Skip to content

What is covered in Cyber Essentials?


What is cyber essentials?

Cyber Essentials is a government-backed cybersecurity certification scheme in the United Kingdom that aims to help organizations protect themselves against common online threats. By implementing a set of basic security controls, Cyber Essentials assists in preventing cyber attacks and enhancing overall cybersecurity resilience. This article will outline the key aspects covered in Cyber Essentials, including the certification process, self-assessment questionnaire, technical controls, vulnerability scans, malware protection, and the importance of obtaining Cyber Essentials certification for organizations seeking government contracts or wanting to strengthen their cybersecurity measures.

Who needs cyber essentials certification?

Cyber Essentials certification is crucial for businesses of all sizes and industries. It is especially important for organizations that handle sensitive customer data or have a significant online presence.

Start-ups and small businesses often lack the resources to protect against cyber threats. Cyber Essentials certification provides them with a framework to implement fundamental security measures and protect themselves against common cyber-attacks.

Medium-sized and large businesses, including those that have government contracts, are increasingly being targeted by cyber criminals. Cyber Essentials certification helps them mitigate the risk of cyber-attacks and demonstrates their commitment to safeguarding sensitive information.

Organizations seeking to improve their cyber security posture can benefit from Cyber Essentials certification. It is an effective way to identify and address vulnerabilities in their systems and applications, reducing the likelihood of successful cyber-attacks.

Businesses that want to participate in government supply chains also need Cyber Essentials certification. This certification is often a prerequisite for bidding on certain government contracts.

Whether an organization chooses to self-assess or opts for a more comprehensive Cyber Essentials Plus certification, obtaining this accreditation demonstrates a commitment to robust cyber security. Accreditation bodies, such as the National Cyber Security Centre in the UK, conduct external vulnerability scans and technical audits to ensure compliance with the Cyber Essentials standards.

In today's cyber threat landscape, Cyber Essentials certification is essential for organizations looking to protect themselves from online threats and safeguard their reputation.

Overview of cyber essentials

Cyber Essentials is a certification scheme that focuses on helping organizations implement fundamental security measures to protect against cyber threats. This certification is particularly beneficial for start-ups and small businesses that may lack the resources to defend against common cyber-attacks. It provides them with a framework to effectively safeguard sensitive information and mitigate the risk of cyber incidents. The certification is also valuable for medium-sized and large businesses, including those with government contracts, as cyber criminals increasingly target them. By obtaining Cyber Essentials certification, these organizations demonstrate their commitment to protecting data and improving their overall cyber security posture. Additionally, Cyber Essentials is an excellent option for organizations seeking to participate in government supply chains, as certification is often a requirement to bid on certain contracts. Whether choosing the basic certification or the more comprehensive Cyber Essentials Plus, this accreditation process helps organizations identify and address vulnerabilities in their systems and applications, reducing the potential for successful cyber-attacks. Accreditation bodies, such as the National Cyber Security Centre, conduct external vulnerability scans and technical audits to ensure compliance with the Cyber Essentials standards. Overall, the Cyber Essentials certification is an effective means of enhancing online security and reducing the risk of cyber threats.

Key principles of cyber essentials

Cyber Essentials is a cybersecurity certification scheme that helps organizations safeguard themselves against common cyber attacks. It is based on a set of key principles that provide a foundation for robust cybersecurity measures.

The first principle is to maintain a secure configuration. This involves ensuring that all devices and software used within the organization are securely configured, with unnecessary services and access points disabled or removed.

The second principle is to have a strong access control policy in place. This means ensuring that only authorized individuals have access to sensitive information, and that access controls are regularly reviewed and updated.

The third principle is to regularly update and patch all software and devices. This is essential in protecting against known vulnerabilities and ensuring that the organization's systems are up to date with the latest security fixes.

The fourth principle is to protect against malware and other malicious software. This involves implementing effective malware protection measures such as anti-virus software, firewalls, and regular scanning for potential threats.

Finally, the fifth principle is to have a robust and secure internet connection. This includes using secure protocols and encryption, regularly monitoring network traffic, and implementing appropriate firewalls and intrusion detection systems.

By following these key principles, organizations can significantly reduce their risk of falling victim to common cyber attacks such as phishing, malware, and network breaches. Cyber Essentials certification demonstrates that an organization has implemented these principles and has the necessary cybersecurity measures in place to protect against such threats.

Benefits of achieving the certification

Achieving the Cyber Essentials certification brings several benefits to organizations in terms of their cyber security posture and business opportunities.

First and foremost, the certification provides reassurance to customers and stakeholders that an organization has implemented fundamental cyber security controls. With the increasing number of cyber threats, customers want to ensure their data is protected when working with external partners. The Cyber Essentials certification demonstrates that an organization has taken significant steps to safeguard sensitive information.

