Cyber Essentials Logo

Frequently Asked Questions

How much does it cost for a basic level Cyber Essentials Assessment?

The pricing of Cyber Essentials has a tiered structure based on organisation size. Prices start from $420£320 + VAT€380 + VAT for an assessment for micro-organisations. Small, medium and large organisations pay a little more, on a sliding scale up to a maximum of $780£600 + VAT€710 which aims to reflect the complexity involved in assessing larger organisations (see table below).

Pricing Structure

 

Pricing Structure

ce-image

Micro Organisations

0-9 Employees

$420£320 + VAT€380

Small Organisations

10-49 Employees

$570£440 + VAT€520

Medium Organisations

50-249 Employees

$650£500 + VAT€590

Large Organisations

250+ Employees

$780£600 + VAT€710

 

On average, how long does certification take to complete?

It is a good idea to download the question set in advance (available for free from the website here)and prepare the answers before applying. By doing this, you can ensure that there are no unexpected aspects that may take a significant amount of time to comply with. As soon as you have paid, we will send you login details for your online assessment portal.  You will have 6 months to complete your assessment before your account is deleted and unfortunately, we cannot issue a refund if this happens.

If you have prepared your answers in advance, filling out the self-assessment might only take about an hour. Once the questions have been submitted, most Assessors will aim to get the results back to you within 3 days.  If you have not been successful, you will then have 2 working days to address the issues, update your answers and resubmit.  The Assessor will then aim to take no more than 3 days to remark the assessment. If you have not included enough information for the Assessor to be able to mark a question, they will return it to you asking for more information.  This step will also take a few days.

Where can I find the document which describes the full Requirements for the Cyber Essentials Scheme?

You can download the requirements from the UK Government website here.

You can see our overview here.

Which UK government contracts will I need Cyber Essentials certification for?

Cyber Essentials is now required in a large number of central government contracts and an increasing number of local government contracts.

You can see the document to UK Government Procurement Officers which specifies that Cyber Essentials is required in many cases for suppliers to government departments here.

In particular, Cyber Essentials is required for Ministry of Defence suppliers for all of their supply chain that handles defence information. See more here.

What's the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials Plus starts with the Cyber Essentials verified self-assessment questionnaire but also includes a technical audit of the organisation’s systems to verify that the Cyber Essentials controls are in place. The audit includes an internal and external vulnerability scan and then focuses on a random selection of user devices, all internet gateways and all servers which are accessible to internet users. The Assessor will test a random sample of these systems (typically around 10 per cent) and then make a decision about whether further testing is needed. 

The controls for Cyber Essentials and Cyber Essentials Plus are exactly the same but the level of assurance is different. Cyber Essentials Plus offers a higher level of assurance as the controls have been checked by a third party to ensure they are correctly implemented.

How much does it cost for a Cyber Essentials Plus assessment?

As the Cyber Essentials Plus assessment needs more dedicated time from technical experts, it is more expensive than the verified self-assessment. The cost will depend on the size and complexity of the network.  IASME has a number of Certification Bodies who are trained and licensed to do the Cyber Essentials Plus audit. The Cyber Essentials Plus assessment has to be quoted for individually. You can submit some details via the form here or via the IASME website, and you will be emailed quotes from three different Certification Bodies. The audits can be run remotely or in person.

As a rough estimate a Cyber Essentials Plus assessment for a small, simple company will cost in the region of £1,400. Our Certification Bodies aim to minimise the cost to your company.

Is a vulnerability scan required as part of the Cyber Essentials basic level?

The verified self-assessment level of Cyber Essentials does not include any additional test or vulnerability scan. However, one of your Board members will have to sign a declaration to verify that all the answers you have entered are true.

Can I see the self-assessment questions before I pay for an assessment?

You can download all the self-assessment questions in pdf and excel format free of charge here

What is involved in a Cyber Essentials Plus assessment ?

Cyber Essentials Plus involves a technical audit of the systems that are in-scope for Cyber Essentials. This includes: a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. The Assessor will test a suitable random sample of these systems (typically around 10 per cent) and then make a decision whether further testing is required.

The Cyber Essentials question set is part of the Cyber Essentials Plus certification process.  If you have achieved the verified self-assessment Cyber Essentials certification less than 3 months before certifying to Cyber Essentials Plus you will not need to repeat the self-assessment questions stage.

