Cyber Essentials is a UK Government scheme developed by the National Cyber Security Centre (NCSC) to help organisations guard against common cyber threats and demonstrate their commitment to cyber security. It has been designed to be affordable, simple to implement, and to accommodate organisations of any size.
The certification process is managed by IASME, which licenses certification bodies, such as Forensic Control, to carry out Cyber Essentials and Cyber Essentials Plus certifications.
£1,000
Includes £200 IASME application fee
A hand-holding service, including unlimited phone & email support
Guided questionnaire with examples of “model” answers
£25,000 of free cyber insurance cover, if required and if qualifying
Cyber security advice for 12 months; up to 30 minutes of phone/email support per month
*Price does not include VAT.
£1,750
Includes £200 IASME application fee
A hand-holding service, including unlimited phone & email support
Qualified external assessor auditing your security controls
Tests of a set of user devices, firewalls & servers
On-demand vulnerability testing on external IP addresses for 12 months
Cyber security advice for 12 months; up to 30 minutes of phone/email support per month
*Price does not include VAT. Price may differ for organisations with a mix of operating system versions/builds.
£2,500
Includes £400 IASME application fee
Includes everything from both our Cyber Essentials and Cyber Essentials Plus plans at a £250 discount over purchasing them separately
*Price does not include VAT. Price may differ for organisations with a mix of operating system versions/builds.
“Highly recommended Forensic Control. From the very start of our CE+ journey, Jonathan was providing tremendous service to us in order to ensure we had all the necessary information and advice specific to our company. They were consistently providing clear and helpful guidance in order for us to best succeed with our certification and as such had a great outcome! Big thanks to Jonathan and Forensic Control.”
Christopher Price, Tech. Operations Officer, Faculty AI
“We are a small company that relies on the security of our data. Forensic Control has been perfect at keeping us protected and up to date with all the latest trends. Very efficient when we have needed help. Thank you.”
Andy Bibby, CEO, 87%
“Forensic Control came in to support us at very short notice. From the get-go, the service was professional, slick, to-the-point and constructive. The net effect was that we successfully achieved our CE+ certification but did so as a meaningful basis for growth and cultural change – this is due, in no small part, to the technical leadership, guidance and objectivity that Forensic Control brought to this project. I would actively look to work with and engage Forensic Control on future projects.”
Christopher Crowther, CIO, Spectra Analytics
Cyber Essentials assesses how organisations protect themselves from cyber attacks by checking five key areas. It identifies whether the necessary controls are in place and how they are managed. Forensic Control offer simple, step-by-step guidance to help companies comply with each of these areas.
Please note, these controls apply to all internet-connected devices that access your data, including those not owned by your organisation (BYOD). If all devices that access your data meet these requirements, it is likely that you would be in a good position to certify to Cyber Essentials.
You will need to ensure that your office firewalls, and Wi-Fi routers for home workers, are secure. Other requirements include changing default passwords on network equipment (here’s some good advice you can show to your users) and ensuring that these devices are supported and their firmware updated.
Requirements to securely configure devices include removing software and user accounts which are no longer in use, and ensuring passwords are strong. Contrary to common advice, it is no longer considered secure to require users to regularly change passwords.
It is important that all apps and operating systems are supported by their manufacturers and are kept updated. This ensures that they are protected against known vulnerabilities. Use of an MDM (mobile device management) tool can help put you in control of patching on your network.
Everyone needs a unique user account to access your organisation’s data. You must also ensure that users only have access to the data they need according to their role. Data access permissions must be managed when a user changes roles, while the use and provisioning of administrative accounts must be controlled.
Protection against malware is required on all devices where it is available, including for Macs. The anti-malware software needs to check for updates at least once every 24 hours, and it must protect against malicious websites. Mobile devices must not be compromised by jail-breaking or rooting.
Cyber Essentials is a self-assessment demonstrating a company’s ability to protect itself against common cyber attacks. It provides guidance on how to securely configure your devices and the accounts used to access them.
Cyber Essentials Plus offers additional integrity, requiring an external body, such as Forensic Control, to conduct a technical verification of the security of your devices.
Any device accessing your data, email or services (including services such as Microsoft 365 or Google Workspace), or remote desktop services (e.g., Citrix, VDI, RDP), is in scope and must comply with the Cyber Essentials standard. This includes devices owned by the organisation and devices owned by staff (BYOD). Devices which don’t directly connect to the internet are not in scope.
It largely depends on how quickly you can respond to our requests for information, and your lead time in making any required configuration changes. We aim to reply to your emails/calls on the same day. We’ve found that applicants take anywhere between 1 week and a couple of months to certify to Cyber Essentials.
Cyber Essentials seeks to protect an organisation’s data by securing the devices which access that data. The employment status of the people who use devices to access your data doesn’t matter, whether employed, contractors, interns or temps. If they access your data then their devices will be in scope and will need to be secured to the Cyber Essentials standard.
Cyber Essentials is a point-in-time certification – it assesses your organisation as it is on the day that you submit your responses. If staff are currently home-based then they will be considered as home workers.
Home routers are not in scope if all access to organisational data is routed through the company firewall via a VPN. If this is not the case, then home routers are in scope, though they will not be subject to checks; their compliance can be achieved with a home working policy.
Cyber Essentials and Cyber Essentials Plus certifications are valid for 12 months. Re-certifying annually ensures that organisations are still secure against emerging cyber threats.