The certification also allows organizations to appear on the directory of awarded organizations. This directory is a valuable resource for potential customers and partners looking for trusted and reputable cyber secure organizations to collaborate with. Being listed on this directory can enhance an organization's reputation and credibility in the field of cyber security.

Furthermore, achieving the Cyber Essentials certification can attract new business opportunities. Many companies, both small and large, explicitly require their suppliers to have this certification as a prerequisite for doing business with them. By having the certification, organizations can expand their customer base and tap into new markets.

Lastly, the certification enables organizations to bid for government contracts. The UK government recognizes the importance of cyber security and requires suppliers to adhere to Cyber Essentials as a minimum requirement. The certification opens up doors for organizations to access government contracts, which can be highly valuable and beneficial for growth and stability.

Certification process

The Cyber Essentials certification process involves several steps to ensure that an organization has implemented robust cyber security measures. The first step is to complete a self-assessment questionnaire, which assesses the organization's current security controls and practices. This questionnaire covers areas such as secure configuration, access control, and malware protection.

Once the self-assessment is complete, organizations then undergo an external vulnerability scan. This scan is conducted by an independent certification body and identifies any vulnerabilities or weaknesses in the organization's external network and systems. Following the external scan, organizations also need to conduct an internal vulnerability scan to assess the security of their internal network and systems.

To achieve the Cyber Essentials certification, organizations must demonstrate that they have effectively implemented the necessary technical controls to protect against common cyber threats. This includes having appropriate security updates, secure internet connections, and strong access controls. Organizations must also provide evidence of their commitment to ongoing security measures, such as regular vulnerability assessments and staff training.

For organizations looking for a more comprehensive certification, there is also the option to achieve Cyber Essentials Plus. This higher level of certification includes a technical audit and additional testing conducted by certified cyber security experts.

Self-assessment questionnaire (SAQ)

The self-assessment questionnaire (SAQ) is a crucial component of the Cyber Essentials certification process. It serves as a comprehensive assessment tool that organizations use to evaluate their cyber security measures and identify any areas that require improvement. The SAQ includes a series of questions related to various technical controls and security practices outlined in the Cyber Essentials scheme.

Completing the SAQ involves several steps. Firstly, organizations must review and understand the questions within the questionnaire, which cover important aspects such as secure configuration, access control, malware protection, and secure internet connections. They must then evaluate their existing cyber security systems and procedures to determine if they meet the scheme's requirements.

Expert input is highly recommended before organizations submit their SAQ. Consulting with cyber security professionals ensures that the questionnaire is completed accurately and meets the specific criteria set by the Cyber Essentials scheme. These experts can offer valuable insights and recommendations to enhance an organization's security measures or address any deficiencies identified during the self-assessment process.

By obtaining expert input prior to submission, organizations can increase their chances of achieving the Cyber Essentials certification. This certification is an essential recognition of an organization's commitment to basic security controls and protection against common cyber threats. It also enhances an organization's credibility, making it more attractive to potential clients, suppliers, and even government contracts.

External vulnerability scan (EVS)

As part of the Cyber Essentials certification process, an external vulnerability scan (EVS) plays a crucial role in verifying the absence of obvious vulnerabilities in an organization's internet-facing networks and applications.

The purpose of an EVS is to identify any potential weaknesses or vulnerabilities that could be exploited by cyber attackers. This scan is essential for ensuring the security of an organization's online presence and protecting against common cyber threats.

The process of an EVS involves conducting a thorough examination of an organization's internet-facing systems from an external perspective. This scan is typically performed off-site, using specialized tools and techniques to assess the security of networks, firewalls, routers, and any other devices connected to the internet.

During the scan, cyber security experts examine the organization's online infrastructure for any vulnerabilities, such as open ports, out-of-date software, or misconfigurations. By identifying these weaknesses, organizations can take appropriate action to address them and improve their overall cyber security posture.

By successfully completing an external vulnerability scan, organizations demonstrate their commitment to implementing effective security measures and protecting against potential cyber attacks. This is a crucial step towards achieving Cyber Essentials certification and ensuring the security of internet-facing networks.

Internal vulnerability scans (IVS)

Internal vulnerability scans (IVS) are an integral part of the Cyber Essentials certification process. These scans help organizations identify vulnerabilities within their internal network or system, allowing for timely remediation to enhance cyber security.

The IVS process involves systematically examining an organization's internal systems, including servers, workstations, and applications, for potential vulnerabilities. Scanning tools, such as vulnerability scanners, are utilized to identify weaknesses, misconfigurations, or outdated software versions that could be exploited by cyber attackers.

