Cyber Essentials certification
Cyber Essentials Certification
The Cost of Cyber Essentials Certification is low, starting at as little at £295.00. Cyber Essentials is the foundation level and is an independently verified self-assessment. You complete an online assessment questionnaire which is approved by a Senior Executive of your business. Read on to find the cost of cyber essentials.
Cyber Essentials certification
The Cyber Essentials certification was created by the UK Governments National Cyber Security Center. It is an independently verified self-assessment that takes around 3 hours to complete. The cost of cyber essentials certification starts at £295.00 plus VAT. Cyber Essentials Plus certification starts at £1100.00. You complete an online assessment questionnaire which is approved by a Senior Executive of your business. Upon submission, we will independently review and confirm your responses. If successful, we will award you the requisite certificate and badge that you can display on your company website. The cost of the Cyber Essentials certification is fixed by IASME so beware of those charging higher prices. CE is followed by Cyber Essentials Plus for those who desire to prove a higher level of security. We have a guide to Cyber Essentials available here.
The simplest way to think of the CE scheme is to think of it as a Cyber Security MOT for your business or organisation. You have to fulfill specific requirements to pass successfully, and your assessor will confirm whether you meet these. This is why we include the CE assessment within our Cyber Security Health Check service.
How the Cyber Essentials Assessment works
The ‘assessor’ is called a Certification Body. Hedgehog Security is one of those certification bodies approved by IAMSE. We deliver CE and CE+, as well as the maritime version, the Maritime Cyber Baseline, and the Internet of Things (IOT) standard. We have the official qualifications needed to certify you. A large portion of the Cyber Essentials Certification assessment is a self-assessment questionnaire. These answers will determine whether you pass or fail. There are also vulnerability scans to undertake. The questionnaire is updated annually. If you already have your Cyber Essentials certification and you are renewing, don’t expect to be able to simply submit the answers from the previous year either.
Once you show you have all the necessary processes, policies, and controls (we have a lot of free to use templates here), you’ll achieve the Cyber Essentials certification. You can now demonstrate commitment to Cyber Security to your clients, partners, and suppliers. Most importantly, you’ll feel more confident that you’re secure and protected.
Why do I need Cyber Essentials?
Cyber Essentials is the UK governments cyber security baseline scheme supported by the National Cyber Security Centre (NCSC). The scheme sets out five basic security controls to protect organisations against around 80% of common cyber-attacks. The scheme’s certification process is managed by the IASME Consortium. IASME licences all Certification Bodies (CBs) such as ourselves, Hedgehog Security, to carry out Cyber Essentials and Cyber Essentials Plus Certifications. Cyber Essentials is designed to help organisations of any size demonstrate their commitment to cyber security. We keep the cost of cyber essentials low, as we truly believe every business should be able to be certified. With Hedgehog, the cost of cyber essentials starts at £295.00.
There are six main reasons that all businesses or organisations should be certified against the Cyber Essentials standard.
6 Main Reasons for Cyber Essentials
Prevent around 80% of cyber attacks
Correctly implementing five basic security controls will protect your organisation against the most common cyber threats.
Demonstrate supply chain security
Achieving Cyber Essentials certification will help you demonstrate your commitment to data protection and cyber security.
Win new business
Cyber Essentials certification will help boost your reputation and give you a better chance of winning new business.
Reduce cyber insurance premiums
Cyber insurance agencies look more favourably on organisations that have achieved Cyber Essentials certification.
Drive business efficiency
You can focus on your core business objectives while knowing that you are protected from the most common cyber attacks.
Work with the UK government & MoD
Cyber Essentials will permit you to work with the UK government and Cyber Essentials Plus will allow you to work with the MoD.
Talk To A Cyber Essentials Specialist
Book a free consultation with a cyber essentials specialist to discuss your current concerns, the cost of cyber essentials or any particular cyber essentials requirements you may have.
What are the five Cyber Essentials controls?
Firewalls
These are designed to prevent unauthorised access to or from private networks, but a good setup of these devices is essential to be fully effective.
Boundary firewalls and Internet gateways determine who has permission to access your system from the Internet and allow you to control where your users can go.
Although antivirus software helps protect the system against viruses and malware, a firewall helps keep attackers or external threats from getting access to your system in the first place.
The security provided by the firewall can be adjusted like any other control function (in other words, the firewall ‘rules’).
Learn MoreSecure Configuration
Web server and application server configurations play a crucial role in cyber security. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems.
Computers and network devices should be configured to minimise the number of inherent vulnerabilities and provide only the services required to fulfil their intended function.
This will help prevent unauthorised actions from being carried out and will also ensure that each device discloses only the minimum information about itself to the Internet. A scan can reveal opportunities for exploitation through insecure configuration.
Learn moreAccess Control
It is important to keep access to your data and services to a minimum. This should prevent a criminal hacker from being presented with open access to your information.
