Why choose Bulletproof as your Cyber Essentials Assessor?
Cost-effective Certification
Great value certification with tailored packages to suit every budget.
Experienced Certified Assessors
Get support from our certified Cyber Essentials assessors.
Security Tools Included
Protect your business with included cyber protection tools.
Helps Grow Your Business
Certification inspires customer trust & helps win new business.
What is Cyber Essentials?
Cyber Essentials is a Government-backed certification scheme, designed to set a strong security baseline and help businesses operate securely online. As a certification standard, Cyber Essentials and Cyber Essentials Plus demonstrate your business’ commitment to cyber security, enhancing your reputation with customers, stakeholders and supply chain partners. Cyber Essentials certification also includes free cyber insurance available to UK companies, if the certification covers the entire organisation (additional conditions apply).
Cyber Essentials is also required for many Government and public-sector contracts, making it a key driver of new sales and business growth. Cyber Essentials Plus is an extended version of Cyber Essentials, with additional security controls, that unlocks more public-sector opportunities.
Here’s what our customers say about us
What’s the difference between Cyber Essentials and Cyber Essentials Plus?
Both Cyber Essentials and Cyber Essentials Plus demonstrate that your organisation is taking cyber security seriously and has the five technical controls in place: access controls, firewalls and routers, malware protection, secure configuration, and software updates.
Cyber Essentials is an independently verified self-assessment questionnaire and the goal is to get all questions correct/compliant to obtain a pass.
Cyber Essentials Plus is the next step after Cyber Essentials. It can be thought of as an independent verification of everything that was claimed in Cyber Essentials. This extra level of scrutiny means your Cyber Essentials Plus badge will hold more weight with potential customers.
Whilst Cyber Essentials Plus is the more expensive of the two, it is held in higher regard and much of the work is done by the Certification Body. If you feel a bit overwhelmed and don’t know where to start, don’t worry – we have a range of packages to help you through the process.
What’s involved in Cyber Essentials certification?
With over 80% of UK businesses vulnerable to avoidable security threats, the Cyber Essentials framework has been designed as a strong security baseline for every business in every industry. Mapping against five simple technical controls means it’s easy to achieve Cyber Essentials certification. These include:
- Access control
- Firewalls and routers
- Malware protection
- Secure configuration
- Software updates
Cyber Essentials Questions
Download the latest 2023 Cyber Essentials question set, called ‘Montpellier’. In April 2023 it replaced the previous ‘Evendine’ question set.
How to get Cyber Essentials certification
Whether you’re starting from scratch with your business security, or you’re looking to renew your Cyber Essentials certification, Bulletproof has you covered. The easiest route to Cyber Essentials certification is with consultant-led compliance support. With remote or on-site assistance, tailored policy documents and free retests, it’s never been easier to get Cyber Essentials certification.
Get a fast cyber essentials quote.
One of our expert cyber essentials consultants will get back to you as soon as possible.
Frequently asked questions
- Enhanced security – helps protect your organisation from the most common internet based cyber attacks such as phishing, malware, ransomware, password guessing and network attacks.
- Simple and cost effective – a simple process with a Cyber Essentials certification fee starting from £200.
- Gain and retain business – an increasing number of public, private and third sector contracts are mandating or actively encouraging Cyber Essentials from their suppliers.
- Aligns with GDPR – recognised by the Information Commissioner’s Office as a scheme that can provide security assurances that help protect personal data.
- Flexible scheme – regardless of sector or size, the scheme reviews basic, yet effective, technical controls an organisation has in place. The scheme also recognises that not all organisations have a dedicated IT department, or an in-depth knowledge of cyber security.
You can request support by emailing the request to ce@bulletproof.co.uk at any time after you have been set up. An assessor will be assigned and reach out to arrange a Teams meeting to go over the assessment with you. You are also welcome to reach out to your assessor if you have any further questions throughout the process.
Cyber Essentials focuses on fundamental IT controls, whereas ISO 27001 takes a more holistic approach, incorporating policies and procedures. As ISO 27001 is much more involved, you’ll find it easier to obtain Cyber Essentials/Cyber Essentials Plus certification if you’re already ISO 27001 compliant.
We recommend achieving Cyber Essentials certification in addition to ISO 27001 as it demonstrates your commitment to good security practices, and some business/customers may only look for your Cyber Essentials certification, or not understand the difference between Cyber Essentials and ISO 27001.
