InfoShelter Cyber Essentials Certification Service

What is Cyber Essentials?

In response to concerns that organisations were not adequately protecting themselves against basic, low-sophistication cyber threats, the UK government launched the Cyber Essentials scheme in June 2014. Developed by the Department for Business, Innovation and Skills, this initiative provides a government-endorsed framework for businesses to improve their cybersecurity posture.

The scheme is managed by the National Cyber Security Centre (NCSC), and since April 1, 2020, The IASME Consortium has been the sole accreditation body responsible for overseeing the certification process.

Cyber Essentials is recommended by regulatory bodies such as the Financial Conduct Authority (FCA) and is recognised by the Information Commissioner’s Office (ICO) as a standard for demonstrating good cyber security practices.

InfoShelter is an IASME accredited Certification Body delivering Cyber Essentials certification to hundreds of businesses across the country.

Our approach

Cyber Essentials certification is obtained by providing assurance, in a self-completion questionnaire, that you have applied the security measures defined in the control framework.

The InfoShelter Cyber Essentials certification service will guide you efficiently and accurately through the entire process. Our aim is to get you certified on your first attempt, as quickly as possible. The process below has been designed to facilitate this.

  • Step 01: YOU CREATE A FIRST DRAFT
    We provide you with all the information needed for you to implement the controls and complete a first draft of the self-assessment questionnaire.

  • Step 02: PRE-ASSESSMENT CALL
    We have a 1 hour call to discuss any gaps and offer information to increase your chances of certification on first attempt.

  • Step 03: SECOND VERSION SUBMITTED
    Using feedback obtained from the previous step, you complete the assessment and submit it for our final certification assessment.

  • Step 04: QUICK TURNAROUND ASSESSMENT
    We conduct our certification assessment within 24 hours of submission.

  • Step 05: CERTIFICATION DECISION
    We will contact you with our certification decision. Our pre-assessment calls often mean you have enough information to pass first time. If for some reason this isn't the case, you have one free re-submission within 48 hours.

Your Cyber Essentials certification needs to be renewed annually. Once you have certified with us, we will schedule a reminder email so you have plenty of time to complete the process in subsequent years.

What’s involved?

The Cyber Essentials control framework has been designed to provide a foundational layer of cyber security that can help protect organisations from the most common types of attacks. The core technical security measures which make up the framework are the five controls below.

Firewalls

Why bother?

Firewalls offer a critical line of defence, preventing unauthorised access to or from private networks. They act as a barrier between the trusted internal network and untrusted external networks, such as the Internet.

What’s the ask?

  • Firewalls must be properly configured and maintained.
  • Default administrative passwords should be changed to reduce the risk of unauthorised access.
  • Only necessary services and ports should be allowed through the firewall.
  • All unused or insecure services should be blocked to limit the potential attack surface.


What is covered?

This control applies to both boundary firewalls (which separate an internal network from the Internet) and host-based software firewalls (which protect individual devices).
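The asks above can be turned into a repeatable check rather than a one-off reading of the firewall's web interface. The script below is an added illustration, not InfoShelter's code and not part of the Cyber Essentials scheme: it audits a constructed firewall configuration for the four points listed (default administrative password changed, inbound traffic denied by default, only required services exposed, insecure cleartext services blocked). The rule layout, the `required_services` list and the set of "insecure" services are assumptions chosen for the example.

```python
"""Audit a boundary or host firewall configuration against the Cyber Essentials
firewall control. Added example: the rule format, the required-services
allow-list and INSECURE_SERVICES are assumptions, not scheme definitions."""
from dataclasses import dataclass

# Cleartext or legacy services an assessor would expect to see blocked at the
# boundary (assumed list for illustration).
INSECURE_SERVICES = {21: "ftp", 23: "telnet", 69: "tftp", 445: "smb"}


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "inbound" or "outbound"
    proto: str       # "tcp", "udp" or "any"
    port: object     # int port number, or "any"
    source: str      # CIDR range or "any"


@dataclass
class FirewallConfig:
    name: str
    default_admin_password_changed: bool
    inbound_default_action: str   # what happens when no inbound rule matches
    rules: list
    required_services: set        # ports the business has a documented need for


def audit_firewall(cfg: FirewallConfig) -> list:
    """Return one human-readable finding per failed check; empty list = clean."""
    findings = []
    if not cfg.default_admin_password_changed:
        findings.append(f"{cfg.name}: default administrative password still in use")
    if cfg.inbound_default_action != "deny":
        findings.append(f"{cfg.name}: inbound default action is "
                        f"'{cfg.inbound_default_action}', expected 'deny'")
    for r in cfg.rules:
        # Only inbound allow rules widen the attack surface.
        if r.action != "allow" or r.direction != "inbound":
            continue
        if r.port == "any":
            findings.append(f"{cfg.name}: inbound allow-all rule from {r.source}")
            continue
        if r.port in INSECURE_SERVICES:
            findings.append(f"{cfg.name}: insecure service "
                            f"{INSECURE_SERVICES[r.port]}/{r.port} exposed to {r.source}")
        elif r.port not in cfg.required_services:
            findings.append(f"{cfg.name}: port {r.port}/{r.proto} open "
                            f"but not on required-services list")
    return findings


# Constructed sample: a small-office boundary firewall with several problems.
SAMPLE = FirewallConfig(
    name="office-fw",
    default_admin_password_changed=False,
    inbound_default_action="deny",
    rules=[
        Rule("allow", "inbound", "tcp", 443, "any"),          # needed: HTTPS
        Rule("allow", "inbound", "tcp", 23, "any"),           # telnet left open
        Rule("allow", "inbound", "tcp", 8080, "any"),         # undocumented service
        Rule("allow", "inbound", "any", "any", "10.0.0.0/8"), # blanket allow
        Rule("allow", "outbound", "any", "any", "any"),
        Rule("deny", "inbound", "tcp", 21, "any"),            # ftp correctly blocked
    ],
    required_services={443},
)

if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE):
        print("FAIL:", finding)
```

Run against the sample it reports four failures (default password, telnet exposed, port 8080 undocumented, allow-all from 10.0.0.0/8); a configuration that only exposes the documented services over a default-deny policy produces no findings. The same loop works for a host-based firewall export once the rules are mapped into the `Rule` shape.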

Secure configuration

Why bother?

Ensuring systems are securely configured reduces the vulnerabilities that attackers can exploit.

What’s the ask?

  • Default settings, particularly for new devices or software, must be reviewed and changed as necessary.
  • Remove or disable unnecessary accounts, services, and software.
  • Implement password policies that require strong, unique passwords for each user and device.
  • Enable security features such as encryption and user access control.


What is covered?

This control applies to all devices and software used within the organisation, including servers, workstations, and mobile devices.

User access control

Why bother?

Restricting access to systems and data ensures that only authorised users can access sensitive information.

What’s the ask?

  • Implement user authentication to verify identities before granting access.
  • Use the principle of least privilege, ensuring users only have access to the information and resources necessary for their role.
  • Admin accounts should be separate from normal user accounts to minimise the risk of privilege escalation.
  • Regularly review and update user access rights.


What is covered?

This control applies to all user accounts within the organisation, including employees, contractors, and external partners.

Malware protection

Why bother?

Malware protection defends against malicious software that can disrupt operations, steal data, or allow unauthorised access.

What’s the ask?

  • Install anti-virus and anti-malware software on all devices.
  • Ensure that malware protection software is regularly updated with the latest definitions.
  • Use application whitelisting to control which applications can run on your systems.
  • Configure settings to scan files automatically and block or quarantine detected malware.


What is covered?

This control applies to all devices, including workstations, laptops, and mobile devices.

Security update management

Why bother?

Regularly applying updates and patches fixes vulnerabilities in software and hardware that attackers could otherwise exploit.

What’s the ask?

  • Ensure all devices and software are kept up-to-date with the latest security patches.
  • Enable automatic updates where possible.
  • Apply critical and high-risk patches as soon as they are released.
  • Regularly review systems to ensure all updates have been applied and no devices are running outdated software.


What is covered?

This control applies to operating systems, applications, and firmware used across the organisation.
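The last ask above, regularly reviewing systems so that no device runs outdated software, is easiest to evidence from an inventory rather than by hand. The following Python script is an added example, not InfoShelter's code and not part of the scheme: it reviews a constructed inventory of installed versus latest available versions and separates plain "outdated" entries from critical or high-severity fixes that have been outstanding longer than a grace period. The inventory layout, the sample versions and the 14-day grace period are assumptions chosen for illustration; the page itself only says such patches should be applied as soon as they are released.

```python
"""Review a software inventory against the Cyber Essentials security update
management control. Added example: inventory layout, sample versions and the
grace period are assumptions, not values from InfoShelter or the scheme."""
from datetime import date

# Assumed policy value for how long a critical/high fix may remain unapplied
# before it is flagged as overdue rather than merely outdated.
CRITICAL_GRACE_DAYS = 14

# Fixed "today" so the sample review is reproducible.
REVIEW_DATE = date(2024, 6, 1)

# Constructed inventory: (device, software, installed version, latest version,
# release date of latest version, severity of the fix it carries).
INVENTORY = [
    ("laptop-01", "Windows 11", "10.0.22621.3447", "10.0.22621.3593", date(2024, 5, 14), "critical"),
    ("laptop-02", "Chrome", "125.0.6422.60", "125.0.6422.60", date(2024, 5, 21), "high"),
    ("server-01", "OpenSSL", "3.0.12", "3.0.13", date(2024, 1, 30), "low"),
    ("fw-01", "Firewall firmware", "7.2.1", "7.2.3", date(2024, 5, 28), "critical"),
]


def version_key(version: str) -> tuple:
    """Turn a dotted version string into a tuple that orders numerically.
    Non-numeric components sort as 0, which is sufficient for the sample data."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def review_patch_status(inventory, today: date) -> list:
    """Return one finding per device/software pair not on the latest version."""
    findings = []
    for device, software, installed, latest, released, severity in inventory:
        if version_key(installed) >= version_key(latest):
            continue  # already up to date
        days_outstanding = (today - released).days
        overdue = (severity in ("critical", "high")
                   and days_outstanding > CRITICAL_GRACE_DAYS)
        findings.append({
            "device": device,
            "software": software,
            "installed": installed,
            "latest": latest,
            "days_outstanding": days_outstanding,
            "status": "overdue" if overdue else "outdated",
        })
    return findings


def review_sample() -> list:
    """Run the review over the constructed inventory at the fixed review date."""
    return review_patch_status(INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f['status'].upper():8} {f['device']:10} {f['software']}: "
              f"{f['installed']} -> {f['latest']} ({f['days_outstanding']} days)")
```

On the sample data the Windows laptop is reported as overdue (a critical fix 18 days old), the OpenSSL server as outdated (low severity), and the firewall firmware as outdated but still inside the grace period; the fully patched Chrome install produces no finding. Feeding the same function a real inventory export gives the evidence an assessor asks for under this control.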

How will this help my company?

As with most security projects, there are commercial as well as protective reasons behind companies achieving certification.

Having the Cyber Essentials certification demonstrates that your company is committed to cyber security and has taken essential steps to protect against common threats. This can lower premiums when applying for Cyber Insurance. In fact, if certain criteria are met, IASME offers Cyber Liability Insurance as part of successful certification.


Importantly for many businesses, Cyber Essentials certification is often sought in order to work with new clients. It is a prerequisite for bidding on UK government contracts, particularly those involving sensitive or personal information.

Along with these valid commercial benefits, the scheme is proving its efficacy too. The NCSC reports in its 2023 Annual Review:

80% fewer cyber insurance claims are made when Cyber Essentials is in place.

NCSC Annual Review 2023


What risks will it help with?

While Cyber Essentials is not a comprehensive solution against all cyber threats, it provides an essential baseline that significantly reduces the risk of common cyber attacks such as…

Password Attacks (e.g., Brute Force)

Automated attempts to guess passwords can lead to unauthorised access. Strong password policies, multi-factor authentication, and secure configuration help protect against these attacks by making it harder for attackers to gain access.

Exploitation of Software Vulnerabilities

Attackers exploit unpatched software vulnerabilities to take control of systems or data. Cyber Essentials emphasises the importance of timely security updates, ensuring that software and systems are regularly patched to close known vulnerabilities.

Phishing Attacks

These attacks use deceptive emails or messages to trick individuals into revealing sensitive information, such as login credentials or financial data. Cyber Essentials helps mitigate this risk by enforcing strong user access controls, secure configuration practices, and malware protection, making it harder for phishing attacks to succeed.

Network Attacks

These involve exploiting weaknesses in network configurations to gain unauthorised access or disrupt services. Proper firewall configuration and secure network settings help prevent unauthorised access and protect against external threats.

Insecure Configurations and Default Settings

Default settings or insecure configurations can expose systems to attacks. The scheme requires companies to review and change default settings, disable unnecessary services, and configure systems securely to minimise risks.

Interested?

CYBER ESSENTIALS CERTIFICATION FEES (+VAT)

Micro sized company (1-9 employees): £450
Small sized company (10-49 employees): £550
Medium sized company (50-249 employees): £600
Large sized company (250+ employees): £700