Affordable and achievable cyber security certification
Cyber Essentials is a UK Government scheme developed by the National Cyber Security Centre (NCSC) to help organisations guard against common cyber threats and demonstrates their commitment to cyber security. It has been designed to be affordable, simple to implement, and to accommodate organisations of any size.
The certification process is managed by IASME who license certification bodies, such as Forensic Control, to carry out Cyber Essentials and Cyber Essentials Plus certifications.
Why certify with Forensic Control?
- We provide a complete service, hand-holding help at every step
- Competitive pricing. For what we provide, our price isn’t beaten
- Expertise and experience. We’ve been around since 2008, and have certified dozens of organisations from the smallest to some of the best known organisations in the UK.
- Our feedback. Don’t just take out word for it, see what our clients have to say about us
CYBER ESSENTIALS
£1,000
Includes £300 certification fee
A hand-holding service, including unlimited phone & email support
Guided questionnaire with examples of “model” answers
£25,000 of free cyber insurance cover, if required and if qualifying
Cyber security advice for 12 months; up to 30 minutes of phone/email support per month
*Price does not include VAT.
CYBER ESSENTIALS PLUS
£1,750
A hand-holding service, including unlimited phone & email support
Qualified external assessor auditing your security controls
Tests of a set of user devices, firewalls & servers
On-demand vulnerability testing on external IP addresses for 12 months
Cyber security advice for 12 months; up to 30 minutes phone/email support per month
*Price does not include VAT. Price may differ for organisations with a mix of operating system versions/builds.
BEST VALUE
CYBER ESSENTIALS & CYBER ESSENTIALS PLUS
£2,500
Includes £300 certification fee
Includes everything from both our Cyber Essentials and Cyber Essentials Plus plans at a £250 discount over purchasing them separately
*Price does not include VAT. Price may differ for organisations with a mix of operating system versions/builds.
WHAT OUR CLIENTS SAY
“Highly recommended Forensic Control. From the very start of our CE+ journey, Jonathan was providing tremendous service to us in order to ensure we had all the necessary information and advice specific to our company. They were consistently providing clear and helpful guidance in order for us to best succeed with our certification and as such had a great outcome! Big thanks to Jonathan and Forensic Control..”
Christopher Price, Tech. Operations Officer, Faculty AI
“We are a small company that relies on the security of our data. Forensic Control has been perfect at keeping us protected and up to date with all the latest trends. Very efficient when we have needed help. Thank you.”
Andy Bibby, CEO, 87%
“Forensic Control came in to support us at very short notice. From the get-go, the service was professional, slick, to-the-point and constructive. The net effect was that we successfully achieved our CE+ certification but did so as a meaningful basis for growth and cultural change – this is due, in no small part, to the technical leadership, guidance and objectivity that Forensic Control brought to this project. I would actively look to work with and engage Forensic Control on future projects.”
Christopher Crowther, CIO, Spectra Analytics
Cyber Essentials requirements – the five key areas
Cyber Essentials assesses how organisations protect themselves from cyber attacks by checking five key areas. It identifies whether the necessary controls are in place and how they are managed. Forensic Control offer simple, step-by-step guidance to help companies comply with each of these areas.
Please note, these controls apply to all internet-connected devices that access your data, including those not owned by your organisation (BYOD). If all devices that access your data meet these requirements it is likely that you would be a good position to certify to Cyber Essentials
Securing your perimeter
You will need to ensure that your office firewalls, and Wi-Fi routers for home workers, are secure. Other requirements include changing default passwords on network equipment (here’s some good advice you can show to your users) and ensuring that these devices are supported and their firmware updated.
Securing your devices
Requirements to securely configure devices include removing software and user accounts which are no longer in use, and ensuring passwords are strong. Contrary to common advice, it is no longer considered secure to require users to regularly change passwords.
Updating your devices
It is important that all apps and operating systems are supported by their manufacturers and are kept updated. This ensures that they are protected against known vulnerabilities. Use of an MDM (mobile device management) tool can help put you in control of patching on your network.
Controlling access to your data
Everyone needs a unique user account to access your organisation’s data. You must also ensure that users only have access to the data they need according to their role. Data access permissions must be managed when a user changes roles, while the use and provisioning of administrative accounts must be controlled.
Protection against malware
Protection against malware is required on all devices where it is available, including for Macs. The anti-malware software needs to check for updates at least once every 24 hours, and it must protect against malicious websites. Mobile devices must not be compromised by jail-breaking or rooting.
Cyber Essentials – frequently asked questions
What will Cyber Essentials do for us?
- It will protect you from the majority of non-targeted cyber attacks
- It shows current and potential clients that you take cyber security seriously
- You will be listed on the NCSC Cyber Essentials register
- It gives you a clear picture of your organisation’s cyber security level
- Government contracts require Cyber Essentials certification
What’s the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment demonstrating a company’s ability to protect itself against common cyber attacks. It provides guidance on how to securely configure your devices and the accounts used to access them.
Cyber Essentials Plus offers additional integrity, requiring an external body, such as Forensic Control, to conduct a technical verification of the security of your devices.
What devices are in scope for Cyber Essentials?
Any device accessing your data, email or services (including services such as Microsoft 365 or Google Workspace) or remote desktop services, (e.g., Citrix, VDI, RDP) is in scope and must comply with the Cyber Essentials standard. This includes devices owned by the organisation and devices owned by staff (BYOD). Devices which don’t directly connect to the internet are not in scope.
How long will it take for us to get certified to Cyber Essentials?
It largely depends on how quickly you can respond to our requests for information, and your lead time in making any required configuration changes. We aim to reply to your emails/calls on the same day. We’ve found that applicants take anywhere between 1 week and a couple of months to certify to Cyber Essentials.
Are contractors and temp staff in scope?
Cyber Essentials seeks to protect an organisation’s data by securing the devices which access that data. The employment status of the people who use devices to access your data doesn’t matter, whether employed, contractors, interns or temps. If they access your data then their devices will be in scope and will need to be secured to the Cyber Essentials standard.
We usually work from the office but are now working from home…
Cyber Essentials is a point in time certification – it assesses your organisation as it is on the day that you submit your responses. If staff are currently home based then they will be considered as home workers.
Are the routers of home workers in scope for Cyber Essentials?
Home routers are not in scope if all access to organisational data is routed through the company firewall via a VPN. If this is not the case, then home routers are in scope, though they will not be subject to checks; their compliance can be achieved with a home working policy
Will we need to renew Cyber Essentials?
Cyber Essentials and Cyber Essentials Plus certifications are valid for 12 months. By re-certifying annually, this ensure that organisations are still secure against emerging cyber threats.