A primary objective of the UK Government’s National Cyber Security Strategy is to make the UK a safer place to conduct business online. From 1 October 2014, all suppliers bidding for government contracts that involve handling sensitive and personal information, or providing certain technical products and services, must be compliant with the new Cyber Essentials controls.
Cyber Essentials is the minimum requirement an organisation needs to implement to bid for public sector and MOD contracts.
Once a decision has been reached to proceed with a Cyber Essentials certification, a certifying body needs to be approved.
How to get your Business Certified
- The first stage in the certification process is to decide which level to certify against, either Cyber Essentials or Cyber Essentials Plus.
- Cyber Essentials – organisations complete a self-assessment questionnaire which is reviewed by an external Certifying Body.
- Cyber Essentials Plus – an external Certifying Body carries out tests of an organisation’s systems and helps the organisation achieve the required certification by providing guidance and feedback on its IT infrastructure.
- Both Cyber Essentials and Cyber Essentials Plus include a questionnaire which relates to security controls and the secure configuration of an organisation’s computing resources. Certifying Bodies also conduct a remote technical assessment at Cyber Essentials aimed at validating elements of the questionnaire.
- Cyber Essentials Plus is a more thorough assessment of the organisation and, as a result, may provide greater security assurance. However, it does come at an additional cost, which will factor into the decision-making process. Ultimately, the decision on which level to certify against will be influenced by an organisation’s cyber security stance and those of its business partners, suppliers and stakeholders.
Once an organisation has been assessed against the Cyber Essentials security criteria and passes, it will receive the relevant Cyber Essentials award (badge) for the level of certification achieved, demonstrating that it has achieved a fundamental level of cyber security. The process is very straightforward and should take only a few days.