The UK Government’s National Cyber Security Centre introduced the Cyber Essentials (CE) scheme back in 2014 as part of its mission to make the UK the safest place to do business online, and to offer businesses a simple and affordable way to tackle cyber security. The Cyber Essentials controls will protect any organisation from the majority of common internet-based cyber attacks and the certification demonstrates their commitment to cyber security.
Cyber Essentials Plus (CE+) is based on the same five technical controls as Cyber Essentials but also includes a technical audit of the IT systems to verify that the controls are in place.
Who are the Certification Bodies?
IASME is the Government’s Cyber Essentials Delivery Partner, and responsible for delivering the scheme. This would be impossible without the network of over 350 Certification Bodies who are located all around the UK and Crown Dependencies.
Certification Bodies, or CBs, are qualified cyber security companies that are licensed and assured by IASME to offer assessment and certification to Cyber Essentials. All Certification Bodies have to show they meet both security and quality requirements, as well as holding certification themselves for the schemes they wish to deliver (e.g. to be a Cyber Essentials Certification Body you must hold Cyber Essentials certification; to be a Cyber Essentials Plus CB you must hold Cyber Essentials Plus).
The Cyber Essentials Assessors
A Cyber Essentials Assessor is a cyber security expert that is trained and qualified to assess Cyber Essentials applications and issue certification. Some Assessors are also qualified to conduct audits for the Cyber Essentials Plus certification. Each Assessor must go through training and pass the relevant assessments and exams.
How do I become a Certification Body?
Any organisation that would like to be appointed as a Certification Body in the Cyber Essentials scheme will need to apply to IASME.
Certification Bodies must be domiciled in the UK or Crown Dependencies, and a minimum of 70% of their Cyber Essentials certifications must be of UK-based organisations.
IASME Assessor Roles
All Assessors need to work for a Certification Body to be able to carry out assessments.
The following Assessor roles are recognised by IASME; one person can take on both roles if they wish.
- Cyber Essentials (basic) Assessor
- Cyber Essentials Plus Assessor
Cyber Essentials Basic Assessor
For candidates with less than 3 years experience, please find details about the Trainee Cyber Essentials Assessor pathway at the bottom of this blog.
All Cyber Essentials Basic Assessors must have achieved at least three years’ experience in either an information technology or cyber security role during the five years preceding their application.
In addition, all Cyber Essentials Basic Assessors must complete and pass the IASME Assessor Skills Assessment exam unless they meet option A, B or C below. The exam gives candidates who hold relevant skills and experience, but do not hold one of the certifications or memberships listed in those options, an opportunity to demonstrate their skills. The exam contents and marking scheme are agreed between NCSC and IASME and periodically updated.
Option A
Achieve and maintain one of the following certifications:
- ISC2 Certified Information Systems Security Professional (CISSP)
- ISACA Certified Information Security Manager (CISM)
- ISO27001 Lead Auditor
Option B
Hold and maintain membership of the Certified Professional (CCP) scheme at the following level: SIRA, IA Auditor or IA Architect roles at Practitioner-equivalent level or above.
Option C
Hold and maintain UK Cyber Security Council Practitioner, Principal or Chartered professional registration with any specialism.
All new Assessors will be required to meet the above requirements before attending the Cyber Essentials Assessor Training Course.
Cyber Essentials Assessors will need to attend and pass a one day, in-person training course.
Cyber Essentials (basic) training – £580 + VAT
Please contact us and we will send you the details: email us at [email protected] or call us on 03300 882 752.
Following completion of this course, your company will complete the Cyber Essentials verified self-assessment (if you already have an up-to-date certificate, you will not need to do this again). The cost of this depends on the size of your company.
After passing the Assessor training course, you will be qualified to assess against Cyber Essentials (basic) once you are working for a licensed Certification Body.
Cyber Essentials Plus Assessor
If you want to assess against Cyber Essentials Plus, you will need to already be a Cyber Essentials Assessor and be based in the UK or Crown Dependencies.
