
Cyber Essentials Vs Cyber Essentials PLUS: What’s The Difference?

Compliance 07/15/2020 - 14:05 by Swami Nathan

Difference between Cyber Essentials and Cyber Essentials Plus

Cyber Essentials is a UK Government-backed scheme that helps organizations defend themselves against the most common cyber threats. Certification comes in two forms: Cyber Essentials and Cyber Essentials PLUS. This article explains how they differ.

What is Cyber Essentials?

Cyber Essentials assesses an organization's IT infrastructure and all of its internet-connected devices (including desktops, laptops, and handheld devices) against five baseline technical controls, and is designed to be straightforward. The five controls are:

  1. Boundary firewalls and internet gateways
  2. Malware protection
  3. Patch management (keeping software up to date)
  4. Secure configuration
  5. User access control

As well as showing that protecting customer data matters to you, certification can help you attract new customers and improves your chances of winning government contracts, for which Cyber Essentials certification is now a prerequisite.

The NCSC states that the Cyber Essentials scheme focuses on "Internet-based attacks using common resources and requiring little expertise." Examples include guessing passwords to log in to protected websites or internal systems, phishing, and other methods of tricking users into installing malicious software.

What is Cyber Essentials PLUS?

Cyber Essentials Plus has the same requirements as the basic certificate. You still need the same five technical controls in place:

  1. Firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Patch management

The difference is that the Plus certification requires an independent technical assessment, which verifies that all five controls are actually in place and working.

The Cyber Essentials PLUS certificate is generally regarded as the more reliable of the two because of this external verification. It is not just a self-declaration of your cyber security; it is independent evidence that your company's controls work.

How do Cyber Essentials and Cyber Essentials PLUS differ?

Since the requirements for both levels are the same, the difference lies in how Teceze and our certification bodies verify that your organization meets them.

Cyber Essentials is a self-assessment. You complete a questionnaire (with supporting evidence), and one of our certification bodies marks the application through our online portal.

Cyber Essentials Plus includes an external vulnerability scan. One of our certification bodies will visit your office and carry out a technical test against the Cyber Essentials requirements. Every certification body should follow the same testing process, but the cost will differ between them.

Self-assessment vs External Assessor

If you have a dedicated IT department, self-assessment may be a realistic choice for you, particularly if you already have a vulnerability management and patching process in place.

Independent assessors, who deliver Cyber Essentials PLUS, have the benefit of having been through the same process with many comparable organizations.

They will run a vulnerability scan of your IT infrastructure before an independent assessor completes the Cyber Essentials PLUS assessment.

The information gathered will guide any remedial work, helping the organization meet the five basic controls and demonstrate good information governance practice. Because an external body reviews your application, you may need to provide documentation showing that you satisfy every criterion.

We find that many companies that have completed the Cyber Essentials self-assessment still have critical vulnerabilities exposed when a security scan is run, and these cause an automatic fail at the Plus stage.

When do you need Cyber Essentials and Cyber Essentials PLUS?

This depends first of all on your motivation for seeking certification: do you want to show customers that you take data protection seriously? Do you need certification to satisfy a contract or supply-chain requirement? Or is there another reason?

When making a bid for a contract/acquisition/tender

Procurement tenders, particularly public-sector ones, will usually ask for Cyber Essentials as a minimum. If the tender does not specify which level, this usually means that only the basic level is required.

If it is for your own assurance

If you want to demonstrate that your organization is cyber-security compliant and takes data protection seriously, then the obvious choice is Cyber Essentials Plus. Companies holding sensitive data should always seek PLUS certification, particularly if they operate in sectors that are frequently targeted by cyber-attacks. It is not always cost-effective for SMEs, however, and the basic certification is appropriate for some businesses.

As a Managed IT Service Provider

If your customers are asking for help with Cyber Essentials certification, your organization should itself be certified to at least the level they are asking for help with, especially since you may be a gateway to your customers' data.

How to achieve these Certifications?

Several companies offer to verify your cyber-security controls, so it is essential to choose one that is accredited under the NCSC scheme. The NCSC also recognises a number of accreditation bodies, each of which keeps a list of certification bodies that you can use.

Teceze can take you through both Cyber Essentials and Cyber Essentials PLUS. The scheme has a fee, which starts at about £300 + VAT, and the assessment typically takes a couple of days.

Teceze will check your answers and grant your Cyber Essentials or Cyber Essentials PLUS certificate once we are satisfied that everything is in place and you have passed the test. You will need to recertify every 12 months. Teceze also offers a fully managed Cyber Essentials service which delivers the Cyber Essentials standard together with continuous monitoring of your systems. With this managed approach you need not worry about renewal, because renewals are handled automatically, which ensures that you remain continuously compliant rather than compliant only at a single point in time.

The only way to protect what you have worked hard to build is to stay vigilant about cyber security. If you would like to know more about how your business can benefit from managed services, just give us a call; we are here to help.

Cyber Essentials vs. Cyber Essentials PLUS. Therefore, the significant divergence between the two 'levels' is that Essentials is very much focussed on.