The frequency of IVS depends on the organization's risk tolerance and the dynamic nature of their environment. It is recommended to conduct IVS regularly to ensure ongoing security.

Once the scan is complete, a thorough report is generated, highlighting the vulnerabilities discovered along with their severity levels. This report plays a crucial role in prioritizing and addressing the identified weaknesses promptly. Organizations can then take the necessary steps, such as patching vulnerabilities, updating software, or adjusting configurations, to remediate the identified risks effectively.

By regularly conducting internal vulnerability scans, organizations can proactively identify and address vulnerabilities within their network or system. This helps in strengthening their cyber security posture and minimizing the risk of potential cyber attacks.

Technical controls assessed by the SAQ and IVS/EVS

The Cyber Essentials certification process includes the assessment of technical controls through the Self-Assessment Questionnaire (SAQ) and Internal Vulnerability Scans (IVS) or External Vulnerability Scans (EVS). These controls play a critical role in ensuring the security and resilience of an organization's systems and networks.

The SAQ evaluates various technical control areas such as firewall configuration, secure system settings, user access controls, malware protection, and regular security update management. A firewall is essential for securing devices connected to the internet by blocking unauthorized access and controlling network traffic. Secure system settings involve configuring devices and software with robust security measures to mitigate potential vulnerabilities.

User access controls restrict unauthorized access to sensitive information and systems, preventing potential security breaches. Protection against viruses and malware attacks is crucial in safeguarding against cyber threats, reducing the risk of data breaches and system compromise. Regular security updates are also essential as they address vulnerabilities and weaknesses in software and devices, ensuring they are fortified against potential exploits.

IVS/EVS scans assess the internal and external security posture of an organization's systems. These scans identify vulnerabilities, misconfigurations, and outdated software versions that cyber attackers could potentially exploit. By regularly conducting IVS/EVS scans, organizations can proactively detect and address security risks, bolstering their overall cybersecurity posture.

Common cyber security threats & measures to mitigate them

In today's digital landscape, organizations face numerous cyber security threats that can jeopardize their sensitive information, compromise their systems, and disrupt their operations. It is crucial for organizations to understand these threats and implement effective measures to mitigate them. By addressing common cyber security threats, organizations can protect themselves against potential breaches, minimize risks, and maintain the integrity of their systems and data. In this article, we will explore some of the most prevalent cyber security threats and the measures organizations can take to mitigate them.

Malware protection & secure configuration of internet connections

Malware protection and the secure configuration of internet connections are crucial aspects of the Cyber Essentials certification process. Malware, or malicious software, poses a significant threat to individuals and organizations alike, as it can compromise the security of devices and spread to other connected devices.

Malware can infiltrate devices through various means, such as email attachments, downloads from untrusted websites, or even physical installation. Once malware infects a device, it can perform a range of harmful activities, such as stealing sensitive information, hijacking the device, or launching further cyber attacks. Additionally, malware has the potential to spread across a network, infecting other connected devices and expanding the scope of the breach.

To prevent and mitigate the risks associated with malware, several key measures should be implemented. Firstly, all devices should have up-to-date antivirus software installed, which can detect and remove known malware threats. It is also important to only use approved applications or software programs from trusted sources, as unverified software may contain hidden malware.

Furthermore, securing internet connections is vital in preventing unauthorized access and the spread of malware. This can be achieved by implementing a firewall, which acts as a barrier between trusted internal networks and untrusted external networks. A firewall monitors incoming and outgoing network traffic, blocking any unauthenticated connections and preventing potential malware from entering the network.

By actively addressing malware protection and the secure configuration of internet connections, organizations can enhance their cyber security posture and reduce the risk of cyber attacks. These measures are essential for achieving Cyber Essentials certification and safeguarding against the ever-evolving threat landscape.

Basic security controls & national cyber security centre (NCSC) guidelines

Basic security controls are essential for protecting against common cyber threats, and the guidelines provided by the National Cyber Security Centre (NCSC) offer a comprehensive framework for implementing these controls.

The NCSC provides guidance on a range of security measures, including secure configuration, access control, malware protection, patch management, and secure internet connection. These controls are designed to address the most prevalent cyber threats and minimize the risk of a security breach.

Secure configuration involves ensuring that devices and software are securely set up and configured to reduce vulnerabilities. Access control ensures that only authorized individuals have access to sensitive information and systems, reducing the risk of unauthorized access or data breaches. Malware protection is crucial in detecting and preventing malicious software from infiltrating devices and networks. Patch management involves regularly updating software and systems with the latest security updates to address known vulnerabilities. Finally, a secure internet connection is vital in preventing unauthorized access and the spread of malware.