How many of the questions do I need to get right to pass?

You need to be compliant in nearly all the questions to pass the Cyber Essentials assessment. In particular, you will not be able to attain Cyber Essentials if you are using unsupported software within the scope of the assessment.   

Are there any automatic fail questions?

Any company using unsupported software in the scope of the assessment, will fail to achieve Cyber Essentials certification.

If I fail will I get feedback about why I failed?

All clients get feedback on any aspect of the assessment which is not fully compliant. You will get a report including all the answers you gave and comments from the assessor against any that were considered non-compliant. If you fail the assessment this feedback should help you improve your security so you can pass in the future.

Where can I get more information about the included Cyber Insurance?

We have a separate set of frequently asked questions and answers about the included insurance here.  For further information contact [email protected] or call +44 (0)1905 21681.

If I fail will I have to pay again to take the assessment again?

If you fail, we allow you two working days to examine the feedback from the Assessor and change any simple issues with your network and policies. You can then update your answers and the Assessor will have another look without any extra charges. However, if you still fail after these two days you will have to reapply and pay the assessment fee again.

I am not sure I understand the questions - where can I get help?

To help organisations get started in understanding their cyber security, IASME, in partnership with the National Cyber Security Centre, have created a free online tool. The Cyber Essentials Readiness Tool is accessible in the form of a set of interactive questions on the IASME website. The process of working through the questions will inform you about your current level of cyber security in relation to where you need to be to achieve Cyber Essentials. You will be directed towards guidance written in plain English based on your answers, and at the end of the process, be presented with a tailored action plan and detailed guidance for your next steps towards certification.

For in depth and bespoke support, you can contact one of the Cyber Essentials Certification Bodies located around the UK and Crown Dependencies. These specialists are trained and licenced to certify against Cyber Essentials and can offer consulting services to help organisations of all sizes achieve certification.

For simple questions , you can ask the Cyber Essentials LinkedIn advice group.

You can post your questions and receive free advice from the “Cyber Essentials Advice Group”. Join this group here.

How can I become an Assessor?

To become an IASME Certification Body and Assessor, someone from your company will need to attend and pass the relevant Assessor courses.  More details about requirements for Assessors can be seen here. We work with companies of all sizes; micro companies and one man bands are welcome partners.

Where can I find information about securing my company?

You can see links to some helpful websites here.

How long does the certification last before I have to renew my Cyber Essentials certification?

Cyber Essentials is an annually renewable certification.

Cyber Essentials and Cyber Essentials Plus certificates expire after 12 months. We remove companies from our ‘certified organisations’ list if they have not been certified in the past year.

How long will I have to complete and submit my assessment?

You will have 6 months from the date of application to complete and submit your assessment. After this time, your account may be closed and you would have to apply and pay again if you wanted to be assessed.

How can I remember to re-certify within a year?

We will email you with a reminder roughly a month before you have to be re-certified. 

When I re-certify will I have to enter all the information again?

You do need to enter all the information each time you certify. This serves as an annual review of your cyber security. Please note, some of the questions may have been updated and changed. Please remember to keep a copy of your answers when you submit so you can refer to them when you re-certify the following year.

Cyber Essentials logo

Frequently Asked Questions

What is the difference between the Cyber Essentials Scheme and the IASME Cyber Assurance Scheme?

The Cyber Essentials Scheme is a Government scheme that helps organisations to guard against the most common cyber threats from the internet and demonstrate commitment to cyber security. It covers five main technical controls which will protect companies against an estimated 80% of common internet threats. The controls are:

  • Secure your Internet connection (Firewalls and routers)
  • Secure your devices and software (Secure configuration)
  • Control access to your data and services (Access control)
  • Protect from viruses and other malware (Malware protection)
  • Keep your devices and software up to date (Software updates)

 

IASME Cyber Assurance certification is aligned to the Government’s Ten Steps to Cyber Security and covers the General Data Protection Regulation (GDPR) and privacy requirements. IASME Cyber Assurance is aligned to a similar set of controls in other international security standards but is more affordable and achievable for small and medium sized organisations to implement.

Cyber Essentials certification is required before undertaking the IASME Cyber Assurance assessment.

Is IASME Cyber Assurance Audited the same as Cyber Essentials PLUS?