Obtaining administrator rights is a crucial objective for criminal hackers, allowing them to gain unauthorised access to applications and other sensitive data.
Convenience sometimes results in many users having administrator rights, which can create opportunities for exploitation.
User accounts, particularly those with special access privileges, should be assigned only to authorised individuals, managed effectively, and provide the minimum level of access to applications, computers and networks.
Learn moreMalware Protection
It is vital that you protect your business from malicious software, which will seek to access files on your system.
The software can wreak havoc by gaining access and stealing confidential information, damaging files, and even locking them and preventing access unless you pay a ransom.
Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware) will protect your computer, your privacy and your important documents from attack.
Learn morePatch Management
All devices and software are prone to technical vulnerabilities. Cyber criminals can rapidly exploit vulnerabilities once they’ve been discovered and shared publicly.
Criminal hackers exploit known vulnerabilities in operating systems and third-party applications if they are not properly patched or updated.
Updating software and operating systems will help to fix these known weaknesses.
It is crucial to do this as quickly as possible to close any opportunities that could be used to gain access.
Learn moreWhat Are the Benefits of Cyber Essentials?
Cyber Essentials is run by the UK government through IASME. It is the standard by which the UK government holds all of its supply chains to account. You will therefore be aligning your business with the most recognised national standard.
Time, Money and Resources
Cyber Essentials allows you to iron out any inefficiencies in your practices and maximise productivity as your team will have more time on their side.
Government Tenders
Certification can help you get there if you pursue government tenders and contracts. It is a minimum certification level requirement for any organisation looking to obtain government contracts. This includes the Ministry of Defense and National Health Service and especially in the private sector.
Marketing Through Security
Obtaining certification can make a big difference when your organisation tries to get cyber insurance. The brokers will likely be more inclined to offer you a reduced premium as they can see your organisation is cyber safe and making every effort to protect its data.
As much as your business provides a service, you’ll also utilise them yourselves – you are a client to someone. Think how reassured you’d feel if that service was able to demonstrate to you that they care about your information. Looking after your data and keeping it secure. You’d likely appreciate their work even more than you do currently.
You want your clients to know you take Cyber Security seriously and that you are protected from the common attacks. This begins with letting them know that you’re making a conscious effort to protect their information. Before you know it, you’ll have built trust in your client relationships and enhanced your reputation in your industry. When your clients are happy, they’ll tell people about it. Those people might want to come to you for your services too.
Some organisations do not care about Cyber Security. They believe it is not a priority or even a concern altogether. It’s an unfortunate way of thinking and doesn’t stand in this day and age.
Cyber Essentials Certification
Through certification, you can quickly demonstrate that you care about data and differentiate yourself from competitors. By showcasing the cyber essentials logos, you put your organisation amongst businesses that demonstrate they care about their data.
The UK must comply with GDPR (General Data Protection Regulation), it is law. Businesses must abide by this and the UK’s own Data Protection Act. It’s vital to comply with both of these for numerous reasons. Most importantly, though, your organisation could be liable to pay up to 4% of your turnover if breached.
Without certification, the Information Commissioner’s Office (ICO) may conclude that you did not adequately protect the data you hold. By having the Cyber Essentials Plus certification, you could be prevented the fine. It proves you were trying to protect your data.
We also encourage all companies to have a Responsible Disclosure statement on their website.
Cyber Essentials vs Cyber Essentials Plus
Even by achieving the Basic level, you’re taking an essential step to show your clients and stakeholders that you are serious about your Cyber Security and protecting their data. However, since Plus level officially verifies this, it has even more impact. Achieving Plus demonstrates that you are going the extra mile to ensure you handle all your essential data in a secure environment. The cost of Cyber Essentials starts at £295.00 and the cost of Cyber Essentials Plus starts at £1100.00.
Many government contracts, including MOD and NHS, require Cyber Essentials Plus, which is likely to pick up even more over the next few years. We recommend that you try and go to Cyber Essentials Plus to make it worth your while if you embark on your journey!
Get Cyber Essentials certified with Hedgehog Security
Our very simple five-step approach to Cyber Essentials Certification:
- Define the scope – Certification can apply to an organisation’s full enterprise IT or just to a subset. Either way, the scope needs to be clearly defined before the certification process can get underway
- SAQ – The next step to certification is to complete the required SAQ. Once the SAQ has been completed, we review this prior to submitting to check it meets the requirements of the Cyber Essentials scheme. Successful applications are issued their Cyber Essentials Certificate.
- On-site assessment – Organisations seeking certification to Cyber Essentials Plus will be required to go through a technical audit which includes a series of internal vulnerability scans and internal vulnerability tests of the system(s) in scope, and the SAQ.
- External scan – The external vulnerability scan of your Internet-facing networks and applications is used to verify that there are no obvious vulnerabilities. As the tests are external, they are be performed offsite.
- Certification (Plus) – Once the remote audit, internal vulnerability scan and external vulnerability scan have been successfully completed and approved, you will be issued with your Cyber Essentials Plus Certificate.
