How to fill in the Cyber Essentials certification questionnaire correctly
Cyber Essentials is one of the UK’s most accessible and widely recognised digital security schemes. It was developed by the National Cyber Security Centre (NCSC) to help businesses and organisations to protect themselves against cyber threats and demonstrate their commitment to cyber security. Forensic Control is licensed by IASME to carry out Cyber Essentials and Cyber Essentials Plus certifications.
To achieve Cyber Essentials certification, your business must complete a self-assessment questionnaire consisting of around 80 questions, which may be in a form or a spreadsheet. Essentially, the questions cover the IT devices and services you use and how they have been configured. The simplicity of Cyber Essentials is that it breaks down security compliance into a set of direct questions. Each question asks about a specific piece of the security landscape in your organisation.
The Cyber Essentials requirements are based on the National Cyber Security Centre’s Cyber Essentials: Requirements for IT infrastructure document, so make sure that you read it – your path to compliance is all in this document. The document is 22 pages long and written with the end user in mind, making it fairly accessible even if you’re not an IT professional.
The questions are broken down into five areas, matching the five technical controls in the requirements document:
Firewalls
To ensure that only safe and necessary network services can be accessed from the internet.
Secure configuration of your devices
To ensure that computers and network devices are properly configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role.
User access controls
To ensure user accounts are assigned to authorised individuals only and provide access to only those applications, computers and networks actually required for the user to perform their role.
Security update management
To ensure that devices and software are not vulnerable to known security issues for which fixes are available.
Malware protection
To restrict the execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data.
About a third of the questions require a yes/no response, while the rest require a few sentences where you describe your processes.
For the yes/no questions, the correct answer is implied by the way the question is worded: for the vast majority of them, the compliant answer is a positive one. As with any questionnaire, be sure to read and understand each question fully, and resist the temptation to just hit yes on everything!
For the questions requiring a few sentences in response, you need to show the assessor that you understand the question and that you have an appropriate system or control in place.
Forensic Control has customised the Cyber Essentials question set to include example ‘model answers’, which give our applicants a clear idea of the level of detail and the processes needed to provide a compliant answer. If you’re unsure about how to answer a question or want us to take a look at your answer, we’re happy to provide additional help and feedback.
Forensic Control assists by supplying unlimited help and support throughout the six months you have to submit the question set – we make sure you can’t fail.
If you’re interested in the Cyber Essentials accreditation or need more information, take a read of Cyber Essentials Explained or alternatively you can contact us directly.
Do you need help with your Cyber Essentials certification?
We won’t overwhelm you with jargon, just offer workable solutions to minimise the risk of cyber threats. Forensic Control offers simple, step-by-step guidance to ensure that your business meets the required standards.