No – Cyber Essentials Plus is an audited level of the Cyber Essentials assessment, testing the 5 Cyber Essentials controls only. IASME Cyber Assurance Level 2 is an independent on-site audit of the level of information security provided by your organisation, against the IASME Cyber Assurance standard. It is aligned to a similar set of controls in other international security standards but is more affordable and achievable for small and medium sized organisations to implement. The standard includes GDPR and privacy requirements and adds additional topics that mostly relate to people and processes, for example:

  • Risk assessment and management
  • Training and managing people
  • Change management
  • Monitoring
  • Backup
  • Incident response and business continuity

Can I apply to do Cyber Essentials and IASME Cyber Assurance together?

You can apply for Cyber Essentials and IASME Cyber Assurance at the same time. However, you cannot start your IASME Cyber Assurance application until you have successfully achieved Cyber Essentials.

Both standards have a tiered pricing structure and are chargeable separately.

 

Pricing Structure

ce-image

Micro Organisations

0-9 Employees

$420£320 + VAT€380

Small Organisations

10-49 Employees

$570£440 + VAT€520

Medium Organisations

50-249 Employees

$650£500 + VAT€590

Large Organisations

250+ Employees

$780£600 + VAT€710

 

Pricing Structure

ca-image

Micro Organisations

0-9 Employees

$420£320 + VAT€380

Small Organisations

10-49 Employees

$570£440 + VAT€520

Medium Organisations

50-249 Employees

$650£500 + VAT€590

Large Organisations

250+ Employees

$780£600 + VAT€710

Does the price for IASME Cyber Assurance include the price of Cyber Essentials certification?

No.  Both Cyber Essentials and IASME Cyber Assurance Level 1 have a tiered pricing structure as per the tables below and they are charged separately.

Pricing Structure

ce-image

Micro Organisations

0-9 Employees

$420£320 + VAT€380

Small Organisations

10-49 Employees

$570£440 + VAT€520

Medium Organisations

50-249 Employees

$650£500 + VAT€590

Large Organisations

250+ Employees

$780£600 + VAT€710

 

Pricing Structure

ca-image

Micro Organisations

0-9 Employees

$420£320 + VAT€380

Small Organisations

10-49 Employees

$570£440 + VAT€520

Medium Organisations

50-249 Employees

$650£500 + VAT€590

Large Organisations

250+ Employees

$780£600 + VAT€710

How does IASME Cyber Assurance map to other standards including ISO 27001?

We have mapped IASME Cyber Assurance to a variety of standards including ISO 27001. For more information please click here.

IASME Cyber Baseline logo orange circle with a tick

Frequently Asked Questions

What is IASME Cyber Baseline?

IASME Cyber Baseline is an international cyber hygiene certification scheme that tackles the basic, but critical, cyber security protection measures. The scheme is an important first step for many organisations in proving that they are serious about cyber security. It is a pre-requisite to the next step of certifying to the comprehensive risk-based and policy-driven standard, IASME Cyber Assurance.

How do I certify?

The IASME Cyber Baseline assessment consists of a verified assessment questionnaire which must be answered on the assessment platform after registering for certification. A senior member of the board or equivalent from your organisation must e-sign a document to verify that all the answers are true and then a qualified external Assessor will mark the answers. Organisations have 6 months from the date of application to pass the assessment and attain certification.

Prepare – Register – Pay – Complete – Certify

You can download the assessment questions free of charge before you certify. It is a good idea to prepare your answers in advance on a working document or spreadsheet which you can copy onto the assessment platform when you are ready. When you wish to apply, register for certification and make a payment.

Download the IASME Cyber Baseline assessment questions
Apply Now for IASME Cyber Baseline

Once your application and payment have been received, you will receive your online assessment portal log-in details so that you can enter your answers into the on-line assessment platform.

It is possible to cut and paste your answers from the preparation spreadsheet onto the assessment platform, but your completed answers on a spreadsheet will not be accepted for assessment. The questions address the scope of the assessment and the cyber security measures around 8 themes. These include organisation structure, asset management, secure architecture, people management, access control, technical intrusion, back up and restore and resilience. You do not have to complete all of your answers at once – you can save them as you go along.

Please note there is a time limit of 6 months from when you purchase your assessment account to completing the assessment. Once you have submitted your assessment for marking, your Assessor may send you feedback. You then have 2 working days to address any feedback.

