Frequently Asked Questions

How much does it cost for a basic level Cyber Essentials Assessment?

Prices start from £300 + VAT for each assessment.

As soon as you have paid we will send you login details for your online assessment portal. You will have 6 months to complete your assessment before your account is archived. Unfortunately we cannot issue a refund if this happens so please do not apply until you think you are ready for the assessment.

Pricing Structure

Micro Organisations (0-9 Employees): £300 + VAT

Small Organisations (10-49 Employees): £400 + VAT

Medium Organisations (50-249 Employees): £450 + VAT

Large Organisations (250+ Employees): £500 + VAT

Where can I find the document which describes the full Requirements for the Cyber Essentials Scheme?

You can download the requirements from the UK Government website here.

You can see our overview here.

Which UK government contracts will I need Cyber Essentials certification for?

You can see the note to UK Government Procurement Officers, which specifies that Cyber Essentials is mandated in many cases for suppliers to all central government departments, here.

From 1st January 2016 the Ministry of Defence mandated Cyber Essentials for all its new suppliers and also their relevant supply chain. See more here.

In July 2016 the UK Government Department of Health, National Data Guardian (NDG) published the “Review of data security, consent and opt-outs”, which recommended: “All health and social care organisations should provide evidence that they are taking action to improve cyber security, for example through the ‘Cyber Essentials’ scheme. The ‘Cyber Essentials’ scheme should be tested in a wider number of GP practices, Trusts and social care settings.” We are now seeing an increasing number of health care organisations being required to have Cyber Essentials or Cyber Essentials Plus for NHS contracts.

How much does it cost for a Cyber Essentials Plus assessment?

The Cyber Essentials Plus assessments have to be quoted for individually. You can submit some details via the form here and two Certification Bodies will email a quote to you.

Cyber Essentials Plus involves a technical audit of the systems that are in-scope for Cyber Essentials. This includes: a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. The assessor will test a suitable random sample of these systems (typically around 10%) and then make a decision whether further testing is required.

The audits can be run remotely or in person.

As a rough estimate a Cyber Essentials Plus assessment for a small, simple company will cost in the region of £1,400. Our Certification Bodies aim to minimise the cost to your company.

Is a vulnerability scan required as part of the Cyber Essentials basic level?

The basic level assessment of Cyber Essentials only requires a self-assessment. No additional vulnerability scan, test or third-party verification is needed. However, one of your Board members will have to sign a declaration that all the answers you have entered are true.

Can I see the self-assessment questions before I pay for an assessment?

You can download all the self-assessment questions in PDF and Excel format here.

What is involved in a Cyber Essentials Plus assessment?

Cyber Essentials Plus involves a technical audit of the systems that are in-scope for Cyber Essentials. This includes: a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. The assessor will test a suitable random sample of these systems (typically around 10 per cent) and then make a decision whether further testing is required.

The Cyber Essentials question set is part of the Cyber Essentials Plus certification process. If you have achieved the basic level Cyber Essentials certification less than 3 months before certifying to Cyber Essentials Plus, you will not need to repeat the self-assessment questions stage.

The full test specification which all the Accreditation Bodies work to (the Cyber Essentials Plus Common Test Specification) can be downloaded from the NCSC website here.

How many of the questions do I need to get right to pass?

You need to get nearly all the questions right (compliant) to pass the Cyber Essentials assessment. You do need to be controlling all these aspects of your system to be certified. These very strict pass criteria are set by the UK Government. If you are not compliant in some of the questions, we suggest you try to change your processes to meet the requirement, and certainly add notes to explain why you are not compliant in this aspect and how else you control that risk.

Are there any automatic fail questions?

Any company using unsupported software in the scope of the assessment, such as Windows 7, will probably fail to achieve Cyber Essentials certification.

If I fail will I get feedback about why I failed?

All clients get feedback on any aspect of the assessment which is not fully compliant. You will get a PDF of all the answers you gave and comments from the assessor against any that were considered non-compliant. If you fail the assessment, this feedback should help you improve your security so you can pass in the future.

Where can I get more information about the included Cyber Insurance?

We have a separate set of frequently asked questions and answers about the included insurance here.  For further information contact [email protected] or call +44 (0)1905 21681.

If I fail will I have to pay again (from £300) to take the assessment again?

If you fail we allow you two working days to examine the feedback from the assessor and change any simple issues with your network and policies. You can then update your answers and the assessor will have another look without any extra charges. However, if you still fail after these two days you will have to reapply and pay the assessment fee again.

I am not sure I understand the questions - where can I get help?

If you have any questions about how to meet the Cyber Essentials or IASME Cyber Assurance requirements we have a LinkedIn group called “Cyber Essentials Advice Group” where you can post your questions and we will give you free advice. You can join this group here.

If you need more in-depth help then any of the regional companies we have trained as our assessors (Certification Bodies) are ideally placed to support you. Please contact them for help.

How can I become an Assessor?

To become an IASME Certification Body and Assessor someone from your company will need to attend and pass the relevant assessor courses.  More details about requirements for assessors can be seen here. We work with companies of all sizes.  Micro companies / one man bands are welcome partners.

Where can I find information about securing my company?

You can see links to some excellent websites which will help you here.

How quickly can I get certified to Cyber Essentials?

We always do our best to get the Cyber Essentials assessment results back to you as quickly as possible. It usually takes us 1 – 3 working days from the time you submit your assessment. If you have a tight deadline please let us know and we can try to fast-track your assessment.

How long does the certification last before I have to renew my Cyber Essentials certification?

It is recommended by the UK government that you renew your certification at least annually. We remove companies from our ‘certified organisations’ list if they have not been certified in the past year.

From 1st April 2020 Cyber Essentials and Cyber Essentials Plus certificates expire after 12 months.

How long will I have to complete and submit my assessment?

You will have 6 months from date of application to complete and submit your assessment. After this time your account may be closed. You would have to apply and pay again if you wanted to be assessed.

How can I remember to re-certify within a year?

We will email you with a reminder roughly a month before you have to be re-certified.

When I re-certify will I have to enter all the information again?

You currently do need to enter all the information again. The questions have been updated, so they have changed a bit (hopefully improved). However, you can copy and paste the majority of your answers from last year's submission if you have not changed things in your company over the previous year. Please remember to keep a copy of your answers when you submit so you can work with them when you re-certify the following year.

The IASME Consortium Ltd
Wyche Innovation Centre
Upper Colwall
Malvern
WR13 6PL

Company number: 07897132