
What is Cyber Essentials and Cyber Essentials plus?

Posted: 8th March 2022

Many businesses approach us for advice about the Cyber Essentials scheme. Knowing when to apply for what level can be confusing. Here we hope to explain the scheme as clearly as possible so that you know exactly when and how to apply.

What is Cyber Essentials?

If your work has had any crossover with the UK government, you will probably have heard the words ‘Cyber Essentials’ mentioned. In 2014, the UK government recognised the enormous risk that cyber-attacks posed to the businesses working with it, and found that most of those attacks were avoidable by following a small set of basic security measures. In response, it launched the Cyber Essentials scheme: by setting a standard baseline of cyber security across all suppliers, even small businesses without a dedicated security team could be protected. In the last few years, SMEs (small and medium enterprises) have suffered increasingly crippling cyber-attacks, many of which the Cyber Essentials controls would have prevented.

What are the certification standards?

Cyber Essentials is precisely that: the baseline standard. Every business should take the necessary actions to protect itself from the most common internet-borne threats, and the scheme defines what that minimum looks like.
The scheme offers SMEs two certification levels to choose from:
Cyber Essentials and Cyber Essentials Plus

Earning a certification demonstrates a commitment to cyber safety to business partners and customers. Let’s take a closer look at the Cyber Essentials scheme as a whole, and explain the difference between the two certifications.

Cyber Essentials

Cyber Essentials is the entry level of the scheme and the first step towards a recognised standard of cyber security in the UK. It sets out the security controls an organisation must have in place to protect its data.
The scheme assesses your business against five technical controls:
Firewalls and internet gateways: a boundary firewall (or a software firewall on each device) blocks inbound connections except to the services you deliberately expose, so your internet connection is secure.
Secure configuration: default and unused accounts are removed, default passwords are changed, unnecessary software and services are disabled, and company devices run with the most secure settings.
User access control: accounts exist only for the people who need them, administrator privileges are restricted to those who genuinely need them and are not used for everyday work, and you control who can reach your data and services.
Malware protection: anti-malware software, application allow-listing or sandboxing protects devices against viruses and other malware.
Patch management (now called security update management in the scheme): all software is supported by its vendor and security updates rated high or critical are applied within 14 days of release.

Once these basic controls are in place, you complete a questionnaire confirming that you meet each requirement. This is a self-assessment: a board member or equivalent signs the declaration, and you submit it for review by an assessor at a licensed certification body.

Cyber Essentials Plus

Cyber Essentials Plus has the same requirements as Cyber Essentials (all five controls in place) but differs in one crucial aspect: verification.
Cyber Essentials is self-assessed, relying on your word that your company is compliant. Cyber Essentials Plus adds a hands-on technical audit carried out by an assessor from a licensed certification body.
After you pass the self-assessment, the assessor either visits your premises or connects remotely to a representative sample of your devices. They test whether the controls actually work as declared rather than just checking that you said they do. The check includes:
• Testing malware protection by sending test files as email attachments and downloading them through the browser, and confirming they are blocked.
• Scanning a sample of devices with an authenticated vulnerability scan to find missing security updates and unsupported software.
• Testing how different user accounts can access files, and confirming that standard users cannot perform administrative actions.
• Scanning your internet-facing systems from outside to confirm the firewall exposes only the services you intend.

If the certification body considers your technical controls acceptable, you will be certified and listed in the scheme’s public directory of certified organisations.
The Plus certificate signifies that the five baseline controls have been independently verified on your systems. It is not a guarantee against every attack, but it closes the most common routes by which customer data is compromised.

What are the advantages of Cyber Essentials Plus?

At this point, you might be wondering: is there a real benefit to the extra effort of earning Cyber Essentials Plus?

The primary advantage of Cyber Essentials Plus is independent assurance: an impartial third party has confirmed that the correct controls are in place and working. Customers and partners don’t have to take your word that you are cyber secure; they can rely on the assessor’s testing. It demonstrates to both your customers and partners that you are committed to cyber security, and it protects your company.
Beyond the positive image that comes with certification, compliance ultimately means safety for your business, your employees and your customers.

The first step to becoming a secure organisation is to take the time to prepare your company for compliance by implementing firewall protection, secure configuration, user access control, malware protection and patch management.

Which certification is right for my business?

Which certification is better for you depends on your goals. Cyber Essentials is a solid starting point to show customers that you care about data protection. Companies bidding for public-sector contracts or tenders should check the requirements of each tender, as many make the appropriate level of certification a condition of bidding.

If you hold any sensitive data, you should consider the Plus certification. For many smaller organisations, however, the cost of an independent assessment can be steep once the assessor’s time, travel and expenses are added up. Even in sectors where security compliance is integral, the standard Cyber Essentials certification is a significant first step.

If you’re unsure, start with Cyber Essentials; you can always add the Plus assessment further down the line. Be aware, though, that to achieve Cyber Essentials Plus you must have achieved Cyber Essentials within the previous three months, so plan the two together if Plus is your goal.

Today, Cyber Essentials certification is required for many central government contracts, particularly those that involve handling personal or sensitive information, and increasingly for tenders in other fields. But more than that, certification is an investment in the future and security of your business.

Cyber Essentials checklist and Cyber Essentials Plus checklist

Download our checklists for the Cyber Essentials and Cyber Essentials Plus schemes.
SoConnect can help you at every step of your Cyber Essentials journey, from auditing your security controls to helping you apply to the scheme. We can also help with ongoing compliance so that your business stays protected between certifications. Through our partnership with CyberSmart we can provide an app, installed on all company devices, that continuously checks they remain compliant with the scheme’s requirements throughout the year.
