Cyber Essentials +

Created by the National Cyber Security Centre (part of GCHQ), Cyber Essentials is a UK Government scheme aimed at helping you adopt best practice in information security.

There is a self-certification version, Cyber Essentials, but it is best to have your setup independently assessed, which is the Cyber Essentials + scheme.

How do I get Cyber Essentials Plus

Don’t be put off by thinking it is too complex a thing to do. We aren’t saying it’s simple, but with us doing the bulk of the work for you, including managing the whole process, it is relatively straightforward.

There are really 6 stages to becoming and staying certified to Cyber Essentials Plus:

  1. Establish a system that complies with the standard
  2. Complete the questionnaire, which in essence is detailing how you address the requirements of 5 main technical controls
  3. Make everyone aware of the system and any changes in ways of working that have come about
  4. Operate the system to
    a. Make sure it works efficiently
    b. Build evidence of compliance with the requirements of the standard
    c. Get staff familiar with it
  5. Appoint a “certification body” to independently assess whether you comply with the requirements
  6. Keep using the system once it has been certified (to keep the certificate)

There is more detailed information below about the various stages you need to go through.

Your Cyber Essentials + certification journey


Getting Started

  1. Set a timetable and stick to it
  2. Provide a comprehensive briefing on what Cyber Essentials Plus requires, in simple to understand language
  3. Help select a certification body to independently assess your compliance with the requirements
  4. Begin completing the questionnaire the chosen certification body uses
  5. Decide what you want covered by the certificate – which sites, products and services. You can exclude some if you prefer
  6. Put the right resources in place
  7. Establish a dedicated client portal on our collaboration and document sharing platform

Implementing

  1. Establish a detailed project plan in our online project management platform (and stick to it)
  2. Map out your business processes and the data/information flows involved
  3. Conduct cyber security tests such as penetration testing and network security testing with our Cyber Security partner
  4. Produce a detailed report of what needs to be addressed
  5. If you don’t have resources to fix the issues, they can provide a fixed fee proposal for doing the work for you
  6. Appoint an accredited certification body and apply for certification

Certification

  1. Return application document, including completed questionnaire
  2. Certification body undertakes remote review of the completed questionnaire and onsite checks
  3. Address any findings from the assessment
  4. Re-submit documentation for final sign-off and certificate issue.

FAQs

What if I haven’t got IT or info sec expertise in the business?

Episode has plenty of experience, and some really helpful tools to deal with most requirements.

As part of any information security project undertaken by Episode, we get our info sec/cyber security expert partner to undertake a detailed audit of your system (using penetration tests, network sniffers, etc.) to identify any issues. If you feel you need their help rectifying issues, they will give you a fixed fee proposal for the work.

Will it create red tape and take too much time?

Done wrong, absolutely. Too many systems we see have a form or document to cover every aspect of the standard. That’s the easy way to build a system, and an equally easy way to cripple you operationally. You know this is the case when you spend a month “updating” (i.e. creating false) records, etc. before the auditor next comes.

Done right, as we will make sure it is, the system should be at the core of how you work. Remember, we make ISO work for you, not the other way around.

How long will it take?

It is difficult to give precise timescales, as it depends on a number of things such as how complex the business is, how close you are to complying with the scheme already, and so on. We recommend planning for it taking at least 4 to 6 months.

Why should I choose Episode?

For a fixed cost we will do as much of the work as possible, and guarantee certification. We work onsite as much as possible, so you get the best support possible.

With Cyber Essentials we don’t just tell you what is wrong with the IT infrastructure, we work with you to fix the issues (using our cyber security partner).

Episode has worked with over 40 clients, many of whom have more than one standard they comply with (one has 5). All have been successfully certified and many subsequently ask us to help them maintain certification, and get more out of the system.

How much will it cost?

The following costs will arise:

  1. External consultants

Episode always gives a fixed fee proposal for a project, and we include guaranteed certification. A typical Cyber Essentials project is about £1,900, but this does depend on the size and complexity of your business.

  2. Certification costs

You will need an external company to certify the system as being compliant with the scheme. There are many certification bodies that can independently assess (certify) your system against the scheme. We will manage this process for you, and typical costs are £2,000.

  3. Internal business costs

There may well be IT and other infrastructure work that needs doing, and we will give you a list of requirements as the first stage of any project.

To speak to an expert to discuss your requirements call us on 0113 801 9001

What is quality management and Cyber Essentials +?

The Cyber Essentials scheme, established by the UK Government, was launched on 5th June 2014. It includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet.

It was developed in collaboration with industry partners, including the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME) and the British Standards Institution (BSI), and is endorsed by the UK Government. It was launched in 2014 by the Department for Business, Innovation and Skills.

At its core it has five technical controls you must comply with:

  1. Boundary firewalls and internet gateways
  2. Secure configuration
  3. Access control
  4. Malware protection
  5. Patch management

Cyber Essentials guidance breaks these down into finer details. Importantly, it focuses only on technical controls, rather than a wider scope encompassing system management, governance, risk, policies, etc.

Organisations can earn two levels of certification:

  • Cyber Essentials: Organisations self-assess their systems, and this assessment is independently verified.
  • Cyber Essentials Plus: Systems are independently tested, and Cyber Essentials is integrated into the organisation's information risk management.

Annual recertification is required. Certifying Bodies are, in turn, licensed by Accreditation Bodies, which have been appointed by the UK government.

When done correctly, gaining and maintaining ISO certification is not as complicated as most think. Trust Episode to make ISO work for you, not the other way around.

Contact us today on 0113 8019001 or email us.

Testimonial

“It was only by utilising the expert guidance and experience of ‘Episode Ltd.’ that Thurston Group was able to attain certification within an exceptionally challenging time frame. We therefore offer our thanks to Episode Ltd. for the diligent and professional services provided. We also look forward to working with them again soon and would not hesitate to recommend their services.”


Peter Spieight, Senior Divisional Director, Thurston Group, Wakefield

Roger's support was invaluable in terms of gap analysis, recommendations for improvement, and facilitation of the certification process. I would strongly recommend Roger to any organisation wishing to develop or improve its management systems, in a way which minimizes bureaucracy, and focuses on best serving the needs of the organization.

Gary Evans, Flour Corporation, Abu Dhabi