Once you submit your answers, it will usually take 2 – 3 days to get the result back to you. If you have a tight deadline for certification, then please let us know and we will do our best to help you meet it.

How much does it cost?

The pricing of IASME Cyber Baseline has a tiered structure based on organisation size. Prices start from $390£300 + VAT€360 for an assessment for micro-organisations. Small, medium and large organisations pay a little more, on a sliding scale up to a maximum of $650£500 + VAT€590, which aims to reflect the complexity involved in assessing larger organisations (see table below).

 

Pricing Structure

cb-image

Micro Organisations

0-9 Employees

$390£300 + VAT€360

Small Organisations

10-49 Employees

$520£400 + VAT€470

Medium Organisations

50-249 Employees

$590£450 + VAT€530

Large Organisations

250+ Employees

$650£500 + VAT€590

How do I pay?

At the checkout you can pay via card or your PayPal account using the PayPal platform, or alternatively, you can request an invoice be sent to you so you can pay via bank transfer (BACS).

How long will it take me?

It is a good idea to download the question set in advance (available for free from the website here) and prepare the answers before applying. By doing this, you can ensure that there are no unexpected aspects that may take a significant amount of time to comply with. As soon as you have paid, we will send you login details for your online assessment portal.  You will have 6 months to complete your assessment before your account is deleted and unfortunately, we cannot issue a refund if this happens.

If you have prepared your answers in advance, filling out the self-assessment might only take about an hour. Once the questions have been submitted, most Assessors will aim to get the results back to you within 3 days.  If you have not been successful, you will then have 2 working days to address the issues, update your answers and resubmit.  The Assessor will then aim to take no more than 3 days to remark the assessment. If you have not included enough information for the Assessor to be able to mark a question, they will return it to you asking for more information.  This step will also take a few days.

How long does certification last?

IASME Cyber Baseline is an annually renewable certification.

How do I prepare?

It is a good idea to prepare your assessment answers early using a working document or spreadsheet. The current assessment question set is available to download from the link below as either a pdf or an excel spreadsheet.  

Download the IASME Cyber Baseline assessment questions here.

Who can help me?

Certification Bodies

IASME has a network of trained and licensed cyber security consultants which we call, Certification Bodies or CBs. These experts, located all over the world can support your organisation in preparing and certifying against IASME Cyber Baseline. 

Further questions

Contact a member of the IASME team via email: [email protected]

Or phone: 03300 882 752

or via our website: https://iasme.co.uk/contact-us/ 

How will I get my assessment results and certificate?

IASME ensures that its certificates and badges are secure, transparent and verifiable by using BlockMark digital certificates. Your IASME Cyber Baseline certificate will be a digital BlockMark certificate.

You will first receive an email informing you of your assessment results, following that, you will receive a second email with an attachment of your certificate as a PDF. Within the second email, you will receive a link to create an account on BlockMark that will allow you to access and download your certificate as a digital badge and certificate.  You will be able to embed your badge in your email and website footer as verifiable proof you hold certification.  Your badge should only be used in accordance with the branding guidelines which you can see when you access your account to download your certificate.

 For more information about BlockMark certificates and accounts, please read our user guide here.

What is IASME Cyber Assurance?

IASME Cyber Assurance is a comprehensive risk based standard that covers 13 cyber security themes that include data privacy and policies and procedures. IASME Cyber Baseline allows organisations to start their cyber security journey focusing on 8 of the 13 themes and is a pre-requisite to certifying to IASME Cyber Assurance. 

Can I do IASME Cyber Baseline and IASME Cyber Assurance all in one go?

You can apply for IASME Cyber Baseline and IASME Cyber Assurance at the same time. However, you cannot start your IASME Cyber Assurance application until you have successfully achieved IASME Cyber Baseline.

Both standards have a tiered pricing structure and are chargeable separately.

How do I become an IASME Cyber Baseline Assessor or Certification Body?

To become an IASME Certification Body and Assessor, someone from your company will need to attend and pass the relevant Assessor courses.  More details about requirements for Assessors can be gained by emailing our Training Team on [email protected]
We work with companies of all sizes; micro companies and one person organisations are welcome partners.

Find Out More

Have an enquiry? Leave a message with our team.