.
  • Devices in scope must include their version numbers such as Windows 10 1909.
  • Are there any third-party IT management systems or providers used by the company?
  • Does the company use any cloud systems as part of their operation such as Dropbox, Gmail etc.

• Do I have to obtain the first level of Cyber Essentials before going on to Cyber Essentials Plus?

  Yes, you need to have a Cyber Essentials certificate before you are able to be assessed for Cyber Essentials Plus. However, we can run both assessments side by side.

• Can we still using Windows 7?

  No, this would be regarded as an instant fail as the software is unsupported (both went End of Life 14/01/2020).
  
  In circumstances where your organisation has paid for Extended Security Updates (ESU) from Microsoft for every device that is unsupported, this will be considered permissable as technically the software is supported.

• How do I renew?

  You can renew by clicking on the suitable plan above.. Please be aware that the scheme has changed considerably as of January 28th 2022

• Who will conduct the assessments for Cyber Essentials and Cyber Essentials Plus?

  Only certification bodies that have been trained and are currently licensed by IASME to certify against the government's Cyber Essentials scheme can undertake assessments and issue certificates. Hedgehog Security assessors and auditors are IASME trained and Hedgehog Security is licensed to deliver Cyber Essentials and Cyber Essentials Plus certifications.

• How is the questionnaire assessed?

  Your questionnaire will be marked against the strict criteria set out by IASME Consortium via the online portal by one of our (ID Cyber Solutions) assessors.

• Do I need Cyber Essentials to bid for a UK Government contract?

  Some Government contracts may require you to be Cyber Essentials certified or to be able to demonstrate that the technical controls are in place. In the first instance please confirm with the Government department their expectations with regards to Cyber Essentials. Requirements and exemptions may vary between department, so it is important that you are able to seek clarification for each contract.

• How are Cyber Essentials assessments verified?

  A board member from the organisation signs a declaration to confirm that the assessment answers are true. A qualified assessor who works for a Certification Body then evaluates the responses.
  
  In the event that you pass you receive a certificate. If you fail, you will receive feedback so you know which areas need to be addressed should you either want to re-apply for Cyber Essentials certification or take the opportunity to improve your cyber security.

• What is required for certification to Cyber Essentials Plus?

  Cyber Essentials Plus provides a more advanced level of assurance and includes a technical audit of the systems that are in scope for Cyber Essentials. Organisations applying for Cyber Essentials Plus must also pass an on-site assessment and an internal vulnerability scan (these can be performed remotely in certain instances), plus an external vulnerability scan conducted by the certification body.

• How long will it take between submitting our online SAQ and receiving our certificate?

  For Cyber Essentials, it is possible to get from application to certification within a day or two, depending on your current security setup and speed of action. However, most organisations take about a fortnight to complete the assessment. This will be longer for Cyber Essentials Plus clients, which also need to arrange the on-site visit for the internal security assessment and successfully complete the external scan.

• Do I need Cyber Essentials to bid for a Gibraltar Government contract?

  Some Government contracts may require you to be Cyber Essentials certified or to be able to demonstrate that the technical controls are in place. In the first instance please confirm with the Government department their expectations with regards to Cyber Essentials. Requirements and exemptions may vary between department, so it is important that you are able to seek clarification for each contract.

• Can we still use Windows Server 2008?

  No, this would be regarded as an instant fail as the software is unsupported (both went End of Life 14/01/2020).
  
  In circumstances where your organisation has paid for Extended Security Updates (ESU) from Microsoft for every device that is unsupported, this will be considered permissable as technically the software is supported.

• My organisation is not based in the UK. Can I still obtain Cyber Essentials certification?

  Yes, organisations overseas are able to get certificates.