Created by the National Cyber Security Centre (part of GCHQ), Cyber Essentials is a UK Government scheme aimed at helping you adopt best practice in information security.
There is a self-certification version, Cyber Essentials, but it is best to have your setup independently assessed, which is the Cyber Essentials Plus scheme.
Don’t be put off by thinking it is too complex a thing to do. We aren’t saying it’s simple, but with us doing the bulk of the work for you, including managing the whole process, it is relatively straightforward.
There are really 6 stages to becoming and staying certified to Cyber Essentials Plus:
There is more detailed information below about the various stages you need to go through.
Episode has plenty of experience, and some really helpful tools to deal with most requirements.
As part of any information security project undertaken by Episode, we get our info sec/cyber security expert partner to undertake a detailed audit of your system (using penetration tests, network sniffers, etc.) to identify any issues. If you feel you need their help rectifying issues, they will give you a fixed fee proposal for the work.
Done wrong, absolutely. Too many systems we see have a form or document to cover every aspect of the standard. That’s the easy way to build a system, and an equally easy way to cripple you operationally. You know this is the case when you spend a month “updating” (i.e. creating false) records, etc. before the auditor next comes.
Done right, as we will make sure it is, the system should be at the core of how you work. Remember, we make ISO work for you, not the other way around.
It is difficult to give precise timescales, as it depends on a number of things such as how complex the business is, how close you are to complying with the scheme already, and so on. We recommend planning for it taking at least 4 to 6 months.
For a fixed cost we will do as much of the work as possible, and guarantee certification. We work onsite as much as possible, so you get the best support possible.
With Cyber Essentials we don’t just tell you what is wrong with the IT infrastructure, we work with you to fix the issues (using our cyber security partner).
Episode has worked with over 40 clients, many of whom have more than one standard they comply with (one has 5). All have been successfully certified and many subsequently ask us to help them maintain certification, and get more out of the system.
The following costs will arise:
Episode always gives a fixed fee proposal for a project, and we include guaranteed certification. A typical Cyber Essentials project is about £1,900, but this does depend on the size and complexity of your business.
You will need an external company to certify the system as being compliant with the scheme. There are many certification bodies that can independently assess (certify) your system against the scheme. We will manage this process for you, and typical costs are £2,000.
There may well be IT and other infrastructure work that needs doing, and we will give you a list of requirements as the first stage of any project.
The Cyber Essentials scheme, established by the UK Government, was launched on 5th June 2014. It includes an assurance framework and a simple set of security controls to protect information from threats coming from the internet.
It was developed in collaboration with industry partners, including the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME) and the British Standards Institution (BSI), and is endorsed by the UK Government. It was launched in 2014 by the Department for Business, Innovation and Skills.
At its core it has five technical controls you must comply with:
Cyber Essentials guidance breaks these down into finer details. Importantly, it focuses only on technical controls, rather than a wider scope encompassing system management, governance, risk and policies, etc.
Organisations can earn two levels of certification:
Annual recertification is required. Certifying Bodies are, in turn, licensed by the National Cyber Security Centre, part of GCHQ.
"It was only by utilising the expert guidance and experience of Episode that Thurston Group was able to attain certification within an exceptionally challenging time frame. We therefore offer our thanks to Episode Ltd. for the diligent and professional services provided. We also look forward to working with them again soon and would not hesitate to recommend their services."
Peter Spieight, Senior Divisional Director, Thurston Group, Wakefield
Roger's support was invaluable in terms of gap analysis, recommendations for improvement, and facilitation of the certification process. I would strongly recommend Roger to any organisation wishing to develop or improve its management systems, in a way which minimizes bureaucracy, and focuses on best serving the needs of the organization.
Gary Evans, Flour Corporation, Abu Dhabi
Harvey Mills, Managing Director, Forge Recycling, Leeds.
If Sandy hasn’t already updated you, we are delighted to say we passed the transition audit for ISO 9001 and ISO 14001. Sandy did an absolutely fab job and all credit to her; we have loved having both of you here, it’s been a pleasure.
I have had a brief chat with Morgan [the CEO] about the next steps and how we manage things going forwards. Morgan will be in touch with you soon about this and getting Episode/Sandy back in on a regular basis. Once again many thanks for everything and especially to Sandy!!
Morag Tearne, HR and Health & Safety Manager, H. Slingsby plc, Shipley
Episode is always prepared to go the extra mile. When in a tight spot the lead consultant carried out an audit for us at very short notice (on a Sunday afternoon) to keep us on track. What is important to us is the advice they give us is practical and tailored to us. The quality of output Episode produces is very high.
This has resulted in us having a multi-year managed service from Episode so as a company we know our ISO 9001, ISO 14001 and ISO 45001 integrated system is up to date and working for us.
Gareth Walters, Financial Controller, Sports Turf Research Institute, Bingley.
When asked by Episode what three things they do well, and what three things they could improve upon, my answers were:
Done well
1. Client Communication, responded to queries very quickly
2. Requirements of the standard were communicated in a simple manner.
3. Assistance from initial implementation to date of assessment was very good.
I can honestly say there is nothing I feel they should improve upon.
Paul Hunneybell, Operations Manager, Fenland Fire Contracts Limited, Luton
The consultant worked with the team in Scott Bader Middle East Ltd. to completely re-engineer our Integrated Management System incorporating ISO 9001, ISO 14001 and OHSAS 18001. Until then we were slaves to the ISO audits, with the systems not adding much value beyond certification. Now we have a business management system that really works for us and is truly integrated into our operations. We were also successfully re-certified along the way.
John Kemp, CEO Scott Bader Middle East, Africa and Asia
The consultant really focused on making our systems and processes work better for us, not just help us comply with ISO 9001. He was able to work with Department Heads and Senior Management to shape their strategic thinking about quality and business objectives without telling them what they had to do because the standard says so.
Karim D'Alessandro, HSE Director, Shelf Drilling Inc.