• Developed as part of the UK’s National Cyber Security Programme;
• Aimed at businesses and organisations of any size to help them achieve a baseline of good cyber security practice;
• Backed by industry specialists;
• Designed to provide an overview of an organisation’s ability to mitigate the risks from Internet-based threats;
• Also applicable to all private and public sector organisations, universities and charities;
• Offers two levels of certification: ‘Cyber Essentials’ and ‘Cyber Essentials Plus’;
• Identifies the required controls believed to shield companies from up to 80% of the common threats from the internet;
• UK Government departments now require suppliers bidding for particular contracts to be Cyber Essentials certified;
• Expected to be a major requirement to win business in many other sectors in the future;
• Some insurance companies now offer incentives for organisations that are Cyber Essentials certified;
• Enables a company to demonstrate to its customers and stakeholders that their data is adequately protected and that it takes cyber security seriously.
Cyber Essentials requires a company to successfully carry out a verified self-assessment of a series of key cyber security controls: boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management. Cyber Essentials certification is awarded once this self-assessment has been presented for review, along with relevant supporting evidence, to an approved Certification Body. The company’s submission should be approved by a senior executive such as the CEO.
Cyber Essentials Plus includes the criteria for basic Cyber Essentials compliance, but introduces a higher level of assurance through the external testing of the organisation’s cyber security approach. This typically requires conducting a vulnerability assessment and penetration testing before certification can be awarded.