ISO 27001 | Cyber Essentials | |
---|---|---|
What is it | An international standard that sets out the requirements of an Information Security Management System to manage information security risk in a systematic way. The standard isn’t mandatory however many contracts/tenders do stipulate it as a requirement. | An NCSC backed UK assurance scheme addressing five technical security controls to help businesses address the most common cyber security vulnerabilities. Cyber Essentials is mandatory for government contracts. |
Risk | ISO 27001 adopts a risk-based approach where organisations set their risk acceptance criteria and risk methodology. This determines how risks are addressed. | Cyber Essentials aims to address the most common vulnerabilities found in organisations. It is not a risk-based approach. |
Recognition | ISO 27001 is an international standard recognised around the world. | Cyber Essentials is a UK based scheme and is not well known worldwide. |
Time to implement | Months | Days – weeks |
Certification process | Certification is provided by a Certification Body. This involves a Stage 1 and Stage 2 audit, and annual surveillance audits. Certification lasts for 3 years, as long as the organisation passes the audits. | Complete a self-assessment questionnaire (or undergo vulnerability scans and a workstation assessment if taking Cyber Essentials Plus) and be assessed by a IASME Cyber Essentials Assessor. Certification must be repeated annually. |
Costs | Med/High | Low |
Scope | Scope is defined by the organisation but the standard encompasses the business and is not just focused on IT. | Focuses on 5 key areas (shown below) and is more IT focused.
|
Applicability | Aimed at all businesses. | Aimed at all businesses, but particularly targets smaller businesses that may have not previously considered cybersecurity. |
No, in the absence of a physical office space you list just one home network, ideally directors’ network e.g., ‘Director’s network in London’. You will then need to add a small back up statement such as ‘all staff are currently working from home based in the UK’.
Further questions around networks and managing networks will relate to the main network and all homeworkers.
Yes, all questions presented in Cyber Essentials are applicable whether you are a single person company or a company of 200+ employees. When answering those questions, you should take into consideration the “what if?” scenarios.
Yes, you must ensure that you use separate administrator accounts from the standard user account, such as when installing software. Using administrator accounts all-day-long exposes the device to compromise by malware.
No, all operating systems in scope of your Cyber Essentials must be up to date and in support. Failing to do so will not be compliant.
No, you must still provide processes and descriptions where asked. When a third party manages your IT, you should confirm with them all processes to ensure that they are meeting the standards required for Cyber Essentials.
Yes, all devices that access company data and/or the company network would be considered in scope of Cyber Essentials. This includes mobile devices. You should ensure that contractors meet your security standards, the standards that will allow you to pass your Cyber Essentials assessment.
Yes, we can. You will want to ensure you have remote support so we can discuss this in a call. There is also guidance in the IT infrastructure document. For the avoidance of doubt, the scope should include any internet facing devices, including mobiles and anything considered as part of a BYOD.
Once you have your logins you will be able to access the IASME portal and be able enter your answers.
Once you have completed your answers, please submit the assessment. We will then assign an assessor and you will be scheduled for marking. Once marked you will get your results from the IASME portal, you will either pass, fail, or get asked for more information.
If you fail or get asked for more information you will have a chance to review your answers and update them using the guidance notes the assessor leaves for you.
You can then resubmit and once again you will be scheduled for marking with hopefully a pass being the result. You may get asked for more information again which will require you to readdress it, if you fail twice though that would mean you would have to repurchase Cyber Essentials to be able to retry.
We aim to mark an assessment within 48 hours of it being submitted, not including weekends or bank holidays. This can vary depending on how many assessments we have at one time.
You will still be under the same guidelines as above, if you require your certification by a specific date, you must take this into consideration. Start your assessment in good time to allow enough time to, complete, submit, be marked, remediate, resubmit, and pass!
No, you just need to list the equipment of your provided office network. You must then confirm under network equipment if your home workers connect to the network using a VPN. Any commercial VPN (e.g. NordVPN) is not acceptable. The solution must be an enterprise/corporate product that secures all connections between EUDs and the Internet. If you do not have a VPN, you must confirm that your workers have their software and/or hardware firewalls enabled.
Yes, all questions presented in Cyber Essentials are applicable whether you are a single person company or a company of 200+ employees. When answering those questions, you should take into consideration the “what if?” scenarios.
Yes, the standard protection provided by Apple devices does not meet the standards of Cyber Essentials and additional software should be installed to provide adequate protection.
No, to meet compliance you must ensure that all critical updates are applied within 14 days of release. If this is not possible you would not be compliant with Cyber Essentials.
Yes, all devices that access company data and/or the company network would be considered in scope of Cyber Essentials. This includes mobile devices. You should track these devices to ensure your staff are using supported models and operating systems are up to date.
The certificate will be part of a public register. You can display the Cyber Essentials and Cyber Essentials Plus badge on your website and/or in your email signatures.