About the Cyber Essentials Standard
Whether you choose Cyber Essentials or Cyber Essentials Plus, you will have to appoint a Certifying Body. A list of the CREST certifying bodies can be found here.
- Cyber Essentials - organisations complete a self-assessment questionnaire which is reviewed by an external Certifying Body
- Cyber Essentials Plus - tests of an organisation's systems are carried out by an external Certifying Body
Both Cyber Essentials and Cyber Essentials Plus include a questionnaire which relates to security controls and the secure configuration of an organisation’s computing resources.
For Cyber Essentials, CREST Certifying Bodies also conduct a remote technical assessment that validates elements of the questionnaire and provides additional assurance for you.
If you choose to go for Cyber Essentials Plus, the key differentiator is the inclusion of a technical review of the organisation's workstations. This additional phase of testing increases the validity of certification considerably by providing evidence of compliance against the following scenarios:
- Can malicious files enter the organisation from the Internet through either web traffic or email messages?
- Should malicious content enter the organisation, how effective are the anti-virus and malware protection mechanisms?
- Should the organisation's protection mechanisms fail, how likely is it that the organisation will be compromised because of missing patches on its workstations?
Cyber Essentials Plus is a more thorough assessment of the organisation and, as a result, may provide greater security assurance. However, it does come at an additional cost, which will factor into the decision-making process. Ultimately the decision on which level to certify against will be influenced by an organisation's cyber security stance and those of its business partners, suppliers and stakeholders.
Once an organisation has been assessed against the Cyber Essentials security criteria and passes, it will receive the relevant Cyber Essentials award (badge) for the level of certification achieved, which demonstrates that it has achieved a fundamental level of cyber security.