SaRB for SMO's blog pages contain between 3000-4500 words, as a non-subscribers you only have access to 800-1000 words.

(Reading time: 11 - 22 minutes)
You have already read 0%

Cyber Essentials Certification - Introduction


Cyber Essentials 1

Previously, in many episodes, we’ve mentioned Cyber Essentials Certification as a way to demonstrate a level of cyber security controls. But what is it and how does an SMO get it, can they get it working on their own or do they need an expert? This is the first of our seven-part series on How to Certify in Cyber Essentials Basics, without paying someone else to do the work for you.

This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and the CISO for Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.


This is the first in a series of seven episodes focused entirely on Cyber Essentials (CE) and of a Virtually Informed campaign to help SMOs get more secure. We would like to see as many SMOs as possible to take up the challenge and be more secure and be security conscious than ever before.

Before we look at some of the specific areas of controls that the Cyber Essentials Scheme concentrates on – which we’ll do in future episodes, in this episode we look at some of the high-level pointers and preliminaries that will help any organisation get started in the right way. But let’s start with understanding the background and provide some context as to why the Certification came about.

This episode is based on our years of past experience of having previously helped other organisations like banks, insurance companies, start-ups and other SMOs as a Certifying Body, and achieving it for the organisations we have worked for.

Introduction to Cyber Essentials

There’s a lot of information out there on CE, let’s just clear up some of the basics here that we need to cover relevant to understanding the Scoping aspect we look at later.

  • Cyber Essentials is a UK Government Certification Scheme, which originates from the Government’s commitment to both cyber security in its supply chain and working with smaller organisations. The requirement was for a scheme that would ensure that small organisations are protected from the most common attacks and where they would be able to implement a set of controls without too much effort.
  • The Scheme is owned by the National Cyber Security Centre (NCSC) which is the UK Government’s technical authority and is contracted out to the IASME as the Accreditation Body, which oversees the certifications through a network of Certifying Bodies.
  • The CE certification is an organisation certification rather than a product or technical certification, which is primarily aimed at small organisations; though it's good for any organisation regardless of size.
  • There are two levels of it:
  • Cyber Essentials Basic – which is the entry level, self-evaluation certification and intended for organisations to be able to complete the Certification on their own, without the need or use of an external consultant. But because many of the Certifying Bodies are actually consultancies, there is a tendency to assume that it is not possible to complete it without a consultant; which is completely wrong, and that is what we are attempting to help with today. Any organisation that wants to undertake the plus, but complete the CE Basic first. The five areas of controls that self-evaluated here are: Secure Internet Connections (Firewalls and routers); Secure devices and software (Secure configuration); Controlled access to data and services (Access control); Protection from malware (Malware protection), and; Keeping devices and software updated (Software updates). We’ll explore each of these control areas in more detail in the next few episodes.
  • Cyber Essential Plus – this is achieved through a technical review and testing the areas of controls that are assumed in CE Basic by a Certifying Body. This will include a proportion of end verification of a certain number of end point devices, the internal network and the outward facing network. The CE Plus is outside the topic we are going to cover, especially since we cannot demonstrate how SMOs can undertake to complete the project without a Certifying Body.
  • The UK Government has made CE Basic a minimum mandatory Certification for all outsourced suppliers – which means that if an organisation has ISO 27001, they don’t need to undertake CE Basic or Plus.
  • The cost of the CE Basic Certification is £300+ VAT, where a consultant is not employed. However, for small organisations, it is worth bearing in mind that within the price there is a small element of cyber insurance cover during the period that the organisation is certified Both CE Basic and Plus last for one year from the date of Certification and renewal will be required.

The sources to go for further information are: NCSC and IASME, as they are able to provide impartial information on the Scheme.

What’s most Confusing about Cyber Essentials Basic

There are a few points that are worth clarifying, where we have seen confusion, sometime accidently and other times intentionally.

  • There are many types of certifications in cyber security, which include:
    • Organisational certifications – of which CE (both Basic and Plus) and ISO 27000 series are examples. The purpose of the organisational certifications are to be able to provide assurance that the organisation has implemented the required set of controls.
    • Technology certifications – examples of these include those for encryption and Wi-Fi. They provide vendors with the specification that must be met on the one hand and the assurance for customers that the requirements are being met.
    • Product certifications – examples of these include certifications for the security of IoT products (IASME and UL both have certifications for IoT products).
  • Cyber Essentials is an organisational certification, not a product certification. There are some product vendor businesses out there who achieved the Certification and their marketing teams have called it the highest level of product certification. This is wrong. Remember, this is an organisational certification, and it enables an organisation to show that they have got the right processes at the very basic level to be secure.
  • CE Basic is a self-assessment Certification – it can be completed without the use of a paid consultant or a Certifying Body. Only the CE Plus requires the use of a Certifying Body.
  • If the purpose is to be able to undertake work with the UK Government, most services will only require CE Basic, where CE Plus is required, it will be stated. Where there is a requirement for any technology or product certifications, they too will be stated.
  • Other certifications that may be offered include the IASME Governance Certification, the UK Police Digitally Aware Certification. The value that either of these, and the many other certifications is outside what we cover here. There may be value in these depending on what the organisation is trying to achieve from gaining the Certification.
  • Finally, the CE Certifications must be renewed yearly. For those organisations which require certifications, they want to know that what was done to achieve the certification was just a one of exercise, but that the work has continued since then.

We hope that within these seven Blogs we can encourage as many SMOs as possible to complete the whole CE Basic Certification themselves, just as it was intended when it came out.

This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.

Follow-on Information

Follow-on activities for you:

  • Share the content you found useful on social media, using the above links
  • Review our FAQ's.
  • Let us know what you would like to see included in future FAQ's
  • Participate in our polls and see what other businesses like yours think.
  • Review our "'Let Us Show You How" articles.
  • Subscribe to our newsletter(s).
  • Join us on a Webinar.

About the Authors

Sarb Sembhi

Sarb Sembhi, Virtually InformedSarb is the Chief Technology Officer and Chief Information Security Officer for Virtually Informed. 

He writes and speaks about:

  • Strategic issues in Smart Environments and related technologies;
  • Digital Safety Skills for anyone not working in Cyber Security, and; 
  • Business / security challenges for small businesses and start-ups.
Nick Ioannou

Nick is Director of Boolean Logic Limited, a blogger, an author and public speaker.

Nick has authored:

  • 'Internet Security Fundamentals',
  • 'A Practical Guide to Cyber Security for Small Businesses' and
  • 'A Practical Guide to GDPR for Small Businesses',
  • as well as contributing to three 'Managing Cybersecurity Risk' books and 'Conquer The Web'.