Cyber Essentials vs. Cyber Essentials Plus
Cyber Essentials in a nutshell
Cyber Essentials is a government-backed initiative of cyber security standards. It was created to help protect organisations from cyber crime by setting out cyber protection standards and guidelines for organisations to follow and subsequently attain the Cyber Essentials Certification.
Essentially the standard has 5 core areas:
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
The scheme was launched in June 2014 and has 2 standards: Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials vs. Cyber Essentials Plus: what’s the difference?
In essence, the core differences are:
- Cyber Essentials – you complete a self-assessment questionnaire and present evidence reviewed by an external certifying body.
- Cyber Essentials Plus – you are assessed via a penetration test and onsite testing from a member of the governing body. This vulnerability test will look for unsupported software on your network, open firewall ports, unpatched computers, weaknesses on your website, etc.
Both certifications require a questionnaire to be completed. It covers your security controls and the secure configuration of your computing resources.
For Cyber Essentials, CREST certified bodies also provide a remote technical assessment for additional validation and assurance for you; this is why Jupiter IT recommend a CREST governing body when looking to attain the certification. They simply carry more weight, and you are not just presented with a piece of paper but have better security as a by-product.
Cyber Essentials Plus does come at an additional cost – but shows you are serious about the security of your systems and the data you hold on your clients and suppliers. You cannot fake Cyber Essentials Plus. If you have it, your systems have been put through their paces.
So what’s right for us, plus or standard?
That depends. If you simply need Cyber Essentials in order to tender or trade with organisations that require the standard, then Cyber Essentials will probably suffice. If you are an organisation that holds sensitive data or financial data, then Cyber Essentials Plus is worth the investment, as it shows your organisation is serious about protecting the data it holds.
Either way, having the certification shows potential new clients that you are serious about cyber security and are diligent about the data you hold.
Cyber Essentials is fast becoming a recognised brand, even to non-IT-savvy board-level directors. It breeds confidence in your brand and can swing tenders in your favour.
Be aware: if all you need is Cyber Essentials (not Plus), ensure that whoever helps you attain the standard isn’t just ticking boxes and is actually also improving your cyber security and following the guidelines. As a non-CREST assessment is self-certifying, you could run the risk of having the certification while being by no means cyber safe. If control measures aren’t being introduced into your business and your IT provider has put Cyber Essentials in place, questions should be asked. Ask if the certification is via a CREST registered body.
Jupiter IT are Cyber Essentials Plus Certified and help other organisations attain the standard.
We are here to help. firstname.lastname@example.org 01482 974444