I’ve Got my Cyber Essentials - Now What?

Mike Emery, Senior Security Consultant at URM
Published on 4 Apr 2024

Passing Cyber Essentials for the first time is an achievement in and of itself. You have demonstrated that your business meets a baseline standard of cyber hygiene, and an external party agrees. However, security is a journey, and while your compliance obligations may have been met, there is much more you could do to ensure that your organisation is as secure as it could be.

The most obvious next step is to obtain Cyber Essentials Plus, which adds an independent technical assessment of your systems to the self-assessment questionnaire completed for Cyber Essentials. Obtaining this will demonstrate a more robust approach to security to your partners and clients, as well as provide validation that your systems are, in fact, as secure as you say they are. You may decide to go a step further and certify against a more holistic security framework, such as ISO 27001, which focuses on the development, implementation and continual improvement of an information security management system (ISMS). ISO 27001 certification is generally more time and resource intensive than certification to Cyber Essentials; however, it functions as an excellent next step in improving your organisation's security posture once you reach the maturity level needed to meet the Standard's requirements. If you would like to learn more about how to achieve ISO 27001 certification, read our blog on 6 Must Do's When Implementing ISO 27001.

Security Journey

Of course, not all security improvements lead to certification. While certification is useful for externally demonstrating a commitment to security, the fixed boundaries of such work are sometimes less valuable than tailor-made engagements. It can be useful to work with a security consultancy, discuss your organisation and its concerns, and allow them to formulate a package of work to suit your business requirements. This could take the form of governance, risk and compliance (GRC) consultancy, which looks to improve policy and process, or technical assessments such as penetration tests, which identify vulnerabilities and security issues in your systems. A good security consultancy will seek to combine GRC and technical assessments in order to provide full insight into your organisation's security, and to provide the best recommendations for improvement.

Security is a journey, and it can be useful to consider your long-term destination: do you want security to be your organisation's USP? Do you want to do the minimum required to comply with your industry's expected standards? Both approaches have benefits and drawbacks; however, these decisions are often made without a full understanding of their implications. A security consultancy can assess your current security posture and your desired future state, and identify the improvements which need to be made in order to reach your destination. Work like this creates a roadmap for your organisation, ensuring that your security posture ends up where you want it to be rather than where it happens to be today.

If you would like to improve the security competencies and capabilities of your internal personnel, you should also consider hiring individuals with industry-recognised security qualifications, and/or upskilling your existing staff by sending them on training courses to obtain security qualifications such as the Certificate in Information Security Management Principles (CISMP) and the Practitioner's Certificate in Information Risk Management (PCIRM). The CISMP is a foundation-level qualification which provides the skills and knowledge to manage information and cyber security and to address ever-evolving threats and changes in working practices, e.g. remote working. The PCIRM is a practitioner-level qualification which demonstrates that an individual possesses a hands-on understanding of information risk management. The PCIRM syllabus covers the identification of threats that could damage key assets and the assessment of vulnerabilities which could allow those threats to materialise, as well as the controls and treatment options available to mitigate information security risks (among other things). As such, the presence of CISMP- and PCIRM-certified personnel within your organisation will help elevate its security posture, as they possess the skills and understanding needed to reduce the likelihood of security incidents occurring.

As you can see, there is no single right answer to the question that prompted this blog. If you are currently deciding what your next step should be, URM is happy to offer 30 minutes of free consultancy to help you understand what is right for you.

How URM can Help

Whether your organisation is currently looking to achieve Cyber Essentials certification or has already certified and would like to further enhance its security posture, URM is ideally placed to offer advice and guidance to help you protect your organisation against security incidents. Leveraging nearly two decades of experience in the security sphere, URM's large team of consultants can provide you with practical support that is appropriate and tailored to your organisation's unique requirements. Our broad range of competencies includes assisting with and facilitating Cyber Essentials and Cyber Essentials Plus certification, providing penetration testing services, assisting organisations to achieve ISO 27001 certification, running accredited PCIRM training courses, and much more. As such, we are able to provide reliable and effective support, regardless of where you currently are in your cyber and information security journey.

Mike Emery
Senior Security Consultant at URM
Mike is an offensive security consultant at URM with over a decade of experience delivering both technically and business driven engagements.