Why choose Hedgehog as your Cyber Essentials partner?
- One-stop shop – We provide all tools and resources needed to achieve certification at both levels of the Cyber Essentials scheme.
- End-to-end support – We deliver all the technical tests and assessments, conducted by our experienced technical testers.
- Tailored solutions – We have various packaged solutions available to support organisations with different levels of experience through the Cyber Essentials or Cyber Essentials Plus certification process.
- Unrivalled expertise – Having led ISO 27001 implementations since the inception of the Standard, we have the knowledge and insight to help you take the next steps beyond Cyber Essentials.
Talk To A Cyber Essentials Certification Specialist
Book a free consultation with a cyber essentials certification specialist to discuss your current concerns, the cost of cyber essentials certification or any particular requirements you may have.
Frequently Asked Questions
How much is Cyber Essentials?
This is a question that we get asked a lot of the time. The first thing to state is that the cost of Cyber Essentials is set by IAMSE and the NCSC and is based on the number of employees in your organisation. Payment for Cyber Essentials is upfront. Assessment can not take place until the payment has been received. This is simply because IAMSE must be paid prior to the assessment. Now, the pricing is very simple and pricing matrix is show below.
| Micro organisations (0-9 employees) | £295 +VAT |
| Small organisations (10-49 employees) | £395 +VAT |
| Medium organisations (50-249 employees) | £425 +VAT |
| Large organisations (250+ employees) | £495 +VAT |
So the answer to the question of how much is cyber essentials depends on the size of your organisation. For the majority of organisations it is just a case of purchasing the assessment. You are simply filling out the questionnaire and getting the result. However, should there be an issue with the answers, you only have 48 hours in which to rectify the issues and resubmit before an over all failure is issued. Once an overall failure is issued then you would need to purchase the assessment again and resubmit your answers.
For organisations who require a little help through the assessment, we offer assistance in the form of hourly blocks. Hourly blocks can be purchased online at the same time as your Cyber Essentials assessment. Once purchased, one of the consulting team will work with you to determine how best to use the time. It may be coaching you through the assessment, or it may be going through your answers prior to submitting them. Our consulting team working closely with our auditors every day, so they will be best placed to help.
The short answer is Yes. It does not matter where your business, charity or organisations is based in the world. Regardless of your location, even if you are based overseas or you are a nomadic entity. You will be able to be assessed against the Cyber Essentials standards and if you are assessed to be compliance then a certificates will be issued.
For nomadic entities, it is important to know which country your entity is based within. For example, if you are cruising the world on a yacht, then the designated flag country would be used to establish your base country. For land based nomadic entities, then the country of registration of your company would be used.
No, Windows 7 went End of Life 14/01/2020).
In circumstances where your organisation has paid for Extended Security Updates (ESU) from Microsoft for every device that is unsupported, this will be considered permissible as technically the software is supported.
Windows Server 2008 went End of Life 14/01/2020).
In circumstances where your organisation has paid for Extended Security Updates (ESU) from Microsoft for every device that is unsupported, this will be considered permissible as technically the software is supported.
When you finish your online questionnaire and click on the submit button, a job is raised within our audit team to assess your questionnaire. The assessment will typically take place within a business day of completing it. We will review your questionnaire submission and it will be marked against the strict criteria set out by IASME Consortium and the NCSC. Where we feel we need more information in order to be able to pass you for a particular question, we make set an answer to “needs more information” and send it back to you. Where this happens all you need to do is expand on the information. The auditor will have put helpful notes on the report to you can understand exactly what they are looking for. Where the answer is a fail, we will talk to you about the issue and work out a way to move forwards.
Cyber Essentials is a verified self-assessment questionnaire completed by your organisation that clearly demonstrates your organisations compliance to the Cyber Essentials scheme.
Cyber Essentials Plus is an audit of your network, and is a validation that the information provided in the Cyber Essentials questionnaire is correct and accurate.
When performing a Cyber Essentials Plus audit, the amount of machines that we test is dependent on the size of the organisation. We must a sample of each type of device on the network to ensure Cyber Essentials compliance. The goal is to test a number of devices that make up 90% of the organisation.
A type of device is a grouping of systems running the same operating system. i.e. all devices running Windows 10 Pro running Version 1903 will be classed as one type, and all devices running Windows 10 Pro Version 2004 would be classed as another type.
Of each type, a certain amount will be required to be tested.
For example: If an organisation has 50 Microsoft Windows 10 1903 desktops, 30 Mac-book Pro Catalina Laptops, and 10 Windows Server 2016, we would test 4 desktops, 4 mac-books, and 3 servers.
Organisations complete the IASME self-assessment questionnaire (SAQ). This must be verified and signed off by a member of the board or an equivalent signatory. It is then independently verified by a certification body trained and licensed to certify against the government’s Cyber Essentials scheme.