Every Certification Body that offers Cyber Essentials Plus must, at all times, have at least one Cyber Essentials Plus Assessor who holds at least one of the certifications in list A. This person is referred to as the Lead CE+ Assessor.
List A
- CREST Registered Penetration Tester
- CREST Certified Infrastructure Tester
- Cyber Scheme Team Member (CSTM)
- Cyber Scheme Team Leader (CSTL)
- EC-Council Certified Security Analyst (ECSA): Penetration Testing Practical
- EC-Council Certified Penetration Testing Professional (CPENT)
- Offensive Security Certified Professional (OSCP)
- Practitioner, Principal or Chartered Security Tester under the UK Cyber Security Council
All other CE+ Assessors (not including the Lead CE+ Assessor) must either hold one of the qualifications from List A or pass the Vulnerability Assessment Plus (VA+) Exam. (This is an exam developed by IASME and NCSC, and delivered by The Cyber Scheme.)
All Cyber Essentials Plus Assessors need to attend and pass the online Cyber Essentials Plus training course.
Cyber Essentials Plus training – £580 + VAT
Please contact us and we will send you the details: email us at [email protected] or call us on 03300 882 752.
You will also need to attain Cyber Essentials Plus certification for your company. We encourage the attendees on the course who pass to pair up and assess each other against Cyber Essentials Plus once they have become Certification Bodies.
Become a Certification Body
Once the Assessor has successfully completed the training, gained the relevant certification and passed the exams / assessments, the company they work for can become a Certification Body.
All Certification Bodies have to show they meet both security and quality requirements. They can meet the security requirement by holding one of these certifications:
- UKAS-accredited ISO 27001 certification
- IASME Cyber Assurance Level Two certification
They also need to meet one of these quality requirements:
- UKAS-accredited ISO 9001 certification
- The IASME Quality Principles alongside an IASME Cyber Assurance (Level Two) certification
- The QG Quality Fundamentals+ certification
Certification Bodies must also:
- Sign and return the associated contract
- Pay an annual licence fee
- Pay a one off fee to set up the branded assessment portal in order to conduct assessments
- Keep current any certification that they assess against, e.g. Certification Bodies assessing against Cyber Essentials Plus will need to hold Cyber Essentials Plus certification themselves
If your company is interested in becoming a Certification Body, please contact us at [email protected]. Your professionalism, expertise and attitude are more important to us than size, and we are happy to licence companies of all sizes.
Introducing the Trainee Cyber Essentials Assessor Pathway
The new Trainee Cyber Essentials Assessor programme is an entry-level pathway that is suitable for people with no experience or qualifications in IT or cyber security, or equally for those with good qualifications but limited experience. Candidates cannot start working as a Trainee Cyber Essentials Assessor until they are employed by a CB with a current Cyber Essentials Assessor as mentor.
For existing Cyber Essentials Certification Bodies, the Trainee Cyber Essentials Assessor role is a new way to help less experienced team members become Cyber Essentials Assessors more quickly. The programme aims to equip candidates with the skills, knowledge and mentorship needed to launch successful careers in the field.
The new route involves the following steps:
- Complete and pass a half-day, hands-on, practical assessment, ‘Cyber Basics’, which aligns with the most fundamental cyber security controls.
- Attend the usual one-day Cyber Essentials Assessor training.
- Be employed by a Certification Body and work under the supervision of an experienced CE Assessor who will act as mentor. Build skills and confidence and gain hands-on experience conducting Cyber Essentials assessments.
- Unless they are already on an apprenticeship or have a higher relevant qualification, the Trainee Assessor will usually start a Level 3 IT Apprenticeship. IASME and our partners can advise on this.
- After about eighteen months of being a Trainee Assessor (and marking assessments under the mentor), candidates will usually go through the Assessor Skills Exam and become a full Cyber Essentials Assessor.