In response to concerns that organisations were not adequately protecting themselves against basic, low-sophistication cyber threats, the UK government launched the Cyber Essentials scheme in June 2014. Developed by the Department for Business, Innovation and Skills, this initiative provides a government-endorsed framework for businesses to improve their cybersecurity posture.
The scheme is managed by the National Cyber Security Centre (NCSC), and since April 1, 2020, The IASME Consortium has been the sole accreditation body responsible for overseeing the certification process.
Cyber Essentials is recommended by regulatory bodies such as the Financial Conduct Authority (FCA) and is recognised by the Information Commissioner’s Office (ICO) as a standard for demonstrating good cyber security practices.
InfoShelter is an IASME accredited Certification Body delivering Cyber Essentials certification to hundreds of businesses across the country.
Cyber Essentials certification is obtained by providing assurance, in a self-completion questionnaire, that you have applied the security measures defined in the control framework.
The InfoShelter Cyber Essentials certification service will guide you efficiently and accurately through the entire process. Our aim is to get you certified on your first attempt in as quick a time as possible. The process below has been designed to facilitate this.
We provide you with all the information needed for you to implement the controls and complete a first draft of the self-assessment questionnaire.
We have a 1-hour call to discuss any gaps and offer information to increase your chances of certification on the first attempt.
Using feedback obtained from the previous step, you complete the assessment and submit it for our final certification assessment.
We conduct our certification assessment within 24 hours of submission.
We will contact you with our certification decision. Our pre-assessment calls often mean you have enough information to pass first time. If for some reason this isn't the case, you have one free re-submission within 48 hours.
Your Cyber Essentials certification needs to be renewed annually. Once you have certified with us, we will schedule a reminder email so you have plenty of time to complete the process in subsequent years.
The Cyber Essentials control framework has been designed to provide a foundational layer of cyber security that can help protect organisations from the most common types of attacks. The core technical security measures which make up the framework are:
Why bother?
Firewalls offer a critical line of defence, preventing unauthorised access to or from private networks. They act as a barrier between the trusted internal network and untrusted external networks, such as the Internet.
What’s the ask?
What is covered?
This control applies to both boundary firewalls (which separate an internal network from the Internet) and host-based software firewalls (which protect individual devices).
Why bother?
Ensuring systems are securely configured reduces vulnerabilities that can be exploited by attackers.
What’s the ask?
What is covered?
This control applies to all devices and software used within the organisation, including servers, workstations, and mobile devices.
Why bother?
Restricting access to systems and data ensures that only authorised users can access sensitive information.
What’s the ask?
What is covered?
This control applies to all user accounts within the organisation, including employees, contractors, and external partners.
Why bother?
Protects against malicious software that can disrupt operations, steal data, or allow unauthorised access.
What’s the ask?
What is covered?
Applies to all devices, including workstations, laptops, and mobile devices.
Why bother?
Regularly applying updates and patches helps fix vulnerabilities in software and hardware that could be exploited by attackers.
What’s the ask?
What is covered?
Applies to operating systems, applications, and firmware used across the organisation.
As with most security projects, there are commercial as well as protective reasons behind companies achieving certification.
Having the Cyber Essentials certification demonstrates that your company is committed to cyber security and has taken essential steps to protect against common threats. This can lower premiums when applying for Cyber Insurance. In fact, if certain criteria are met, IASME offers Cyber Liability Insurance as part of successful certification.
Importantly for many businesses, Cyber Essentials certification is often sought in order to work with new clients. It is a prerequisite for bidding on UK government contracts, particularly those involving sensitive or personal information.
Along with these valid commercial benefits, the scheme is proving its efficacy too. The NCSC reports in its 2023 Annual Review…
NCSC Annual Review 2023
While Cyber Essentials is not a comprehensive solution against all cyber threats, it provides an essential baseline that significantly reduces the risk of common cyber attacks such as…
These attacks use deceptive emails or messages to trick individuals into revealing sensitive information, such as login credentials or financial data. Cyber Essentials helps mitigate this risk by enforcing strong user access controls, secure configuration practices, and malware protection, making it harder for phishing attacks to succeed.
Automated attempts to guess passwords can lead to unauthorised access. Strong password policies, multi-factor authentication, and secure configuration help protect against these attacks by making it harder for attackers to gain access.
Attackers exploit unpatched software vulnerabilities to take control of systems or data. Cyber Essentials emphasises the importance of timely security updates, ensuring that software and systems are regularly patched to close known vulnerabilities.
These involve exploiting weaknesses in network configurations to gain unauthorised access or disrupt services. Proper firewall configuration and secure network settings help prevent unauthorised access and protect against external threats.
Default settings or insecure configurations can expose systems to attacks. The scheme requires companies to review and change default settings, disable unnecessary services, and configure systems securely to minimise risks.