Cyber Essentials Assessment for the UK

Cyber Essentials

Cyber Essentials is the foundation level is an independently verified self-assessment. You complete an online assessment questionnaire which is approved by a Senior Executive of your business. Upon submission, we will independently review and confirm your responses. If successful, we will award you the requisite certificate and badge that you can display on your company website. The cost of Cyber Essentials certification is fixed by IASME so beware of those charging higher prices. Cyber Essentials is followed by Cyber Essentials Plus for those who desire to prove a ligher level of security.

The simplest way to think of the Cyber Essentials scheme is to think of it as a Cyber Security MOT for your business or organisation. You have to fulfil specific requirements to pass successfully, and your assessor will confirm whether you meet these.

For Cyber Essentials, that 'assessor' is called a Certification Body. Hedgehog Security is one of those certification bodies approved by IAMSE to deliver Cyber Essentials and Cyber Essentials Plus, as well as the maritime version of Cyber Essentials, the Maritime Cyber Baseline and the Internet of Things (IOT) standard. They have the official qualifications needed to certify you for Cyber Essentials - that is, as long as your organisation ticks all the boxes. A large portion of the assessment is a self-assessment questionnaire, and it is these answers will determine whether you pass or fail. The questionnaire is updated annually, so if you already have your Cyber Essentials certification and you are renewing, don't expect to be able to simply submit the answers from the previous year either.

Once you show you have all the necessary processes, policies, and controls (we have a lot of free to use templates here), you'll achieve the Cyber Essentials certification so you can demonstrate you commitment to Cyber Security to your clients, partners, and suppliers. Most importantly, you'll feel more confident that you're secure and protected.

Certification Bodies are an essential part of achieving your Cyber Essentials certificate. But what exactly are they, and how do you find one? Certification Bodies operate under the IASME Consortium, which became the sole accreditation body on the 1st of April 2020. Before, there were five accrediting bodies with varying methodologies, but the government decided to appoint only one.

IASME works with and oversees several Certification Bodies across the country, including Hedgehog Security, and each Certification Body has qualified assessors who can certify businesses and organisations for Cyber Essentials. You can visit IASME's website to see a complete overview of all the Certification Bodies.

Cyber Essentials Brochure

What Are the Benefits of Cyber Essentials?

Cyber Essentials is run by the UK government and has become the standard by which the UK government holds all of its supply chains to account. You will therefore be aligning your business with the most recognised national standard.

Time, Money and Resources

With a high-level view of your Cyber Security, you can iron out any inefficiencies in your practices and maximise productivity as your team will have more time on their side.

Government Tenders

Cyber Essentials can help you get there if you pursue government tenders and contracts. Cyber Essentials is a minimum certification level requirement for any organisation looking to obtain government contracts (including the Ministry of Defence and Health), especially in the private sector.

Marketing Through Security

Obtaining Cyber Essentials can make a big difference when your organisation tries to get cyber insurance. The brokers will likely be more inclined to offer you a reduced premium as they can see your organisation is cyber safe and making every effort to protect its data.

As much as your business provides a service, you'll also utilise them yourselves - you are a client to someone. With that in mind, think how reassured you'd feel if that service was able to demonstrate to you that they care about looking after your data and keeping it secure. You'd likely appreciate their work even more than you do currently.

You want your clients to know that you take Cyber Security seriously. This begins with letting them know that you're making a conscious effort to protect their information. Before you know it, you'll have built a tremendous amount of trust in your client relationships and enhanced your reputation in your industry. When your clients are happy, they'll tell people about it - and who knows, those people might want to come to you for your services too.

Some organisations do not care about Cyber Security, and they believe it is not a priority or even a concern altogether. It's an unfortunate way of thinking and doesn't stand in this day and age.

With the Cyber Essentials certification, you can quickly demonstrate that you care about data and differentiate yourself from competitors who have yet to prioritise their Cyber Security. By showcasing the Cyber Essentials logos on your website and collateral, you put your organisation amongst businesses that can demonstrate they care about their data.

The UK must comply with GDPR (General Data Protection Regulation), and businesses must abide by this and the UK's own Data Protection Act. It's vital to comply with both of these for numerous reasons. Most importantly, though, your business or organisation could be liable to pay up to 4% of your turnover if breached.

