Cyber Essentials FAQs

What is Cyber Essentials? Find answers to frequently asked questions here...

What are the Cyber Essentials and Cyber Essentials PLUS schemes and how can they  help my business?

The Cyber Essentials scheme is a cyber-security standard, which your organization can be assessed against and certified to. It identifies the security controls that you must have in place within your IT systems, in order to have confidence that you are addressing cyber-security effectively and mitigating the risk from internet-based threats.

The scheme focuses on five essential mitigation strategies within the context of the 10 Steps to Cyber Security guide. It provides you with clear guidance on implementation as well as offering independent certification for those who require it.

The adoption of standards and certification for cyber-security can enable your organization, and all stakeholders, to have greater confidence in your ability to measure and reduce basic cyber risks, as it demonstrates that you have been independently assessed.

You are likely to need Cyber Essentials if you are involved in any of the government’s procurement processes. However, if you are not, this scheme and Cyber Essentials PLUS can help prevent attacks on your IT systems from outside or inside your company and could give your stakeholders peace of mind.

What does Cyber Essentials involve?

You will need to complete a self-assessment questionnaire which BSI will grade, and then undergo and pass a vulnerability scan for Cyber Essentials.

The full scheme requirements are available from the UK Government website.

Is Cyber Essentials a mandatory requirement for working with the UK Government?

The Cabinet Office’s note to Procurement Officers is available here - this specifies where the Cyber Essentials certification in mandated >

It is noted that an increasing number of government and commercial organizations are requiring this certification of their suppliers, even though they are not mandated to do this through the Procurement Policy Notice. In his speech on the 23rd June 2015, Ed Vaizey from the Department of Culture, Media & Sport urged all organizations to “adopt Cyber Essentials so they can protect and promote themselves online to all stakeholders”. Read more >

What is the cost for Cyber Essentials certification?

Please contact us for a free quote, or simply get in touch with our team by calling +44 (0)345 080 9000, or emailing product.certification@bsigroup.com.

Is a vulnerability scan or penetration test required for Cyber Essentials?

With BSI, a vulnerability scan is required for Cyber Essentials. We, along with CREST, feel that a vulnerability scan provides a greater level of security and confidence in your organization and will increase the peace of mind for all stakeholders. 

How quick is the Cyber Essentials certification process?

We can turn applications around quite quickly. Once we have received your signed quote, we can issue you with the official self-assessment questionnaire and can schedule the vulnerability scan. The quicker you return the fully populated self-assessment questionnaire to us, the quicker we can progress with the evaluation and vulnerability scan.

Can you send me the self-assessment questionnaire before I sign up?

No, we can only send the BSI questionnaire once a quote has been agreed. Please contact us for details, or visit the CESG website and type “Questionnaire” into the search bar for a generic questionnaire.

Do I need 100% to pass?

You need to get 70% of the questions correct in each section of the self-assessment questionnaire to pass that part of the Cyber Essentials assessment. Passing the self-assessment questionnaire section will enable you to move onto the vulnerability scan.

You will need to demonstrate that the controls for all the aspects of and risks to your system are in place and addressed to achieve Cyber Essentials certification. This very strict pass criteria is set by the UK Government. If you are not compliant in some of the questions we suggest you should try and change your processes to meet the requirement.

Are there any automatic fail questions?

Any company using unsupported or out-of-date software in the scope of the assessment, such as Microsoft XP, will probably fail to achieve Cyber Essentials certification.

Do failed assessments receive feedback?

BSI will issue clients with a report detailing the answers in the self-assessment questionnaire and feedback from the assessor on any areas or issues that were deemed non-compliant. If you fail the assessment or the vulnerability scan, this feedback will help you to re-focus your efforts so that you can put in place the required actions to enable you to pass next time.

Is the questionnaire a tick box Yes/ No or will it require lengthy details?

The questionnaire requires answers to all questions – most of these questions will require brief notes to enable us to understand your company and the information security controls that you have in place. By providing full details in the questionnaire you will reduce the time required for certification as we will have all the information we need up front.

What does Cyber Essentials PLUS involve?

After you have achieved Cyber Essentials certification (organizations need to achieve Cyber Essentials before progressing on to Cyber Essentials PLUS) a demonstrably competent assessor will visit your premises to complete a work station construction assessment as well as some technology auditing. The assessor will require internet enabled access devices for all your different software builds to complete this assessment.

How much does it cost for a Cyber Essentials PLUS assessment?

The Cyber Essentials PLUS assessments can be quoted for at the same time as Cyber Essentials. This assessment involves a work station construction assessment of your IT equipment, and so will depend on the complexity and number of software builds your inventory contains and the number of sites your company is located across.

Please contact us for a free quote or simply get in touch with our team by calling +44 (0) 345 080 9000, or emailing product.certification@bsigroup.com.