Cyber Essentials is part of the UK's National Cyber Security Programme. The Cyber Essentials scheme aims to encourage UK businesses of any size to take steps towards achieving a baseline of cyber security.
Up to 80% of UK businesses are vulnerable to common threats from the internet. By implementing the required controls for Cyber Essentials, the level of risk will be reduced to an acceptable level for most UK businesses.
Cyber Essentials is becoming a major advantage, and in some cases a requirement, to winning business. This is true when dealing with government departments. It is now mandatory for suppliers bidding for information handling contracts for the UK Government to be Cyber Essentials certified.
Why you need Cyber Essentials
With Cyber Essentials, you can focus on your core business objectives, knowing that you're protected from the vast majority of common cyber attacks. You will also be able to drive business efficiency, save money and improve productivity by streamlining processes.
Achieving certification will also help you to address other compliance requirements such as the EU General Data Protection Regulation, the Payment Card Industry Data Security Standard (PCI-DSS), the National Health Service Information Governance Program and many others.
Cyber Essentials Pricing
We offer a number of options for your Cyber Essentials and Cyber Essentials Plus assessments:
- Simple Questionnaire
- External Vulnerability Scan
- Failure Report in 24 hours
- Rapid Certificate for Passes
CE Pass Program
- As per CE, and:
- Free retests until you pass
- Assistance from our senior staff
- Advice on vulnerability fixes
- Remote CE Plus Assessment
- TeamViewer or VPN access required
- Up to 4 workstation reviews
- Internal Vulnerability Scan
- Secondary sites @ lower rate
Frequently Asked Questions
- What are the Cyber Essentials and Cyber Essentials PLUS schemes and how can they help my business?
The Cyber Essentials scheme is a cyber-security standard, which your organization can be assessed against and certified to. It identifies the security controls that you must have in place within your IT systems, in order to have confidence that you are addressing cyber-security effectively and mitigating the risk from internet-based threats.
The scheme focuses on five essential mitigation strategies within the context of the 10 Steps to Cyber Security guide. It provides you with clear guidance on implementation as well as offering independent certification for those who require it.
The adoption of standards and certification for cyber-security can enable your organization, and all stakeholders, to have greater confidence in your ability to measure and reduce basic cyber risks, as it demonstrates that you have been independently assessed.
You are likely to need Cyber Essentials if you are involved in any of the government's procurement processes. However, if you are not, this scheme and Cyber Essentials PLUS can help prevent attacks on your IT systems from outside or inside your company and could give your stakeholders peace of mind.
- What does Cyber Essentials involve?
You will need to complete a self-assessment questionnaire which BSI will grade, and then undergo and pass a vulnerability scan for Cyber Essentials. The full scheme requirements are available from the UK Government website.
- Is Cyber Essentials a mandatory requirement for working with the UK Government?
The Cabinet Office's note to Procurement Officers is available here - this specifies where the Cyber Essentials certification is mandated.
It is noted that an increasing number of government and commercial organizations are requiring this certification of their suppliers, even though they are not mandated to do this through the Procurement Policy Notice. In his speech on the 23rd June 2015, Ed Vaizey from the Department of Culture, Media & Sport urged all organizations to “adopt Cyber Essentials so they can protect and promote themselves online to all stakeholders”. Read more here.
- What is the cost for Cyber Essentials certification?
Cyber Essentials, for just the assessment alone, is £ plus VAT. We also offer a pass plus option which will allow you to attempt the assessment until you pass for £. Cyber Essentials Plus costs £ plus VAT and you will need to have passed the Cyber Essentials assessment first.
- Is a vulnerability scan or penetration test required for Cyber Essentials?
At Hedgehog, a vulnerability scan is required for Cyber Essentials. We, along with our governing body CREST, feel that a vulnerability scan provides a greater level of security and confidence in your organisation and will increase the peace of mind for all stakeholders.
- How quick is the Cyber Essentials certification process?
We can turn applications around quite quickly. Once we have received your signed quote, we can issue you with the official self-assessment questionnaire and can schedule the vulnerability scan. The quicker you return the fully populated self-assessment questionnaire to us, the quicker we can progress with the evaluation and vulnerability scan.
- Can you send me the self-assessment questionnaire before I sign up?
No, we can only provide you with a link to the questionnaire once it has been purchased via our website. Please contact us for details, or visit the CESG website and type “Questionnaire” into the search bar for a generic questionnaire.
- Do I need 100% to pass?
You need to get 70% of the questions correct in each section of the self-assessment questionnaire to pass that part of the Cyber Essentials assessment. Passing the self-assessment questionnaire section will enable you to move onto the vulnerability scan.
You will need to demonstrate that the controls for all the aspects of and risks to your system are in place and addressed to achieve Cyber Essentials certification. These very strict pass criteria are set by the UK Government. If you are not compliant in some of the questions, we suggest you try to change your processes to meet the requirement.
- Are there any automatic fail questions?
Any company using unsupported or out-of-date software in the scope of the assessment, such as Microsoft XP, will probably fail to achieve Cyber Essentials certification.
- Do failed assessments receive feedback?
We will issue clients with a report detailing the answers in the self-assessment questionnaire and feedback from the assessor on any areas or issues that were deemed non-compliant. If you fail the assessment or the vulnerability scan, this feedback will help you to re-focus your efforts so that you can put in place the required actions to enable you to pass next time.
- Is the questionnaire a tick box Yes/No or will it require lengthy details?
The questionnaire requires answers to all questions – most of these questions will require brief notes to enable us to understand your company and the information security controls that you have in place. By providing full details in the questionnaire you will reduce the time required for certification as we will have all the information we need up front.
- What does Cyber Essentials PLUS involve?
After you have achieved Cyber Essentials certification (organizations need to achieve Cyber Essentials before progressing on to Cyber Essentials PLUS), a demonstrably competent assessor will visit your premises to complete a workstation construction assessment as well as some technology auditing. The assessor will require internet-enabled access devices for all your different software builds to complete this assessment.
- How much does it cost for a Cyber Essentials PLUS assessment?
The Cyber Essentials PLUS assessments can be quoted for at the same time as Cyber Essentials. This assessment involves a workstation construction assessment of your IT equipment, and so the cost will depend on the complexity and number of software builds your inventory contains and the number of sites your company is located across.