Understanding the Difference Between Cyber Essentials and Cyber Essentials Plus

12 August 2024
Robust cyber security measures are no longer a luxury but a necessity for all businesses. As cyber threats continue to evolve, organisations must ensure they have the right protections in place to safeguard their sensitive data and maintain customer trust. The UK government-backed Cyber Essentials scheme offers two levels of certification designed to help businesses enhance their cyber security defences: Cyber Essentials and Cyber Essentials Plus.

While both certifications aim to protect against common online threats, they differ significantly in their approach and level of assurance. In this article, we will explore the key differences between Cyber Essentials and Cyber Essentials Plus, helping you determine which certification is the best fit for your business's cyber security needs.

What Is the Cyber Essentials Scheme?

The Cyber Essentials scheme was introduced in 2014 by the National Cyber Security Centre (NCSC). Certification is mandatory for suppliers to central UK government, but many businesses in other sectors also use the scheme as a way of demonstrating their commitment to cyber security.

The Cyber Essentials scheme is concerned with five key controls:

  • Boundary Firewalls & Internet Gateways: Protect network boundaries to prevent unauthorised access.
  • Secure Configuration: Ensure systems are configured securely to reduce vulnerabilities.
  • Access Control: Implement strict access controls to ensure only authorised users have access to systems and data.
  • Malware Protection: Utilise antivirus and anti-malware solutions to protect against malicious software.
  • Patch Management: Keep software and systems up-to-date with the latest security patches to prevent exploitation of vulnerabilities.

Defining Cyber Essentials & Cyber Essentials Plus

Cyber Essentials

Cyber Essentials is a foundational cyber security certification, developed by the UK government. It aims to help businesses of all sizes protect themselves against a wide range of common online threats. Businesses complete a self-assessment questionnaire covering basic cyber security practices, which is reviewed by an external verifying body (this does not involve hands-on testing).

Cyber Essentials Plus

Cyber Essentials Plus is the advanced level of certification within the Cyber Essentials scheme. Rather than relying on a self-assessment alone, an independent auditor conducts hands-on technical testing (explained in more detail later) to verify that a business’s cyber security controls are not only in place but are also functioning effectively against real-world threats. This independent verification is what gives Cyber Essentials Plus its higher level of assurance.

How Do Cyber Essentials and Cyber Essentials Plus Contrast?

While they share a common goal, these two certifications differ significantly in their approach, cost, and level of assurance. Let’s take a look at their main contrasts:

Assessment Methodology

  • Cyber Essentials involves the completion of a self-assessment questionnaire, relying on the business’s honesty and accuracy. Responses are reviewed by an external body. The self-assessment questions can be downloaded for free (for preparation only).
  • Cyber Essentials Plus is more technical and hands-on, and is conducted by an external auditor. This provides an additional layer of validation through practical testing of the implemented controls.

Pass Threshold

  • Cyber Essentials verification (via the self-assessment) can be passed with one or two minor non-compliances.
  • Cyber Essentials Plus has a much stricter pass threshold. Any non-compliances must be remediated within 30 days; otherwise, the business will not pass.

Target Audience

  • Cyber Essentials is ideal for smaller businesses looking for a cost-effective way to demonstrate basic cyber security measures.
  • Cyber Essentials Plus is more suitable for organisations that require a higher level of assurance, due to the nature of their business or regulatory requirements.

Cost Implications

  • Cyber Essentials is generally more affordable, since it involves a self-assessment without the need for external testing.
  • Cyber Essentials Plus typically costs more due to the additional requirements of independent testing and technical audits.

Level of Assurance

  • Cyber Essentials offers a basic level of assurance, based on the business’s self-reported implementation of cyber security measures.
  • Cyber Essentials Plus provides a higher level of assurance, offering greater confidence to stakeholders that cyber security measures have been rigorously tested.

Which Certification Should You Choose?

This depends largely on the size of your business and the kinds of customers you regularly deal with. For example, those who provide a service to government organisations may opt for Cyber Essentials Plus, due to the greater need to protect critical data and the greater threats associated with government data breaches; many such contracts require Cyber Essentials Plus as a minimum. On the other hand, small and medium enterprises (SMEs) that only need to demonstrate basic cyber security measures to clients, or businesses with a smaller IT budget, may prefer Cyber Essentials.

What Are the Benefits of Becoming “Verified”?

Becoming Cyber Essentials verified offers several benefits for businesses, enhancing their cyber security posture and providing a number of strategic advantages. Research by the NCSC found that 93% of certified businesses feel confident they are “protected against common, internet-based cyber attacks”.

Other benefits include: 

  • Ensures GDPR compliance through robust data protection
  • Provides greater confidence in your supply chain
  • Establishes trust in your business’s online operations
  • Provides ongoing evaluation of cyber security controls
  • Improves defence against common and rising threats
  • Ensures eligibility for government tenders and contracts
  • Offers greater preparation for advanced certifications
  • Reduces insurance premiums

How Can You Prepare for the Cyber Essentials Plus Certification?

Achieving Cyber Essentials Plus certification involves more than just implementing cyber security controls; it requires thorough preparation and an understanding of the certification process, which goes beyond the standard Cyber Essentials certification. Here are some key steps to help you prepare for Cyber Essentials Plus certification:

  1. Understand the Requirements: Ensure you have a strong understanding of the five key technical controls for Cyber Essentials (for example, malware protection) and have successfully achieved the basic Cyber Essentials certification.
  2. Conduct a Self-Assessment: Perform a self-assessment, using the Cyber Essentials questionnaire, to identify any gaps or weaknesses in your current cyber security practices. Ensure all policies, procedures, and configurations are well-documented and align with Cyber Essentials requirements.
  3. Implement Necessary Changes: Rectify any gaps identified during the self-assessment; this might involve updating configurations, deploying additional security measures, or refining policies. Ensure all operating systems are up to date with the latest security patches and configurations, and verify that access controls are properly implemented.
  4. Perform Internal Testing: Conduct internal vulnerability scans to identify and address potential security weaknesses. If possible, perform internal penetration testing to simulate potential attack scenarios and verify the effectiveness of your security controls.
  5. Prepare for the On-Site Assessment: Engage an accredited certifying body and prepare up-to-date documentation for the auditors. Inform relevant staff members about the upcoming assessment, ensuring they are prepared to assist the auditors, and make sure all systems are functioning as intended.
  6. Conduct the On-Site Assessment: The certifying body will conduct on-site technical testing, which includes vulnerability scans and verification of security controls. Facilitate the auditors’ work by providing access to necessary systems and information, and be prepared to answer questions.
  7. Address Findings and Reassess: If the auditors identify any issues, address them promptly. This may involve additional configuration changes, updates, or other remedial actions. If required, undergo a reassessment to verify that all issues have been resolved satisfactorily.

Our Cyber Essentials Experts Are Here to Help

If you need assistance with Cyber Essentials certification, our experts at ReformIT are here to assist you. We will tailor our approach towards your individual needs, specific to your IT infrastructure and applications. Get in touch with us to discuss how we can help!