Cyber Essentials and Cyber Essentials Plus – what is the difference?

Jun 15, 2023 | Cyber Essentials

Cyber Essentials is an independently verified self-assessment certification that demonstrates that an organisation has the most important cyber security controls in place.

The annually renewable certification scheme consists of five controls that will reduce the impact of commodity* cyber attacks from the internet.

*Commodity is a term used to describe common, low skill, low sophistication cyber attacks that rely on tools which are widely available on the internet.

The same scheme but a higher level of assurance

Cyber Essentials Plus is based on the same technical requirements as Cyber Essentials and starts with the Cyber Essentials verified assessment questionnaire. The difference is that Cyber Essentials Plus also includes a technical audit of your IT systems to verify that the controls are in place. In this way, it gives more assurance that you are complying with the scheme.

It is also worth noting that the pass bar is set slightly higher for Cyber Essentials Plus. Whereas it is possible to pass the Cyber Essentials verified self-assessment with one or two non-compliances, if a non-compliance is discovered during Cyber Essentials Plus, the applicant has 30 days to remediate it and will not be able to pass until it is remediated. This means that even though the technical requirements are the same, the pass bar is set to a higher level. It is an audit of the technical requirements rather than a direct audit of the answers given in your verified self-assessment.

How does the verified self-assessment work?

The Cyber Essentials assessment consists of a verified self-assessment questionnaire which must be answered on the assessment platform after registering for certification. Organisations are encouraged to download the question set from the IASME website to help them understand the questions and prepare their answers in advance before registering for certification. It is possible to cut and paste your answers from the preparation spreadsheet onto the assessment platform, but your completed answers on a spreadsheet will not be accepted for assessment.

Once registered for certification, organisations log onto a secure portal to answer exactly the same questions that are available to be downloaded from the website. The questions address the scope of the assessment and the five core controls. These include user access control, secure configuration, security update management, firewalls and routers, and malware protection.

A senior member of the board must e-sign a document to verify that all the answers are true and then a qualified external Assessor will mark the answers. Organisations have 6 months from the date of application to pass the assessment and attain certification.

The Cyber Essentials verified self-assessment questions can be downloaded for free (for preparation only). Certification costs £300 + VAT for a micro-organisation (1-9 employees). Small, medium and large organisations will pay a little more, on a sliding scale that aims to reflect the complexity involved in assessing larger organisations.

How does the Cyber Essentials Plus audit work?

An organisation can complete their Cyber Essentials Plus audit within 3 months of their last Cyber Essentials certification.

The audit can be carried out on site or remotely and includes vulnerability scans of the organisation’s scoped infrastructure. The auditor will also carry out some checks by observing users carrying out everyday tasks on a set of sampled devices.

The tests that currently take place are:

  • An external scan from the internet against each one of the applicant’s public IP addresses. The purpose of this scan is to check for any vulnerabilities or open services that could be publicly discovered and to confirm that access control has been configured securely.

  • A sample of devices that is representative of the applicant’s infrastructure is tested. This will include servers, desktop computers, laptops, thin clients, tablets and mobile phones. To make sure a full sample is taken, each type of Operating System is required to be tested.

The sampled devices will have the following checks carried out:

  • A full vulnerability scan or manual check against each device to confirm that all installed software is supported and has had all high and critical vulnerability patches applied within 14 days.

  • Where it is in place, a check of malware protection for each device. This will include manual configuration checks or test files being sent via email and through a web browser and observing what happens when the user clicks on the files. (All test files are safe and benign.)

  • A check for account separation where the auditor asks each user from every sampled device to confirm they cannot carry out administrator functions on their standard user accounts.

  • A check against all cloud services to confirm that the users of the sampled devices are presented with a multi-factor authentication challenge when trying to log on to all cloud services that they use. (All cloud services need to have at least one standard user and one administrator’s account checked.)
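The patching check above turns a scanner's output into a pass/fail decision: any high or critical fix that has been available for more than 14 days and is still missing, or any unsupported software, is a non-compliance. The following Python sketch is an added illustration of that rule, not part of the IASME article or any Certification Body's tooling; the Finding and Device shapes and the constructed sample results are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

PATCH_WINDOW_DAYS = 14                     # CE+ limit for high/critical fixes
IN_SCOPE_SEVERITIES = {"high", "critical"}  # lower severities are not assessed here


@dataclass
class Finding:
    """One scanner finding on a device (assumed shape, not a real scanner format)."""
    software: str
    severity: str         # severity as reported by the scanner/vendor
    patch_released: date  # date the vendor fix became available
    patched: bool         # whether the fix is installed on the device


@dataclass
class Device:
    name: str
    unsupported_software: list = field(default_factory=list)  # out-of-support products
    findings: list = field(default_factory=list)


def assess_device(device: Device, today: date) -> list:
    """Return the CE+ non-compliances for one sampled device (empty list = pass)."""
    issues = []
    for sw in device.unsupported_software:
        issues.append(f"{device.name}: unsupported software installed: {sw}")
    for f in device.findings:
        if f.severity.lower() not in IN_SCOPE_SEVERITIES or f.patched:
            continue
        age = (today - f.patch_released).days
        if age > PATCH_WINDOW_DAYS:  # fix available longer than the window and still missing
            issues.append(f"{device.name}: {f.software} {f.severity} fix "
                          f"available {age} days, limit {PATCH_WINDOW_DAYS}")
    return issues


def assess_sample(devices: list, today: date) -> list:
    """Aggregate non-compliances across the whole device sample."""
    return [issue for d in devices for issue in assess_device(d, today)]


# Constructed sample results for a two-device sample, assessed on 2023-06-15.
ASSESSMENT_DATE = date(2023, 6, 15)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", findings=[
        Finding("browser", "critical", date(2023, 5, 20), patched=False),  # 26 days: fail
        Finding("office-suite", "high", date(2023, 6, 5), patched=False),  # 10 days: still OK
        Finding("pdf-reader", "medium", date(2023, 3, 1), patched=False),  # out of scope
    ]),
    Device("SRV-01", unsupported_software=["legacy-app 1.0 (vendor end-of-life)"]),
]
```

Running `assess_sample(SAMPLE_DEVICES, ASSESSMENT_DATE)` reports two non-compliances: the 26-day-old critical fix on LAPTOP-01 and the unsupported product on SRV-01.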

How to get a quote

As the Cyber Essentials Plus assessment needs time from technical experts, it is more expensive than the basic level Cyber Essentials. The cost will depend on the size and complexity of the network. IASME has a number of Certification Bodies who are trained and licensed to do the Cyber Essentials Plus audit. A quote for Cyber Essentials Plus can be applied for via the IASME website, and the applicant will be emailed quotes from three different Certification Bodies. Alternatively, the applicant can choose a Certification Body and contact them directly for a quote.