If you are not Cyber Essentials Plus certified, the Information Commissioner's Office (ICO) can very quickly conclude that you did not implement enough measures to protect the data you hold. By having the Cyber Essentials Plus certification, you could be prevented the fine, as they would have been able to see you were trying to protect your data.

Cyber Essentials vs Cyber Essentials Plus

Even by achieving Cyber Essentials Basic, you're taking an essential step to show your clients and stakeholders that you are serious about your Cyber Security and protecting their data. However, since Cyber Essentials Plus officially verifies this, it is even more impactful. Achieving Plus demonstrates that you are going the extra mile to ensure you handle all your essential data in a secure environment.

Many government contracts, including MOD and NHS, require Cyber Essentials Plus, which is likely to pick up even more over the next few years. We recommend that you try and go to Cyber Essentials Plus to make it worth your while if you embark on your Cyber Essentials journey!

Secure Your Business Now
Pick a Plan.

Micro Small Medium Large

AUDIT ONLY CYBER ESSENTIALS

Simply the Audit Only
Price
£ 300 350 400 500

Up to 10 50 250 >250 Users
- Online questionnaire
- Marked within 4 hours of submission
- External Vulnerability Scan
ASSISTED CYBER ESSENTIALS

Assisted Questionnaire + Audit
Price
£ 900 1100 1400 1800

Up to 10 50 250 >250 Users
- Assistance from Start to Finish
- Online questionnaire
- Marked within 4 hours of submission
- External Vulnerability Scan
- Three retests
MANAGED CYBER ESSENTIALS

Guided, Guaranteed Certification
Starting at
£ 2000 3500 7500 10000 +

Up to 10 50 250 >250 Users
- CE and CE Plus
- Includes at least 5 days of Consulting
- CE audit and Gap Analysis
- Peter completes your questionnaire
- Marked by the team within 1 hours
- External Vulnerability Scans
- Internal Vulnerability Scans
- No need for retests

Downloads

Cyber Essentials Brochure Guide to Cyber Essentials

Frequently Asked Questions

Who will conduct the assessments for Cyber Essentials and Cyber Essentials Plus?
Only certification bodies that have been trained and are currently licensed by IASME to certify against the government's Cyber Essentials scheme can undertake assessments and issue certificates. Hedgehog Security assessors and auditors are IASME trained and Hedgehog Security is licensed to deliver Cyber Essentials and Cyber Essentials Plus certifications.
What is the Scope?
The scope section of the document helps us identify some additional information regarding the network that is to be certified. Whatever is involved in the scope, is the area of devices that are certified under the Cyber Essentials scheme. When filling out the scope section of the document consider the following:
- What area of the organisation is to be covered by Cyber Essentials?
- The whole company?
- A specific location, for example if you have offices in the US and UK, is it only one site?
- A specific office or department, for example, finance?
- What devices are covered in the scope?
- Additional Network devices such as routers, switches, servers etc.
- Machines on the network such as laptops, desktops, mobiles.
- Devices in scope must include their version numbers such as Windows 10 1909.
- Are there any third-party IT management systems or providers used by the company?
- Does the company use any cloud systems as part of their operation such as Dropbox, Gmail etc.
Why should we get a Cyber Essentials certificate?
The scheme sets out five basic security controls to protect organisations against around 80% of common cyber attacks, allowing you to focus on your core business objectives. Benefits of the Cyber Essentials scheme include reassuring customers that you take Cyber Security seriously as well as attracting new business with the assurance that you have Cyber Security measures in place.
Cyber Essentials is designed to help organisations of any size demonstrate their commitment to Cyber Security – all while keeping the approach simple and the costs low. If you supply, or want to supply, larger organisations that manage their third-party risks properly, the independent verification of your security posture provided by certification offers assurance that you will not endanger the supply chain. If you want to apply for government contracts, you will need Cyber Essentials certification. The UK Ministry of Defence mandates Cyber Essentials for all its new suppliers and their relevant supply chains. Cyber Essentials certification now includes cyber liability insurance for any UK organisation that certifies the whole organisation and has less than £20 million annual turnover (terms apply).
How do I renew?
You can renew by clicking on the suitable plan above.. Please be aware that the scheme has changed considerably as of January 28th 2022
Do I need Cyber Essentials to bid for a Gibraltar Government contract?
Some Government contracts may require you to be Cyber Essentials certified or to be able to demonstrate that the technical controls are in place. In the first instance please confirm with the Government department their expectations with regards to Cyber Essentials. Requirements and exemptions may vary between department, so it is important that you are able to seek clarification for each contract.
How are Cyber Essentials assessments verified?
A board member from the organisation signs a declaration to confirm that the assessment answers are true. A qualified assessor who works for a Certification Body then evaluates the responses.

