Cyber Essentials and Cyber Essentials Plus Certification
In considering IT secuirty for any organisation and also looking at recognised standards applicable to security. There is a UK government endorsed base standard for IT security in businesses (specifically by the National Cyber Security Centre) which represents a good baseline for security and ensuring that there is no low hanging fruit so far as attack surface in IT within your organisation goes.
A good approach would be to pursue this standard and certification, which forms a base certification and could be a stepping stone to higher level certification such as the gold standard of ISO27001 security and controls.
The process for achieving Cyber Essentials certification is relatively straightforward, and in many areas you may already comply with required measures; though these still need to be demonstrated, documented and communicated where relevant.
There are two levels of the Cyber Essentials certification – the first is a self certification (remote assessment of the questions and , and the second is an externally audited certification. These are awarded as Cyber Essentials and Cyber Essentials Plus certifications respectively.
Onega staff are happy to work with you to achieve both levels of the certification.
- Assess the points of the standard and help make changes to technical measures such as might be required to achieve a passing assessment
- Write any relevant policies that need to be incorporated into a staff manual for compliance with the standard.
- Do such work as needs to be done to get you to a state where we can confirm the standard on a ‘self certified’ basis. This achieves the ‘Cyber Essentials’ certification.
- If we need to implement any new systems or technical aspects for good certification ability, then we will install and configure these as part of the process.
- Upon completion of the self certification phase, we will then liaise with a certification body so that the work can be independently assessed and audited such that Cyber Essentials Plus certification is achieved.
- You will need to cover the cost of any products or services (enhanced malware defence or third party product utilities) purchase and/ or subscription costs such as may be required to bring things up to spec. These will of course be discussed and agreed as options where identified.
- Co-operate with inserting the relevant updates or new sections on security into such company manuals as might be appropriate and communicate these changes internally.
- Facilitate such staff training as might be required relating to the measures and standards put in place to ensure compliance and staff vigilance on security.
Time / Investment:
Certification by a competent certifying body on the self assessment basis is approx. £500 ex VAT
Once the above is achieved, the Essentials Plus Certification can be done which is the external audit (with onsite visit) part.
Certification by a competent certifying body with onsite audit to Cyber Essentials Plus Certification is approx. £1500 ex VAT
Time on behalf of Onega staff to run through the process depends on organisational scale and complexity, but typical engagements for a smaller organisation might represent approximately three to six days of work over a period, which equates to roughly £2,040 to £4,080 ex VAT which allows for sufficient time to document, liaise and conduct against technical work such as might be required to achieve certifictation as well as liaison with the onsite assessor when that comes to the case.
There may be costs for bringing any failing systems up to date. Ie if a third party system in use in your organisation needs to be supported but is out of date then it may need support renewals / subscription renewals etc. These (if any) will come to light during the process of the initial self-certification.
Overall this is a very worthwhile process to complete and ensure your IT is fully aligned with the standards baseline.
Stage 1: Cyber Essentials Certification
Stage 2: Cyber Essentials Plus Certification
General – You will have been confirmed as having a good baseline security configuration for IT and though continued vigilance is required it does mean that core security areas are covered to reduce risks.
Sleep a little easier.