Cyber Essentials Plus Testing & Certification

Cyber Essentials certification for medium-sized businesses up to 250 employees

Free Cyber Security Insurance if turnover <£20M

Fixed cost £600

Cyber Assurance is a comprehensive, flexible and affordable cyber security standard. This provides assurance that an organisation has put in place a range of important cyber security, privacy and data protection measures. It aligns directly with the UK Government’s 10 steps to Cyber Security with additional Data Privacy controls and offers smaller companies within a supply chain a ‘right sized’ approach to show their level of information security for a realistic cost.

Important cyber security measures are included such as assessing and managing risk, training people and setting practical policies and procedures. Key resilience strategies are covered and include backing up data, business continuity planning and incident response. Legal and regulatory requirements are also addressed such as your country’s implementation of GDPR (in the UK this is the Data Protection Act). Furthermore, the IASME Cyber Assurance standard was developed over several years during a government funded project. This was in order to create an affordable and achievable alternative to the international standard, ISO 27001. You must have Cyber Essentials first in order to achieve Cyber Assurance.

At Level 2, Cyber Assurance maps well to ISO27001 for Cyber Resilience. A separate page describes this product, and the path to ISO27001.

Cyber Security Awareness Training is probably the first real step towards cyber resilience (after becoming aware that you need cyber awareness training that is!). To be resilient, an organisation not only needs to be able to defend against cyber attacks, but also to recover effectively and quickly if a system problem emerges.

We consider Cyber Essentials to be the obvious next step, because the 5 technical controls harness the power of software that will already be on the system to automatially protect, with assistance of course from users who are aware (e.g. passwords). The cost of getting these controls working effectively could well be minimal! Once achieved, Cyber Essentials certification comes with free cyber liability insurance (up to £25000). You may wish to also get audited (Cyber Essentials plus). No further training is required for that, but you do need to allow an NCSC-approved vulnerability tester into your system.

Once those five technical controls are working effectively, other standards should be considered that use morte robust user controls, and management controls. This can be achieved through Cyber Assurance, PCI-DSS, or ISO27001.

If an organisation is only at the awareness level, do not be too worried... the fact that you are thinking about improving awareness puts you ahead of many other organisations who have yet to even take that first step.