By following the NCSC guidelines and implementing these basic security controls, organizations can significantly enhance their resilience to common cyber threats and safeguard their systems and data. Taking proactive steps to protect against cyber threats is essential in today's digital landscape to avoid potential financial losses, reputational damage, and legal penalties.

Phishing attacks & common attack prevention techniques

Phishing attacks are a common type of cyber threat that aim to trick individuals into revealing sensitive information. Attackers often exploit vulnerabilities in email systems to make their phishing attempts more convincing and successful.

One common technique used in phishing attacks is email spoofing, where attackers impersonate a legitimate organization or individual to gain the trust of their targets. They may create emails that appear to be from banks, online retailers, or even colleagues, which contain links to fake websites or malicious attachments. These emails often employ urgent or alarming language to manipulate recipients into taking immediate action.

To prevent falling victim to phishing attacks, there are several techniques individuals and organizations can employ. First, it is essential to be cautious and skeptical of any unexpected or unsolicited emails, especially those requesting sensitive information. Verifying the authenticity of the email sender by independently contacting the organization or individual through a trusted and verified channel can help identify potential phishing attempts.

Secondly, individuals should avoid clicking on suspicious links or downloading attachments from unknown sources. Hovering the mouse cursor over a link before clicking on it can reveal the true web address, which may differ from the displayed text. Moreover, keeping email systems updated with the latest security patches can help mitigate vulnerabilities that attackers often exploit.

Additionally, educating employees about the risks of phishing attacks and providing training on how to identify and report suspicious emails can further enhance security. By implementing these preventive measures, individuals and organizations can reduce the risk of falling victim to phishing attacks and protect sensitive information.

Cyber risk management & working with cyber security experts

Cyber risk management is a critical aspect of maintaining a secure and resilient organization in today's digital landscape. By effectively managing cyber risks, organizations can identify and mitigate potential threats and vulnerabilities that could compromise their security. This proactive approach helps organizations stay ahead of cyber attacks and safeguard their data, systems, and reputation.

Working with cyber security experts plays a vital role in enhancing an organization's overall security posture. These experts possess in-depth knowledge and experience in implementing effective security controls and protocols. They have a thorough understanding of the latest cyber threats and can provide valuable insights and guidance on how to mitigate these risks.

Collaborating with cyber security experts offers several benefits. One such benefit is their ability to assess an organization's current security measures and identify any gaps or weaknesses. They can conduct comprehensive risk assessments, vulnerability scans, and penetration tests to uncover potential vulnerabilities and recommend appropriate security measures.

Moreover, cyber security experts stay updated with the evolving cyber threat landscape. They continuously monitor emerging threats, new attack techniques, and vulnerabilities. This knowledge helps organizations stay one step ahead and implement the necessary security controls to protect against the latest threats.

By working closely with cyber security experts, organizations can establish a robust cyber risk management program. This program includes implementing robust security controls, conducting regular audits and assessments, training employees on best practices, and maintaining secure configurations throughout the organization's IT infrastructure.

General thought leadership and news

The NIST Cybersecurity Framework: Best practices

The NIST Cybersecurity Framework: Best practices

When it comes to security compliance, the NIST Cybersecurity Framework (NIST CSF) has built a reputation for effectively guiding organizations toward...

6clicks receives ISO 42001 certification for its AI Management System

6clicks receives ISO 42001 certification for its AI Management System

Melbourne, Australia – 18 November 2024. 6clicks, pioneer of the first AI-powered GRC (Governance, Risk, and Compliance) software, is proud to...

Hailey’s newest updates: Risk & issue generation + compliance mapping

Hailey’s newest updates: Risk & issue generation + compliance mapping

At 6clicks, we’re continually evolving our AI capabilities to make the process of risk management and compliance faster, smarter, and more intuitive....

Understanding the NIST RMF: Breaking down the 7 key steps

Understanding the NIST RMF: Breaking down the 7 key steps

The NIST Risk Management Framework (NIST RMF) is a flexible framework that can be tailored to your specific organizational profile and regulatory...

Past, present, and future themes in cybersecurity: Are you keeping up?

Past, present, and future themes in cybersecurity: Are you keeping up?

In the ever-evolving landscape of cybersecurity, understanding where we've been, where we are, and where we're going is essential. By examining the...

Why 6clicks is outpacing legacy GRC platforms like Archer, ServiceNow and Diligent

Why 6clicks is outpacing legacy GRC platforms like Archer and more

For years, Archer, ServiceNow, and Diligent were the go-to names in GRC software. Archer’s rich functionality made it a leader, while ServiceNow’s IT...