Cyber Essentials Basic vs Cyber Essentials Plus

In todays blog article, we’re going to cover the differences between Cyber Essentials Basic vs Cyber Essentials Plus. We’ll briefly cover what each certification does, we’ll touch a little on costs and as well as what is involved from you the applicant.

Now for anyone who doesn’t know what the Cyber Essentials Scheme is all about, Cyber Essentials is a UK based certification which is owned by the National Cyber Security Centre or NCSC and is ran by the IASME Consortium, this certification allows businesses to demonstrate that they are implementing the best practices for cyber security for all internet connected devices.

This certification is a requirement for providing services to UK central government, as well as the Ministry of Defence, the MoD and the National Health Service, NHS. But its also becoming a big part for supply chain requirements.

If you’d like to know more about Cyber Essentials and how we can help you and your business, please don’t hesitate to get in touch with us here.

So let’s get started. When it comes to the Cyber Essentials scheme, there are two levels you can go for, the basic self-assessment, which is Cyber Essentials Basic, as well as the slightly more in depth Cyber Essentials Plus, which will require a valid Cyber Essentials basic certification before certification.

Both the basic and plus certifications last for 12 months and then you have to go through the process and renew again.

So when it comes to Cyber Essentials Basic, there are two ways you can start this process. You can go via the IASME website and then sign up for Cyber Essentials Basic there and complete the process, this process generally comes with no help or support. So you will log onto the portal, fill in the answers and then get your results.

Or you can go via a certification body, like ourselves at InfoSec Governance who will guide you through the process and advice where appropriate and then certify your business, when you successfully meets all the requirements.

When you go to complete the cyber essentials basic certification, you will be setup on a online portal, and you will need to go through and answer all the questions. The time it will take to complete this will depend upon your understanding of your business and what you have in place already and does it meet the requirements. But generally, it make take around an hour to complete for most people.

The National Cyber Security Centre, NCSC, have a document that details the IT requirements which are required for Cyber Essentials. You should read this document before starting the certification process. I’ll put a link to this document in the description below the video.

Then when you are all done, you submit your answers and the certification body, like InfoSec Governance will mark your answers accordingly and hopefully certify you first time.

Upon certification, you will receive an email with your certificate and report and you will get a link to a third-party website – BlockMark, which will allow you to link to your digital logos for your email and website.

When it comes to Cyber Essentials Plus, this is an audited certification. Whereby a certification like ourselves will audit your business and test to make sure what you have said in your basic certification is true.

Because we are auditing against your basic certification, you need to ensure that you have successfully completed the Cyber Essentials Basic certification, you must also ensure that you achieve the plus certification within 90 days of your basic certification date.

If you go past the 90 days, you will have to re-certify your basic certification and restart your plus certification. At additional cost to yourself.

For the plus audit, InfoSec Governance will perform these remotely, generally via Microsoft Teams and perform a show and tell type audit.

As part of the audit, we will look at the following:

  • Make sure that you have a firewall enabled and turned on, on all sample machines that are being audited.
  • Make sure that your sampled machines are all patched and up to date.
  • Make sure that your sampled machines have antivirus installed and are up to date
  • Make sure that account separation is in place and people are not running as a local administrator
  • We’ll check to make sure that all users, using cloud services have multi-factor authentication in place
  • We’ll perform email tests, which means sending user emails and seeing how the clients handle the attachments.
  • Lastly we will perform web browser tests and see how your web browsers handle downloading certain file types.

If your business fails any part of these tests, you will have up to 30 days of the 90 days from the date of your basic certification to get these remediated and certified.

Once you have successfully completed this audit, you will receive your certificate generally either the same day or the next day, along with a findings report for your records.

So now that we know whats involved in bother the basic and plus certifications, what are the costs?

Cyber Essentials is based around business size, for Cyber Essentials Basic, we are looking the following costs, at the time of recording, these are subject to change, so please get in touch if you would like to go ahead.

  • For a Micro business, 1 – 9 people, the cost is: £320 + VAT
  • For a small business, 10 to 49 people, the cost is: £440 + VAT
  • For a medium business, 50 – 249 people, the cost is: £500 + VAT
  • And for large businesses, with 250 or more people the cost is £600 + VAT

For Cyber Essentials Plus, you are looking at the following costs in addition to your basic costs:

  • For a Micro business, 1 – 9 people, the cost is: £1200 + VAT
  • For a small business, 10 to 49 people, the cost is: £1400 + VAT
  • For a medium business, 50 – 249 people, the cost is: £1500 + VAT
  • And for large businesses, with 250 or more people the cost is £2000 + VAT

And there we go, I hope this has been informative for you, if you would like any further help or certification, please do get in touch.