What are the main differences between Cyber Essentials, Cyber Essentials Plus and IASME Governance?

I want to get my company cyber security certified. Which scheme should I go for? And what is the difference?

The Cyber Essentials Scheme is a Government scheme that helps organisations of all sizes to protect themselves against the most common threats from the internet. Being Cyber Essentials certified also signals to other companies and your customers that you take cyber security seriously and can be trusted with their information. The scheme covers five main technical controls which are:

  • Securing your Internet connection (firewalls and routers)
  • Securing your devices and software (secure configuration)
  • Controlling access to your data and services (access control)
  • Protection against viruses and other malware (malware protection)
  • Keeping your devices and software up to date (software updates)

The Cyber Essentials scheme offers two levels: 1) self-assessed and independently verified, and 2) the ‘Plus’ level, which includes an independent technical audit.

Cyber Essentials

The ‘basic’ level is self-assessed and independently verified. It works in the format of a questionnaire which has eight sections and a total of 70 questions.

You must answer all the questions. Before you submit your completed assessment, your answers must be approved by a Board-level representative, business owner or the equivalent, who must sign a declaration that all the answers are correct.

Cyber Essentials is suitable for any organisation. Most micro* and small* businesses find the process of preparing for the Cyber Essentials questionnaire intensely educational and many report^ that it leads to increased awareness and permanent behaviour change regarding cyber security. Larger* organisations are often already implementing many of the security controls detailed in Cyber Essentials, but they might be looking to qualify for a Government contract or to reassure their customers, and so seek to demonstrate their cyber security commitment in a highly visible way via this recognised, Government-approved scheme.

You can see all of the Cyber Essentials questions by downloading the questionnaire from the IASME website free of charge.

If you need some help with the questions and controls, there are several places to get advice.  IASME has a network of Certification Bodies who are skilled information assurance companies and who can provide reasonably priced advice and practical help for you to achieve this certification. Find your nearest Certification Body by visiting IASME’s website.

The Cyber Essentials assessment costs £300 +VAT.

Cyber Essentials Plus

This scheme includes the Cyber Essentials questionnaire but also involves an independent technical audit of your systems to verify that the Cyber Essentials controls are in place.

The audit includes a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. Your assessor will test a suitable random sample of these systems (typically around 10 per cent) and then make a decision whether further testing is required.

You will need to complete the Cyber Essentials self-assessment to be certificated to Cyber Essentials Plus; however, your chosen Certification Body can do the self-assessment at the same time as your Cyber Essentials Plus. If you already have the self-assessed Cyber Essentials, you will need to complete your Cyber Essentials Plus audit within 3 months of your ‘basic’ certification.

The Cyber Essentials Plus assessor would normally visit your head office and a representative sample of your other offices in order to carry out the tests. In the current climate, however, all audits are being run remotely.

In general, the organisations that choose to certify with Cyber Essentials Plus report having a greater peace of mind knowing that the controls are all being followed correctly.

The cost of a Cyber Essentials Plus assessment will depend on the size and complexity of your organisation. You can request a quote from IASME approved Certification Bodies via the IASME website, or by contacting the Certification Bodies directly. If you choose to contact the Certification Bodies directly, you can see a full list of IASME licensed companies on our website. We have marked which Certification Bodies offer Cyber Essentials, Cyber Essentials Plus or both.

IASME Governance 

This certification allows smaller companies to demonstrate their level of cyber security and information governance for a realistic cost. It indicates that they are taking further steps to properly protect their customers’ information and are also meeting the data protection requirements of GDPR.

The IASME Governance standard is aligned to a similar set of controls as ISO 27001* but is more practical, affordable and achievable for small and medium sized organisations to implement.

This standard complements and builds on Cyber Essentials. Indeed, it even includes a Cyber Essentials assessment and the GDPR requirements. Whereas Cyber Essentials checks the technical controls, this standard also includes a check against key governance aspects, such as:

  • Risk assessment and management
  • Training and managing people
  • Change management
  • Monitoring
  • Backup
  • Incident response and business continuity

IASME Governance has also been mapped against, and is inclusive of, the controls which are recommended in the Government’s Ten Steps to Cyber Security.

Like the Cyber Essentials Scheme, IASME Governance offers two levels. IASME Governance self-assessed works in exactly the same way as Cyber Essentials self-assessed, i.e. a questionnaire format that is independently checked by an IASME approved assessor.

The cost of basic IASME Governance certification is £400 + VAT. Find out more about IASME Governance and apply here.

IASME Governance Audited (or Gold) involves an onsite audit of your governance processes and procedures covered by the IASME Governance standard. As per Cyber Essentials Plus, an assessor would normally visit your head office and a representative sample of your other offices in order to carry out the checks. In the current climate, however, all audits are being run remotely. You can get a quote for IASME Governance Audited here.

  • *Micro business (A turnover of £632,000 or less, and 10 employees or less)
  • *Small business (A turnover of £6.5 million or less, and 50 employees or less)
  • *Large business (A turnover of over £25.9 million and 250 employees or more)
  • ^Britain Thinks: Cyber Essentials evaluation report on behalf of NCSC. June 2020
  • *ISO 27001 is the internationally recognised best practice framework for an Information Security Management System