In the event that you pass you receive a certificate. If you fail, you will receive feedback so you know which areas need to be addressed should you either want to re-apply for Cyber Essentials certification or take the opportunity to improve your Cyber Security.
How long will it take between submitting our online SAQ and receiving our certificate?
For Cyber Essentials, it is possible to get from application to certification within a day or two, depending on your current security setup and speed of action. However, most organisations take about a fortnight to complete the assessment. This will be longer for Cyber Essentials Plus clients, which also need to arrange the on-site visit for the internal security assessment and successfully complete the external scan.
My organisation is not based in the UK. Can I still obtain Cyber Essentials certification?
Yes, organisations overseas are able to get certificates.
What is required for certification to Cyber Essentials Plus?
Cyber Essentials Plus provides a more advanced level of assurance and includes a technical audit of the systems that are in scope for Cyber Essentials. Organisations applying for Cyber Essentials Plus must also pass an on-site assessment and an internal vulnerability scan (these can be performed remotely in certain instances), plus an external vulnerability scan conducted by the certification body.
What is required for certification to Cyber Essentials?
Organisations complete the IASME self-assessment questionnaire (SAQ). This must be verified and signed off by a member of the board or an equivalent signatory. It is then independently verified by a certification body trained and licensed to certify against the government’s Cyber Essentials scheme.
How is the questionnaire assessed?
Your questionnaire will be marked against the strict criteria set out by IASME Consortium via the online portal by one of our (ID Cyber Solutions) assessors.
Do I have to obtain the first level of Cyber Essentials before going on to Cyber Essentials Plus?
Yes, you need to have a Cyber Essentials certificate before you are able to be assessed for Cyber Essentials Plus. However, we can run both assessments side by side.
Can we still using Windows 7?
No, this would be regarded as an instant fail as the software is unsupported (both went End of Life 14/01/2020).

In circumstances where your organisation has paid for Extended Security Updates (ESU) from Microsoft for every device that is unsupported, this will be considered permissable as technically the software is supported.
Can we still use Windows Server 2008?
No, this would be regarded as an instant fail as the software is unsupported (both went End of Life 14/01/2020).

In circumstances where your organisation has paid for Extended Security Updates (ESU) from Microsoft for every device that is unsupported, this will be considered permissable as technically the software is supported.
Do I need Cyber Essentials to bid for a UK Government contract?
Some Government contracts may require you to be Cyber Essentials certified or to be able to demonstrate that the technical controls are in place. In the first instance please confirm with the Government department their expectations with regards to Cyber Essentials. Requirements and exemptions may vary between department, so it is important that you are able to seek clarification for each contract.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a verified self-assessment questionnaire completed by your organisation that clearly demonstrates your organisations compliance to the Cyber Essentials scheme.

Cyber Essentials Plus is an audit of your network, and is a validation that the information provided in the Cyber Essentials questionnaire is correct and accurate.
What is a "Sample" of our network?
When performing a Cyber Essentials Plus audit, the amount of machines that we test is dependant on the size of the organisation. We must a sample of each type of device on the network to ensure Cyber Essentials compliance. The goal is to test a number of devices that make up 90% of the organisation.

A type of device is a grouping of systems running the same operating system. i.e. all devices running Windows 10 Pro running Version 1903 will be classed as one type, and all devices running Windows 10 Pro Version 2004 would be classed as another type.

Of each type, a certain amount will be required to be tested.

For example: If an organisation has 50 Microsoft Windows 10 1903 desktops, 30 Macbook Pro Catalina Laptops, and 10 Windows Server 2016, we would test 4 desktops, 4 macbooks, and 3 servers.

Certification

Hedgehog Security places great emphasis on the quality, reliability, and security of the services it offers. We are fully regulated by CREST, the Council for Regitered Ethical Security Testers and are authorised to deliver Cyber Security Consulting along with Penetration Testing, Vulnerability Scanning and IT Health Checks.

Cyber Essentials