Following on from Bastien Bobes' article on Navigating Cyber Essentials, Jordan Schroeder at Barrier Networks discusses the key differences between Cyber Essentials and Cyber Essentials Plus, so organisations know which certification best suits their needs.
If any organisation in the UK is looking to enhance its cyber-security credentials, or showcase to customers, partners, or insurers that it is a cyber-resilient business, then the first place they will look is the Cyber Essentials scheme.
The certification is a government-backed program that was launched in 2014 and, according to recent figures, over 100,000 Cyber Essentials certificates have been issued since its foundation. The UK government believes this has had a profound impact on improving cyber-security across a range of organisations, which in turn has helped drive a more prosperous and resilient UK.
The program focuses on five key security pillars to help protect organisations against 80% of cyber-attacks, and it is also used to improve operational productivity, increase board involvement in cyber-security, assist with the security of remote working, and educate employees on safe cyber-security habits.
Understanding Cyber Essentials and Cyber Essentials Plus
The scheme consists of two levels of assessments – Cyber Essentials and Cyber Essentials Plus – each of which must be renewed annually to maintain accreditation.
Cyber Essentials is the basic level of accreditation, while Cyber Essentials Plus is the audited version.
Organisations can pursue Cyber Essentials Plus after they have successfully been certified at the Cyber Essentials level. However, the process of achieving each accreditation is very different and requires varying levels of commitment.
So, what are these key differences and what must organisations know before deciding whether to pursue Cyber Essentials Plus?
Cyber Essentials
Cyber Essentials focuses on getting the basics right, and it costs between £300 and £500, depending on the size and complexity of the organisation.
It consists of a self-assessment questionnaire asking about cyber-security processes, which is then checked by a Cyber Essentials Certified Assessor for completeness and correctness.
To achieve accreditation, organisations must confirm that they have specific steps and processes in place to protect their assets, and supply this information via the written questionnaire. However, because the questionnaire is a self-assessment, there are no auditors verifying that the answers are true or that the requirements are properly being applied.
The biggest concern with the self-assessment questionnaire is the risk of an internal ‘cyber-security mirage’. With IT and security teams working in the same networks every day, it is easy for them to overlook issues that they have learned to accept, which could lead to a breach or network compromise. It can also mean respondents answer questions incorrectly because they believe something is happening, and don’t validate it before answering the questionnaire.
When it comes to filling out the questionnaire, honesty is therefore the best policy. Any inaccurate information could leave an organisation at a higher risk of attack, so there is a lot to lose. Furthermore, to prevent inaccurate information being fed into the questionnaire, it is always best to have the answers reviewed by multiple colleagues before submitting them to the accreditation body.
Cyber Essentials Plus
Cyber Essentials Plus is an enhanced version of Cyber Essentials that involves an interactive assessment of an organisation’s security controls. The questionnaire remains the same, but an auditor verifies the answers.
The assessment involves a technical audit of systems, which includes a series of internal vulnerability scans, tests of system configurations, plus an external vulnerability scan, all of which are conducted by a certification body.
This audited assessment offers many benefits to businesses because it is an opportunity to have security scrutinised by an expert. The expert will understand and possess firsthand knowledge of the techniques utilised by criminals, so they can provide vital insight to improve cyber resilience.
The Plus certification is more expensive than the basic version as it is far more rigorous, but accredited organisations are much better prepared to defend against and mitigate cyber-attacks.
Selecting the certification to suit your business
In an ideal world, all businesses would achieve Cyber Essentials Plus, as this is better proof of resilience against attacks. However, if this isn’t possible, the initial assessment is still an excellent baseline for businesses wanting to improve their cyber-security posture.
While for some businesses Cyber Essentials will be enough, for larger enterprises or businesses that store and process high volumes of personal data, the Plus version will likely suit their needs and regulatory requirements better. It is more labour intensive and will require external auditors to examine the organisation’s security implementations and processes, but this in-depth examination will offer significantly increased assurance.
Another important point to note with both schemes is that the assessments are based on a point in time, so the biggest associated risk comes down to “compliance drift”: controls that passed on assessment day quietly lapsing in the months that follow. This is something businesses must strive to avoid, and the best way to achieve this is by running regular internal security checkups to ensure all requirements are being met throughout the year.
Not only will this make it easier when the annual Cyber Essentials assessment takes place, but maintaining compliance throughout the year offers the biggest business benefit, while also providing confidence and assurance to customers and partners.
Jordan Schroeder is managing CISO at Barrier Networks
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543