How to get your Business Certified
The first stage in the certification process is to decide which level to certify against – Cyber Essentials or Cyber Essentials Plus. Whichever you choose, you will have to appoint a Certifying Body. A list of the CREST certifying bodies can be found here.
- Cyber Essentials - organisations complete a self-assessment questionnaire which is reviewed by an external Certifying Body
- Cyber Essentials Plus - tests of an organisation's systems are carried out by an external Certifying Body
Both Cyber Essentials and Cyber Essentials Plus include a questionnaire covering the security controls and the secure configuration of an organisation’s computing resources. At the Cyber Essentials level, CREST Certifying Bodies also conduct a remote technical assessment aimed at validating elements of the questionnaire.
The key differentiator for Cyber Essentials Plus is the inclusion of a technical review of the organisation’s workstations. This additional phase of testing increases the validity of certification considerably by providing evidence of compliance against the following scenarios:
- Can malicious files enter the organisation from the Internet through either web traffic or email messages?
- Should malicious content enter the organisation, how effective are the anti-virus and malware protection mechanisms?
- Should the organisation’s protection mechanisms fail, how likely is it that the organisation will be compromised due to failings in the patching of the organisation’s workstations?