Cyber Essentials: The Changes

Whether or not you are an existing Cyber Essentials or Cyber Essentials Plus certificate holder, you may be aware that the certification process is going through some changes. These relate almost exclusively to the accreditation process rather than to the actual elements of the certification and framework. We’ll walk you through all of it. Firstly though:

What is the Cyber Essentials Certification scheme?

The scheme is a government-backed, industry-supported initiative. From the government perspective, it is a joint enterprise between the Department for Digital, Culture, Media & Sport (DCMS) and the outward-facing arm of GCHQ, the National Cyber Security Centre (NCSC). At its core is a cyber security framework that aims to ensure organisations have five robust technical controls in place, with the aim of helping you to:

  1. Secure your internet connection
  2. Secure your devices & software
  3. Control access to your data & services
  4. Protect from viruses and other malware
  5. Keep your devices and software up to date

This is achieved via a self-assessment questionnaire. The key to its success is that a company member of director-level status (or equivalent board-level representative) has to sign off that the information contained within the questionnaire is complete and accurate. In effect, this director-level signatory owns the veracity of the certificate and is accountable should any of the information entered later be found to be incorrect.

There are two levels of certification: Cyber Essentials (CE) and Cyber Essentials Plus (CE Plus).

CE Plus uses the same self-assessment questionnaire as CE but adds independent, hands-on technical verification of the controls declared in the questionnaire. This is carried out by the Certification Body (more about Accreditation Bodies and Certification Bodies later), either via an on-site visit or remotely.

The numerous benefits for attaining CE or CE Plus certification include:

  • It is a cost-effective way to demonstrate that your company has the essential elements of cyber security covered
  • It is a requirement when bidding for some government contracts
  • It gives you a clear picture of your business’s cyber security posture
  • Verification by independent experts (when achieving the CE Plus certification)

What has changed with Cyber Essentials then?

When it launched back in 2014 the certification was accredited by five Accreditation Bodies (ABs): APMG International, CREST, IASME Consortium, IRM Information Risk Management and QG Management Standards. These ABs then partnered with a number of Certification Bodies (CBs). Risk Crew, via our parent company Risk Factory Ltd, have been a CB for QG Management Standards since 2015. The job of a CB, as an independent cyber security specialist, is to facilitate and assist organisations through the certification process and to provide the independent verification required for CE Plus.

Once the process has been finalised by the CB, the submission is sent to the AB for verification and a pass or fail is declared. A core component of the scheme is that, by drawing on the expertise of the CBs beforehand, the AB should in theory rarely have to fail a request for certification.

As time passed it became apparent that different ABs were interpreting the framework and questionnaire in different ways. To harmonise the certification process it was therefore decided that just one AB would be used. Beyond making assessment consistent across the board, having a single AB also allows a more streamlined and collaborative partnership between the IASME Consortium (the chosen AB) and the NCSC. Risk Crew have remained a Certification Body and are working with IASME to make the transition smooth. Officially this came into effect on 1st April 2020, but there is built-in flexibility to make the experience as positive and smooth as possible for organisations going through the process during, and in the months immediately following, the transition.

The key changes are:

  • Questionnaires will now be completed online via a dedicated CB portal that is underpinned by IASME infrastructure
  • CE certification now comes with cyber insurance cover of up to £25,000 (for companies with an annual turnover of less than £20 million; more details available on request)
  • Certificates will now carry an official expiry date (12 months from issue), so certification must be renewed annually
  • Those wishing to achieve CE Plus must first achieve CE, and the CE Plus assessment must be completed within 3 months of the CE certificate being issued; previously some ABs allowed CE Plus to be attained on its own
  • Two new questions have been added to the questionnaire set; these simply track and quantify why companies want the certificate, and are not a technical change

Hope that helps. As usual, Risk Crew is on hand to help with any queries or questions you might have. Don’t hesitate to get in contact with us.

Risk Crew