Cyber Essentials vs. Cyber Essentials Plus: which certification is right for your business?
In this blog, we will help you understand the differences between Cyber Essentials and Cyber Essentials Plus, and how to choose the right framework for your business.
The Cyber Essentials scheme was developed by the UK government to help businesses protect themselves against the most common cyber threats. Within this scheme, there are two levels of certification: Cyber Essentials and Cyber Essentials Plus. While they share the same core principles, they differ in the depth of their assessments and the level of assurance they provide. Let’s break down these differences.
What is Cyber Essentials?
Cyber Essentials is the basic level of certification. It provides a clear picture of a business’s cyber security level and helps protect against a wide variety of common cyber attacks.
Cyber Essentials Certification focuses on five key controls:
1. Firewalls and internet gateways
Ensuring a strong perimeter defence to block malicious traffic.
2. Secure configuration
Setting up systems securely to reduce vulnerabilities.
3. Access control
Ensuring only authorised users have access to systems and data.
4. Malware protection
Preventing malicious software from running on devices, for example through anti-malware software or application allow-listing.
5. Patch management
Keeping software and systems updated to protect against known vulnerabilities.
Cyber Essentials Certification process
To obtain Cyber Essentials, a business completes a self-assessment questionnaire. This questionnaire is then reviewed by an external certifying body. If the answers meet the necessary criteria, the business is awarded the Cyber Essentials certification.
Cyber Essentials Certification cost and effort
Cyber Essentials is relatively low-cost and straightforward, making it accessible for small and medium-sized businesses (SMEs). It provides a basic level of assurance that the business is protected against common cyber threats.
What is Cyber Essentials Plus?
Cyber Essentials Plus builds on the foundation of Cyber Essentials but involves a more rigorous assessment. It includes all the elements of the basic certification but adds an independent technical verification.
1. Self-assessment
Just like Cyber Essentials, businesses begin with the self-assessment questionnaire.
2. On-site or remote assessment
An external certifying body conducts a detailed on-site or remote assessment. This involves testing the business's systems to verify that the security controls are implemented correctly and effectively.
3. Technical testing
This includes vulnerability scans, configuration checks, and potentially simulated attacks to ensure defences are robust.
Cyber Essentials Plus Certification cost and effort
Cyber Essentials Plus is more costly and time-consuming than Cyber Essentials due to the thoroughness of the assessment. However, it provides a higher level of assurance and demonstrates a stronger commitment to cyber security.
Key differences between Cyber Essentials and Cyber Essentials Plus
1. Assessment method:
Cyber Essentials: Self-assessment reviewed by an external certifying body.
Cyber Essentials Plus: Includes the self-assessment plus an independent technical verification by an external certifying body.
2. Level of assurance:
Cyber Essentials: Basic assurance, suitable for businesses looking to cover fundamental security practices.
Cyber Essentials Plus: Higher assurance due to rigorous testing and verification, suitable for businesses needing stronger evidence of their cyber security practices.
3. Cost and effort:
Cyber Essentials: Lower cost and effort, ideal for SMEs.
Cyber Essentials Plus: Higher cost and effort, providing a more thorough evaluation.
Should I choose Cyber Essentials or Cyber Essentials Plus for my business?
Cyber Essentials is ideal for businesses looking to quickly establish a baseline level of cyber security. It’s particularly suited for SMEs or businesses new to cyber security practices. The certification can help in gaining customer trust and demonstrating a commitment to protecting sensitive information.
Cyber Essentials Plus is suitable for businesses that require a higher level of security assurance. This might include businesses handling more sensitive data, those in regulated industries, or those looking to strengthen their cyber defences further. The thorough testing provides greater confidence in the effectiveness of security controls.
Both Cyber Essentials and Cyber Essentials Plus play crucial roles in enhancing an organisation’s cyber security posture. Choosing between them depends on the level of assurance needed and the resources available. By achieving either certification, businesses can significantly reduce their risk of falling victim to common cyber attacks, thereby protecting their data, reputation, and customers.
If your business is looking to achieve Cyber Essentials or Cyber Essentials Plus, get in touch here and we can help you achieve your certification.