Cyber Essentials Certification
The Cyber Essentials (CE) scheme is a simple yet effective Government-backed framework that will help protect your organisation against a range of the most common Internet-based cyber attacks. It provides a cyber security certification scheme that was developed as a part of the UK Government’s National Cyber Security Strategy. The Cyber Essentials security scheme specifies five basic control areas (firewalls, secure configuration, security update management, user access control, and malware protection) that all organisations should address in order to mitigate the risk from common cyber threats and demonstrate a clear commitment to improving their approach to cyber security. The scheme offers two levels of certification, namely ‘Cyber Essentials’ and ‘Cyber Essentials Plus’.
The scheme is administered and managed by IASME Consortium (IASME) on behalf of the National Cyber Security Centre (NCSC), a part of GCHQ. URM is an accredited certification body, which means we have been trained and licensed to certify against the Government’s and IASME Cyber Essentials Scheme. At the same time, URM is an accredited Assured Service Provider under the NCSC Cyber Advisor scheme, meaning that our team of Cyber Advisors (Cyber Essentials) is able to provide you with practical, cost-effective and reliable advice to improve your cyber security and achieve ‘Cyber Essentials’ and ‘Cyber Essentials Plus’ certifications.
Get Your Cyber Essentials Certificate
URM’s Cyber Essentials assessment and support services
CYBER ESSENTIALS ASSESSMENT
In order to achieve Cyber Essentials, your organisation will need to complete a self-assessment questionnaire (SAQ) and a board member will also need to provide a signed declaration. Your completed SAQ will be reviewed by one of URM’s qualified assessors to ensure your organisation is conforming with all the requirements associated with the 5 control areas. Once you have submitted your completed SAQ through the Cyber Essentials portal, you will be notified within 48 hours whether you have passed or not and, if successful, will receive your Cyber Essentials certificate. This certificate is valid for 1 year. To start your Cyber Essentials certification process and access the SAQ, click on the button below.
You may request support with your Cyber Essentials certification using the form provided below.
CYBER ESSENTIALS SUPPORT SERVICES
If your organisation has a simple structure and the person completing the SAQ has a strong technical IT background, you should find the Cyber Essentials application process relatively straightforward. However, some of the questions can be difficult to understand if you are new to Cyber Essentials, do not have a technical IT background or if you have a complex company structure. Some organisations need support in understanding the intent of some questions, what the controls mean to them and how to address them. With this in mind, URM can offer a range of support services and is accredited as an Assured Service Provider under the Cyber Advisor Scheme. This Cyber Advisor Scheme is an initiative from the National Cyber Security Centre (NCSC) delivered in partnership with IASME, which provides small and medium-sized organisations with practical, cost-effective and valuable support and advice in cyber security. These support services are also suitable for small organisations with limited IT knowledge or technical support who don’t need to obtain the Cyber Essentials certification but would like to gain an equivalent level of security for their organisation.
URM is also an Assured Service Provider under the National Cyber Security Centre (NCSC) Cyber Incident Exercising (CIE) scheme, which is administered by IASME. Cyber incident exercising is vital to your organisation’s preparedness as it simulates real-world cyber threats, allowing you to assess, practise and improve your response capabilities. As an Assured Service Provider, URM is ideally and uniquely placed to assist you in creating and facilitating bespoke and structured tabletop and live play cyber incident exercises.
GAP ANALYSIS
If your organisation is at the very early stages of exploring Cyber Essentials certification and you want to learn what requirements need to be met across the 5 core areas and, more importantly, whether your existing controls meet those requirements, URM’s Gap Analysis is ideally suited to you. As an Assured Service Provider, one of URM’s Cyber Advisors (Cyber Essentials) will walk and talk you through each question that comprises the assessment to clarify the level of expected cyber security, whether your current controls/policies meet the requirements and provide options on how to remediate any non-compliant areas. Following the gap analysis, URM’s Cyber Advisor (Cyber Essentials) will provide you with a formal report documenting the outstanding actions which can then be used to develop a project action plan to address any gaps.
You may request your Cyber Essentials gap analysis using the form provided below.
CYBER ESSENTIALS APPLICATION REVIEW SERVICE
For those organisations which have decided on the scope of their certification, but are looking for reassurance or more detailed interpretation of questions, URM can support you through the process with its Cyber Essentials Application Review Service. This service is also popular with organisations that are already certified and are seeking clarification about changes to the SAQ. With this service, you can complete the questionnaire yourself and then have the application checked by URM before you submit it. One of URM’s assessors will perform an offline review of your answers to identify any that are missing, incomplete or that may have been misunderstood and that, as a consequence, do not fully satisfy the CE requirements. Following the offline review, the URM assessor will (via a remote session) walk you through each of the identified non-compliant responses and ensure you have interpreted the question correctly and have provided an accurate and appropriate response which will meet the requirements of the Scheme.
