Cyber Essentials vs Cyber Essentials Plus: Everything Businesses Need to Know

Jordan M. Schroeder

Managing CISO

Suppose an organisation in the UK is looking to enhance its cybersecurity credentials, or to show customers, partners or insurers that it is a cyber-resilient business. In that case, the Cyber Essentials scheme is the first place it will look.


The certification is a government-backed programme launched in 2014, and according to recent figures, over 100,000 Cyber Essentials certificates have been issued since its foundation. The UK government believes this has had a profound impact on improving cybersecurity across a wide range of organisations, which in turn has helped drive a more prosperous and resilient UK.


The programme focuses on five key security controls to help protect organisations against 80% of cyberattacks. It is also used to improve operational productivity, increase board involvement in cyber, support the security of remote working, and educate employees in safe cyber habits.

 

Understanding Cyber Essentials and Cyber Essentials Plus

The scheme consists of two levels of assessment, both of which must be renewed annually to maintain accreditation:

  • Cyber Essentials

  • Cyber Essentials Plus



Cyber Essentials is the basic level of accreditation, while Cyber Essentials Plus is the audited version. 


Organisations can pursue Cyber Essentials Plus after they have successfully been certified Cyber Essentials. However, achieving each accreditation is very different and requires varying levels of commitment. 


So, what are these fundamental differences, and what must organisations know before deciding whether to pursue Cyber Essentials Plus?


Cyber Essentials 

Cyber Essentials focuses on getting the basics right, and it costs between £300 and £500, depending on the size and complexity of the organisation.


It consists of a self-assessment questionnaire asking about cyber processes, which a Cyber Essentials Certified Assessor then checks for completeness and correctness. 


To achieve accreditation, organisations must confirm, via the written questionnaire, that they are taking specific steps and following specific processes to protect their assets. However, because the questionnaire is a self-assessment, the assessor does not independently verify that the answers are accurate or that the requirements are actually being applied correctly.


The biggest concern with the self-assessment questionnaire is the risk of an internal ‘cybersecurity mirage’. With IT and security teams working in the same networks daily, it is easy for them to overlook issues they have learned to accept, which could lead to a breach or network compromise. It can also mean respondents answer questions incorrectly because they believe something is happening and do not validate it before completing the questionnaire.


When filling out the questionnaire, honesty is, therefore, the best policy. Inaccurate information leaves an organisation at a higher risk of attack while believing itself protected, so there is a lot to lose.

Furthermore, to prevent erroneous information from being fed into the questionnaire, it is always best to have the answers checked by multiple colleagues before submitting them to the certification body.




Cyber Essentials Plus


Cyber Essentials Plus is an enhanced version of Cyber Essentials that involves an interactive assessment of an organisation’s security controls. The questionnaire remains the same, but an auditor verifies the answers.


The assessment involves a technical audit of systems, which includes a series of internal vulnerability scans, tests of system configurations, plus an external vulnerability scan, all conducted by a certification body.


This audited assessment offers many benefits to businesses because it allows security to be scrutinised by an expert. The assessor will have firsthand knowledge of the techniques used by criminals and can therefore provide vital insight to improve cyber resilience.


The Plus certification is more expensive than the basic version as it is far more rigorous, but accredited organisations are much better prepared to defend against and mitigate cyberattacks.



Selecting the certification to suit your business


In an ideal world, all businesses would achieve Cyber Essentials Plus, as this is better proof of resilience against attacks. However, if this isn’t possible, the initial assessment is still an excellent baseline for businesses wanting to improve their cyber posture. 


While for some businesses Cyber Essentials will be enough, for larger enterprises or businesses that store and process high volumes of personal data, the Plus version will likely suit their needs and regulatory requirements better. It is more labour-intensive and requires external auditors to examine the organisation’s security implementations and processes, but this in-depth examination offers significantly increased assurance.


Another essential point to note with both schemes is that the assessments are based on a moment in time, so the most significant associated risk is “compliance drift”. Businesses must strive to avoid this, and the best way to do so is by running regular internal security check-ups to ensure all requirements continue to be met throughout the year.


Not only will this make it easier when the annual Cyber Essentials assessments occur, but maintaining compliance undisputedly offers the most significant business benefits while providing confidence and assurance to customers and partners. 




Barrier is licensed by the national accreditation body IASME to assess and certify against the Government’s Cyber Essentials scheme requirements. We also offer consulting services to help you achieve Cyber Essentials or Cyber Essentials Plus certifications. We are also a Trusted Partner of the Scottish Business Resilience Centre for Cyber Essentials.

To book a free consultation with our Cyber Essentials Certification specialist, contact us today.
