Cyber Essentials Plus Scheme Certification
Get compliant. Get secure. Find out more about Cyber Essentials Plus and secure your business with a Cyber Essentials Plus check — your comprehensive guide to cyber protection
What is The Cyber Essentials Scheme?
Cyber Essentials is a UK government-backed Cyber Security certification scheme. It is designed to help organisations of all sizes and sectors to protect themselves against common cyber-threats. The scheme was first launched in 2014 as part of the UK government’s National Cyber Security Strategy.
What is Cyber Essentials Plus?
Cyber Essentials Plus is the higher level of the UK government-backed Cyber Essentials certification scheme. It is the next stage on from the Cyber Essentials self-assessment questionnaire: the same five controls apply, but their implementation is tested by an assessor rather than self-declared. CE+ shows that an organisation is protecting its systems and data against common cyber threats.
An independent Cyber Security assessor will carry out a technical assessment. This involves checking that your systems and controls meet the requirements of the Cyber Essentials Plus scheme.
Equilibrium Security are one of the few Cyber Essentials Certification bodies within the Midlands. We have been working alongside IASME conducting Cyber Essentials and Cyber Essentials Plus assessments since 2016.
Ready to achieve your security goals? We’re at your service.
Whether you are a CISO, an IT Director or a business owner, Equilibrium has the expertise to help you shape and deliver your security strategy.
To chat to our team please call 0121 663 0055, email enquiries@equilibrium-security.co.uk, or start a live chat.
The 5 Key Security Controls
To get Cyber Essentials Plus certified, you must first meet the requirements of regular Cyber Essentials certification. This includes implementing best practice security measures, based on these five security controls:
- Firewalls
- Security Update Management
- Malware protection
- User Access Control
- Secure Configuration
Cyber Essentials vs Cyber Essentials Plus: Which One Do I Need?
Cyber Essentials (Basic) is a self-assessment questionnaire. An assessor reviews your answers, but nothing is technically tested, so it only confirms that you say the right controls are in place. It offers limited assurance but may meet basic supplier or tender requirements. Always check the details of what a contract asks for.
The Cyber Essentials Plus certification provides a higher level of assurance. It includes an independent audit to verify that the security controls are in place and working properly. From a security standpoint, CE Plus is the better option: it gives you and your customers stronger evidence that the controls actually defend against common attacks, rather than a statement that they exist.
Note: You must have Cyber Essentials (Basic) before applying for CE Plus.
Summary:
- CE Basic – Self-assessed, minimal assurance
- CE Plus – Independently verified, better protection and reassurance
Cyber Essentials Plus is ideal for reducing risk and showing real commitment to security.
The Cyber Essentials Plus requirements
Once you achieve the standard Cyber Essentials certification, you can apply for Cyber Essentials Plus.
- Technical assessment: To gain Cyber Essentials Plus certification, a technical assessment must be completed. This assessment verifies that the implemented controls are effective against common cyber-threats.
- Security tests: The technical assessment typically involves vulnerability scanning and testing of your IT systems, including websites, web applications and network devices. The assessment identifies vulnerabilities or weaknesses that could be exploited by attackers.
- Remediate and provide evidence: You will then be required to remediate any identified vulnerabilities or weaknesses, and provide evidence that the issues have been addressed.
- Meet the CE+ criteria: The independent assessor will verify that the vulnerabilities have been fixed, and confirm that the requirements of Cyber Essentials Plus have been met.
- Listed on the CE website: Once certified, you will be listed on the Cyber Essentials website and be authorised to display the Cyber Essentials Plus badge. This demonstrates that you have met the high level of Cyber Security required for the Cyber Essentials Plus certification.
- Renewal due in 1 year: The Cyber Essentials Plus certificate lasts for 12 months.
What does The Assessment involve?
- An assessor will perform an audit on a sample of computers to ensure they are configured according to the scheme.
- The auditor will conduct a vulnerability scan on these machines to confirm that patching and basic configuration are at an acceptable level.
- An external port scan of your internet-facing IP addresses will be conducted to identify any misconfigurations or vulnerabilities.
- A test will be conducted on your default email client and web browser to confirm their configuration and their ability to block the download and execution of test files that simulate malware.
- Screenshots will be taken as evidence that the system is compliant with Cyber Essentials.
Cyber Essentials Plus checklist
- Multi-factor authentication checks.
- Inbound email binaries and payload test.
- Account separation to confirm standard users do not have administrative privileges.
- Malicious and non-malicious browser file download tests.
- Authenticated and unauthenticated vulnerability and patch verification scans.
- A representative selection of user devices, all internet gateways, and all servers with services that can be accessed by unauthenticated internet users.
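One of the checks above that organisations most often fail is patch verification. The Cyber Essentials requirements say that updates fixing vulnerabilities with a CVSS v3 base score of 7.0 or higher, or that the vendor describes as critical or high risk, must be applied within 14 days of release. The script below is an added example (not the scheme's own test specification and not Equilibrium's tooling) that applies that rule to scanner findings so you can triage your own scan output before the assessor does. The `Finding` fields, the plugin names, the hosts and the assessment date are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Cyber Essentials patching rule: fixes for vulnerabilities rated CVSS v3 >= 7.0,
# or rated 'critical'/'high' by the vendor, must be applied within 14 days of release.
CVSS_THRESHOLD = 7.0
PATCH_WINDOW = timedelta(days=14)
HIGH_RISK_VENDOR_RATINGS = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    """One row of vulnerability-scanner output (field names are constructed, not a real scanner's schema)."""
    host: str                     # in-scope device the finding was reported on
    plugin: str                   # scanner's name for the check
    cvss_v3: float                # CVSS v3 base score reported by the scanner
    vendor_rating: str            # vendor's own severity wording, lower-cased
    fix_released: Optional[date]  # date the vendor published the fix; None if no fix exists


def is_ce_plus_failure(f: Finding, assessed_on: date) -> bool:
    """True if this finding would fail CE+ patch verification on the given assessment date."""
    if f.fix_released is None:
        # No fix available: not a patching failure. Unsupported (end-of-life) software
        # is caught by a separate CE requirement, so it is not handled here.
        return False
    severe = f.cvss_v3 >= CVSS_THRESHOLD or f.vendor_rating in HIGH_RISK_VENDOR_RATINGS
    # Day 14 after release is still inside the window; day 15 is overdue.
    overdue = (assessed_on - f.fix_released) > PATCH_WINDOW
    return severe and overdue


def triage(findings: List[Finding], assessed_on: date) -> Tuple[List[Finding], List[Finding]]:
    """Split scanner findings into those that would fail CE+ and those that would not."""
    fails = [f for f in findings if is_ce_plus_failure(f, assessed_on)]
    passes = [f for f in findings if not is_ce_plus_failure(f, assessed_on)]
    return fails, passes


# Constructed sample findings and assessment date for the example.
ASSESSED_ON = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("WS01", "browser-update", 8.8, "critical", date(2024, 5, 1)),     # 31 days old, severe: fail
    Finding("WS01", "office-update", 7.5, "important", date(2024, 5, 25)),    # 7 days old: still in window
    Finding("SRV01", "ssh-banner-info", 3.1, "low", date(2024, 1, 1)),        # old but not severe
    Finding("SRV01", "legacy-app-eol", 9.8, "critical", None),                # no fix: unsupported-software check
    Finding("WS02", "pdf-reader-update", 6.5, "high", date(2024, 4, 1)),      # CVSS < 7 but vendor 'high': fail
]


def sample_triage() -> Tuple[List[Finding], List[Finding]]:
    """Run the rule over the constructed sample; convenient entry point for checks."""
    return triage(SAMPLE_FINDINGS, ASSESSED_ON)


if __name__ == "__main__":
    fails, passes = sample_triage()
    for f in fails:
        days = (ASSESSED_ON - f.fix_released).days
        print(f"FAIL {f.host:6} {f.plugin:20} CVSS {f.cvss_v3:>4} vendor={f.vendor_rating:9} fix {days} days old")
    print(f"{len(fails)} failing, {len(passes)} acceptable")
```

Note the two cases practitioners miss: a finding with a score below 7.0 still fails if the vendor calls it high or critical, and a finding with no available fix is not a patching failure but points at unsupported software, which CE requires you to remove or isolate.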
Curious About Cyber Essentials Certified Plus In Action?
Learn how a software development company nailed the security basics with Cyber Essentials, making their continuous security journey easier and more manageable.
The Benefits Of CE+
A Cyber Essentials Plus certification is a valuable investment. It helps protect against cyber-threats, demonstrates a commitment to Cyber Security and improves reputation and credibility, whatever the size of your organisation.
There are several reasons why you should consider obtaining a Cyber Essentials Plus certificate:
- It can help reduce the risk of common attacks. These include phishing attacks, malware infections, and hacking attempts.
- Implementing the security controls recommended by the framework can reduce the risk of security breaches, improve information security and minimise the impact if an attack does occur.
- Cyber Essentials Plus can open up new business opportunities and government contracts. Organisations often require this certification from their suppliers and partners.
- Obtaining a Plus certification shows customers, partners, and other stakeholders that you have implemented baseline security controls and take Cyber Security seriously.
- The certification can enhance your reputation and credibility. It provides an independent validation of your Cyber Security posture.
How do I pass Cyber Essentials plus?
To pass a Cyber Essentials Plus certification, you must fully comply with the CE+ standard criteria.
If your IT infrastructure is well-maintained, achieving Cyber Essentials Plus certification should be a simple process. However, if your infrastructure is not up to par, you will need to either:
- Update the necessary areas within the scope before the assessment.
- Consider having the certification body perform a pre-assessment to pinpoint and improve any weak areas, and increase your chances of passing the certification.
If the assessor discovers vulnerabilities or weaknesses during the assessment, you must fix them and provide proof that they have been dealt with before you can pass Cyber Essentials Plus.
It is important to:
- Prepare for the technical assessment and ensure all necessary security controls have been implemented and tested beforehand.
- Provide clear documentation and evidence of the security controls and their implementation.
It is recommended that you hire a Cyber Security service provider with experience. They can guide you through the certification process and provide support in implementing and testing security controls.
How long does it take to get Cyber Essentials plus certified?
The time needed to obtain Cyber Essentials Plus certification varies from one organisation to another.
This depends on factors like:
- The size and complexity of your IT systems.
- The current state of security controls.
- The availability of internal resources to provide access and information, and to implement and test the required security controls.
- How thoroughly you implement the technical pre-requisites which prepare your systems for the remote assessment.
Typically, the process for obtaining Cyber Essentials Plus certification involves the following steps:
- Self-assessment (allow ample time for amendments and team input when completing the self-assessment questionnaire, as certain answers may require more detail or feedback)
- Security tests and vulnerability assessment
- Remediation
The time it takes to complete these steps can vary. Typically an assessment will only take a day or two. But, preparation, remediations, and retesting could extend the process to several weeks.
Start the certification process early. This will give you enough time to fix any problems that arise and finish the process before any critical deadlines.
The Cyber Essentials Plus Audit Process
Before we can provide a quote or proceed with the assessment we need to understand your environment so that we can fully define the technical scope of what the test will cover.
You can then move onto populating the online questionnaire. Before this is submitted, our consultants will review your answers to check they meet the scheme’s criteria. If changes are required, we provide detailed guidance on areas which need improvement. Once successful, you will be issued with a Cyber Essentials certificate for 12 months.
Our experts will remotely conduct external and internal vulnerability tests, as well as a series of other security checks to test the information obtained in your Cyber Essentials questionnaire.
If vulnerabilities are discovered, or other areas of non-compliance, we will provide detailed remediation guidance which needs to be applied within 30 days of the Cyber Essentials Plus assessment.
Once you have followed all remediation steps, we will conduct a retest to check that you comply with the CE+ criteria. You will then be awarded your CE+ certificate for 12 months.
How much does Cyber Essentials Plus cost?
The cost of Cyber Essentials Plus certification can vary depending on several factors, such as the size and complexity of your infrastructure, the level of support required, and the chosen certification body.
A Cyber Essentials Plus audit is not a one-time cost. You will need to renew your certification on an annual basis to maintain compliance and demonstrate ongoing commitment to Cyber Security best practices.
Whilst the cost may appear large, it is a much smaller investment than the possible cost of a cyber-attack.
Looking for a top Cyber Essentials certification body near you? It’s recommended to reach out to an accredited certification body like Equilibrium Security to get a quote based on your specific requirements.
To chat to our team about pricing please call 0121 663 0055, email enquiries@equilibrium-security.co.uk or start a live chat.
- Yearly cost to renew.
- Pricing can vary based on level of support required and the size of company.
- Consider pre-assessment and remediation costs.
- Quality comes at a price - the most trustworthy and capable certification body may not be the cheapest.
- The pricing will be tailored to meet your specific requirements.
Frequently Asked Questions
Equilibrium is a Certification Body for The IASME Consortium, the Cyber Essentials Partner to the National Cyber Security Centre (NCSC). We have been certifying businesses since 2016, which means we are well versed in the scheme's criteria.
As a certification body we can help you achieve:
- Cyber Essentials
- Cyber Essentials Plus
- IASME Cyber Assurance
- GDPR Readiness Assessments
If you would like to find out more about our Cyber Essentials pricing please arrange an expert call or call us on 0121 663 0055.
Can I get Cyber Essentials Plus without Cyber Essentials Basic?
The simple answer is no. Before you can move on to Cyber Essentials Plus, you must first pass the Cyber Essentials Basic certification, as the Plus audit assesses the information provided in your Cyber Essentials questionnaire. Once CE Basic is achieved, you must pass your CE+ within 90 days.
Find out more about whether you can achieve Cyber Essentials Plus without Cyber Essentials Basic.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials Basic is a self-assessed questionnaire that is reviewed by an assessor but not technically tested. The assessment has 70 questions which check that your current approach to securing your business is in line with the CE framework. Cyber Essentials Plus provides a higher level of assurance: it involves us auditing your systems with vulnerability scanning and other tests to verify the effectiveness of the security measures in place.
Find out more about the difference between Cyber Essentials Scheme and CE Plus.
Does Cyber Essentials include cyber insurance?
Cyber Liability Insurance is provided as part of the Cyber Essentials certification package on an 'opt-in' basis. The cyber insurance is available for businesses with an annual turnover of under £20 million; conditions apply.
Find out more about how to sign up for Cyber Essentials Liability Insurance.
Do I need to renew my Cyber Essentials certification?
Yes, Cyber Essentials and Cyber Essentials Plus certificates are due for renewal after 12 months. If you choose not to renew, your business will be removed from the NCSC's 'certified organisations' list, you will lose the included cyber insurance, and you will no longer meet the requirements of public sector bodies and other customers that require a current certificate.
What is Cyber Essentials?
Cyber Essentials is a Cyber Security certification scheme that has been developed to help organisations protect themselves from common cyber threats.
It provides a robust framework for improving Cyber Security practices in the UK and has been developed to be accessible for businesses of all sizes. It provides a thorough and structured approach to Cyber Security that significantly mitigates risk.
Learn more about what is Cyber Essentials here.
Who should have Cyber Essentials?
Any organisation that uses digital technology and handles potentially sensitive data should consider securing Cyber Essentials certification. It is widely used across government bodies and is a requirement for any organisation looking to bid for certain government and Ministry of Defence contracts.
Find out more about who should have Cyber Essentials here.