Cyber Essentials Cost and FAQs

A strong and secure cybersecurity structure for a business has the potential to be costly, as well as time-consuming, not to mention the specialist expertise and resources required. In 2014 the UK Government launched Cyber Essentials in order to adopt better practices in relation to information security. At a very basic level, the aim of Cyber Essential Certification is to protect companies from any cyber threats. This, however, is a minimal level of diligence, and should not be taken as a comprehensive cybersecurity strategy, the likes of which comes from an independent IT consultant.


FAQs about Cyber Essentials

Below is a list of frequently asked questions relating to Cyber Essentials and its cost.


What is Cyber Essentials?


A Cyber Essentials certification allows businesses across the UK to adhere to a set of cybersecurity principles in order to protect their business and client data. Any business involved in high-value tender requires the Cyber Essentials certification. This scheme is both affordable and well respected within the industry, unlike others which are not backed by the government. Cyber Essentials allows companies to mitigate the threat from phishing attacks, Malware, website links, malicious emails, and hacking weaknesses by exploring vulnerabilities in systems and devices connected to the internet. Any potential risks are identified before the submission of the certificate, giving businesses an opportunity to address these issues.


Two types of Cyber Essential Certification are available, Cyber Essentials Standard and Cyber Essentials Plus. Businesses can only achieve the plus certification after being awarded the standard and both of these certificates are valid for one year. After which they need to re-apply for certification.


A Cyber Essential Certificate is best for companies who:

  • Want to demonstrate Government back IT compliance.
  • Are keen for an improvement on their ISO27001 certificate
  • Are looking to work towards obtaining the Cyber Essentials Plus certification

The Cyber Essentials certification framework


Within the Standard and Plus certification options there a five verified security controls.

  1. Boundary firewalls and internet gateways
  2. A secure configuration
  3. Access control
  4. Protection against malware
  5. Patch management

Risk Mitigation and the business benefits of Cyber Essentials certification


Cyber Essentials clearly identifies risks a business faces when it comes to cybersecurity. In order to gain certification, a company needs to have specific structures and processes in place each year.


Stand-alone assurances

Much broader frameworks such as ISO 27001 give a much different type of protection. Cyber Essentials is a stand-alone assurance program and because of this, it is affordable for companies of any size. Many companies that already have ISO 27001 will also use Cyber Essentials 

Protection from cyber threats


Thousands of companies each year are the victims of cybersecurity attacks which cost a business not only significant money but also time and even the loss of sensitive data. Cyber Essentials certification makes sure that the processes are in place to help prevent such attacks

Data Protection


After the implementation of the EU General Data Protection Regulation (GDPR), companies are not solely responsible for their clients’ data. Cyber Essentials can quickly identify weak points while putting systems into place to protect data.


Customer Reassurance

Numerous high-value tenders now require both ISO 27001 as well as Cyber Essentials, as it demonstrates a recognised starting point which shows strong compliance.


How much does it cost?


The cost of Cyber Essentials depends on the size of your company. But affordable prices are available for both the Standard and Plus packages. 


Should you apply for a Cyber Essentials and ISO 27001 certification?


The demand to have both ISO 27001 and Cyber Essentials is growing quickly, especially for those companies looking to be eligible for large tenders. ISO 27001 is much more process-driven, while Cyber Essentials is technically driven.


The Cyber Essentials certification criteria


Companies need to get a majority of questions correct in each section of the self-assessment questionnaire in order to pass the initial assessment phase. Next up is the vulnerability scan which forms the basis of the Cyber Essentials Plus package.


There is a strict pass criteria outlined by the UK Government, and failing to address all of the tasks highlighted is likely to lead to a fail. An in-depth Cyber Essentials audit done by a third party can outline steps needed to be taken before certification is granted. However, the failure of the following points are likely to lead to an automatic fail.


  1. Using out of date software such as Windows XP or Windows 7
  2. Using weak passwords
  3. Not using an anti-virus.  


How long will it take to audit and certify a company?


The audit itself normally takes with the region of four hours, with successful certification within 2-3 weeks. This includes both the audit and report, but any work needed to make the company compliant is likely to delay completion.    

What is Cyber Essentials Plus?


Cyber Essentials Plus takes things to the next level, with extensive external testing of a company’s cybersecurity. It can only be awarded to business after Cyber Essentials has been awarded but provides significantly higher assurances on security due to its external examination.

Which companies should consider Cyber Essentials Plus?


Cyber Essentials Plus is best suited for companies who fall into the following categories:

  1. Companies looking to tender for large value projects.
  2. Any businesses who work within a highly regulated industry
  3. Companies looking for enhancement on their ISO 27001 certification


About EC-MSP, your Cyber Essentials partner

EC-MSP are one of the most trusted IT support providers in London. If you would like more help advice and support with technology for your business, contact us today to see how we can help.