In 2022, 40% of UK companies identified a cyber-attack. It is alarming statistics like this which is why initiatives such as the cyber essentials accreditation are popular.
If you have encountered these schemes and found yourself considering what they represent, this is the article for you. At Creative Networks, we are experts in both the cyber essentials and cyber essentials plus certifications. Our services help companies achieve the level of operating excellence needed to demonstrate full compliance with all the pillars included.
What is the difference between both of these cyber security risk assessments and compliance measures? Continue reading to find out.
What Is the Cyber Essentials Certification?
Cyber essentials was first launched in 2014 by the UK government with full support and input from the National Cyber Security Centre.
As the first stage of safeguarding on offer from the government, the scheme promotes professional levels of cyber security management by organisations of all sizes. The five core pillars are designed to give companies all the tools needed to improve security feasibly.
These areas that are included are as follows:
- User control settings are required to maintain safe access and data operations. Secure settings may include access content, MFA passwords, or more complex measures. Human error is responsible for as many as 82% of data breaches, so giving employees and supply chain professionals the tools to access data safely is essential.
- Patch Management protects against any access made via third-party programmes, which we know are essential for all business forms.
- Firewalls protect against incoming and outgoing data. This relates to known and unknown data, which companies will deal with daily. Cyber essentials measures ensure that effective firewalls are in place and are regularly updated to ensure they can deal with the most intelligent of modern cyber risks.
- Security software is also monitored through this certification. As well as having the right tools in place, compliance ensures that they have been professionally mapped across an IT network.
- Malware protection is the last component that is managed via the cyber essentials certificate. Malware can prevent many attacks aimed at protecting sensitive items such as data and passwords. As with the other software measures, cyber essentials ensure that the correct measures are in place and are suitable for modern threats.
Click here to learn more about the Creative Networks cyber essentials service.
What is the Cyber Essentials Plus Certification?
Cyber Essentials Plus is the follow-on system from the popular Cyber Essentials programme.
The scheme includes the same content pillars in the original essential’s certification but with more significance placed on external vulnerabilities. The same compliance is applied to this certification but with slightly different monitoring measures, which we will discuss later in the article. This is because it follows up on the controls put in place to ensure they are working correctly. Having the controls is enough to be Essentials certified, but a deeper alignment to the procedures is required for the Cyber Essentials Plus award.
The Cyber Essentials Plus certification requires an external security scan to be carried out for a successful award to be given. It should also be noted that only those who already have the cyber essentials certificate can apply for the plus certification.
Click here to learn more about the Creative Networks cyber essentials plus service.
What Are the Differences Between Cyber Essentials and Cyber Essentials Plus
Whilst the premise of both the cyber essentials and cyber essentials plus certifications are the same, a few distinct differences set them apart.
Both offer a way for a company to adopt a cyber security toolkit encompassing all the support needed to mitigate risk significantly.
The differences between the two certifications are as follows:
The Awarding Process
To achieve the cyber essentials certificate, a self-assessment is required.
The applying company must provide evidence of each of the markers having been met, and the submission document needs to be signed by a board member. By doing this, they declare that all the information is accurate and assign themselves responsible should any issues arise.
If successful, the certificate will be emailed based on this and will be valid for 12 months. This is the same process that should be followed with each application.
As the essentials plus certificate requires a deeper level of compliance alongside an external scan, an auditor will be responsible for managing the awarding process. They will also need confirmation of the approved cyber essentials certificate, which must have at least three months remaining at the time of application.
External Vulnerability Testing
Another difference is that an external vulnerability scan is completed for the cyber essentials plus certification. This is important as its tests the strength of the existing security measures that make up the compliance for the essentials certificate.
This involves trying to access a company in the same way that hackers would do so.
As this is carried out before the auditor visits, it comprises the first of two application phases associated with this award. The company will receive a full audit result whether they pass or not. If this phase is not passed, it could also affect the current essentials certificate as it represents that the compliance is not robust enough for modern security threats.
What are the Benefits of Cyber Essentials and Cyber Essentials Plus?
Although cyber essentials and cyber essentials plus are not mandatory in the UK, we recommend that companies adopt them as the benefits are plentiful.
By showcasing an adherence to the essentials and the plus certificate, competitors, employees, suppliers, and customers can see just how seriously the company takes its cyber security.
Some of these benefits include the following:
- Demonstrating compliance with these standards makes the contract and procurement process much simpler when tendering for new business. For some public sector contracts, this award will be essential. For others, when this certification is not specially asked for, it offers a way to show the robustness of a security plan efficiently.
- Being compliant also supports IT teams with their ongoing tasks associated with company safety. The compliance encourages the right processes to be implemented, which maintain long-standing adherence and safety.
- Improvements to internal processes can also be a witness. By having a clear process to follow, teams ensure that aspects such as decision making can take place much more easily.
Which Companies Are Eligible for Cyber Essentials and Cyber Essentials Plus?
Both certifications are eligible globally, meaning anyone can apply for this accreditation. If the business demonstrates compliance, it can successfully pass the application process.
As we have mentioned, only essential holders can apply for the plus award, making that the only stipulation for those who can apply. Otherwise, the process is made accessible to everyone.
It costs between £300 – £500+vat for companies to achieve the cyber essentials award, and between £1,900 – £4,000+vat for the essentials plus certification.
How Can Creative Networks Help My Business Achieve Cyber Essentials and Cyber Essentials Plus Status?
Alongside our official cyber essentials and cyber essentials plus services, we also offer a range of supporting products which make achieving the certifications possible.
Comprising the core pillars, we offer cyber security, server and network management, penetration testing, and user awareness training to name just a few services. By helping companies fine-tune each element, we ensure they have a better chance of passing the first time. We can also offer bespoke packages which support during any stage of the process to ensure that when your application is submitted, it contains only authentic information. This also includes ongoing support to maintain long-term compliance.
To find out more, please get in touch.
Want to find out more about our expertise within the cyber security sector? Check out some of our recent blogs:
Cookies & Cybersecurity: How are they connected?
What do IT Support Companies Do?