Cyber Essentials

How to get your Business Certified

The first stage in the certification process is to decide which level to certify against – Cyber Essentials or Cyber Essentials Plus.  Whichever you choose, you will have to appoint a Certifying Body.  A list of the CREST certifying bodies can be found here.
 

  • Cyber Essentials - organisations complete a self-assessment questionnaire which is reviewed by an external Certifying Body
  • Cyber Essentials Plus - tests of an organisation's systems are carried out by an external Certifying Body

Both Cyber Essentials and Cyber Essentials Plus include a questionnaire which relates to security controls and the secure configuration of an organisation’s computing resources. At the Cyber Essentials level, CREST Certifying Bodies also conduct a remote technical assessment aimed at validating elements of the questionnaire.

The key differentiator for Cyber Essentials Plus is the inclusion of a technical review of the organisation’s workstations. This additional phase of testing increases the validity of certification considerably by providing evidence of compliance against the following scenarios:
  • Can malicious files enter the organisation from the Internet through either web traffic or email messages?
  • Should malicious content enter the organisation, how effective are the anti-virus and malware protection mechanisms?
  • Should the organisation’s protection mechanisms fail, how likely is it that the organisation will be compromised due to failings in the patching of the organisation’s workstations?
 
Cyber Essentials Plus is a more thorough assessment of the organisation and, as a result, may provide greater security assurance. However, it does come at an additional cost, which will factor into the decision-making process. Ultimately, the decision on which level to certify against will be influenced by an organisation’s cyber security stance and those of its business partners, suppliers and stakeholders.
 
Once an organisation has been assessed against the Cyber Essentials security criteria and passes, it will receive the relevant Cyber Essentials award (badge) based on the level of certification achieved, which demonstrates that it has achieved a fundamental level of cyber security.
 