You will have the reassurance and peace of mind that you have completed the questionnaire accurately and the service will help to reduce the ‘back and forth’ time involved in correcting a previous submission.
If you are interested in URM’s Review Service, use the form provided below.
CYBER ESSENTIALS PLUS ASSESSMENT
If you are looking to provide stakeholders with greater levels of assurance, you may decide to seek Cyber Essentials Plus certification. This involves a URM assessor conducting a technical audit of the systems that are in scope of the assessment. It includes a review of all Internet gateways and all servers accessible to Internet users, as well as a sample of user devices and internal servers accessible to employees. You will need to complete your Cyber Essentials Plus audit within 3 months of your last Cyber Essentials basic certification. Use the form provided below to register your interest and you will be contacted by URM to discuss your systems and devices in scope and other requirements, following which you will receive a quotation. The cost of a Cyber Essentials Plus assessment will depend on the size and complexity of your network.
STAGES OF ASSESSMENT
Your Cyber Essentials Plus assessment comprises 2 basic stages. The first is an external vulnerability scan of your Internet-facing IP addresses to ensure that no misconfigurations or vulnerabilities can be identified.
The second stage involves testing of a sample (up to a maximum of 5 samples per operating system edition) of end-user devices (workstations and mobile devices including BYOD) and servers to assess if they are configured as per the requirements of the Scheme.
Multiple activities are performed during the second stage as applicable to each sample:
- An authenticated vulnerability scan is performed on these devices to confirm that patching and basic configuration are at an acceptable level.
- A test is conducted on your email client and Internet browsers to confirm how well they are configured in order to prevent execution of unsigned or malicious files.
- The antimalware solution in use is reviewed to make sure it’s updated in line with vendor recommendations.
- Account separation is tested to make sure users are not using administrative accounts for their day-to-day activities.
- A test is conducted on the cloud services in use by the organisation to make sure MFA is enabled for users and administrators of these services.
Once the assessment has been conducted, URM’s assessor will discuss the findings with you ahead of submitting their report to the portal to ensure there has been no misunderstanding.
CYBER ESSENTIALS PLUS PRE-ASSESSMENT SERVICE
A Cyber Essentials Plus (CE+) assessment involves a technical assessment by a URM assessor of your organisation’s external infrastructure as well as end-user devices and servers. There are several issues that can cause a CE+ assessment to result in a ‘fail’, such as a service on the external infrastructure that exposes non-public data, the presence of unsupported software installed on a server or user workstation, the lack of multi-factor authentication (MFA) to access a cloud service or the use of an administrative account as a day-to-day user account.
If an organisation fails the CE+ assessment, it has up to 30 days* to purchase another CE+ assessment and pass, before it must repeat both the basic CE and the CE+ assessment in order to obtain the CE+ certification.
The Cyber Essentials Plus Pre-Assessment service from URM allows your organisation to perform a technical pre-assessment on a smaller, but still significant, set of systems. This will enable you to identify any issues that may cause a ‘fail’ for the CE+ certification, without triggering the 30-day time limit and, typically, at a lower cost than a full assessment. Following the pre-assessment, you will receive recommendations to close any gaps with the CE+ requirements, significantly increasing your chances of successfully obtaining the CE+ certification. URM is so confident of the value of the pre-assessment service that, if for any reason you don’t pass the official CE+ assessment at the first attempt, we will provide you with a free re-attempt to get certified!
* It may be less if the 30 days go beyond the 3-month period that an organisation has to pass the CE+ certification after obtaining the basic CE certification.
Support request
If you are interested in URM’s support, please specify the subject in the form below.
Please note, we can only process business email addresses.
Why URM?
URM has years of experience both facilitating Cyber Essentials certifications as an accredited certification body, and in supporting organisations to prepare for assessment. Our large team of Cyber Advisors have all passed an independent assessment, measuring their understanding of Cyber Essentials technical controls, competence in providing practical support, and ability to assist small and medium-sized organisations. With our emphasis on a bespoke approach, the advice you receive from us will be tailored to your organisation and the unique challenges it faces.
Alongside our Cyber Advisor capabilities, URM can offer various CREST-accredited cyber security testing services, including vulnerability scanning, social engineering testing, and infrastructure and network penetration testing, to name a few. As such, you can be certain that the advice and support you receive from us is validated by extensive experience and a wealth of knowledge on best practice cyber and information security.