Cyber Essentials Plus: The Gold Standard for UK Cyber Security [according to the Government at least]
Andrew Cardwell
Security Leader | CISSP | CISM | CRISC | CCSP | GRC | Cyber | InfoSec | ISO27001 | TISAX | SOC2
Cyber threats are growing more sophisticated daily, making robust cyber security measures essential for organisations of all sizes.
I wrote an article about ISO27001 and how it can protect organisations from threats. Several people gave their opinion on Cyber Essentials Plus, which, to be honest, I’ve never held in high regard as a security standard.
It’s been a few years since I first looked at it, so I agreed to review it again to see if my opinion had changed. Whilst I did, I thought I’d write a brief guide and try to cover everything you may need to know about the Cyber Essentials / Cyber Essentials Plus scheme, including:
Hopefully, you’ll understand how Cyber Essentials Plus helps protect your organisation against cyber-attacks and whether it’s the right fit for your security strategy.
Cyber Essentials and Cyber Essentials Plus have emerged as the “definitive” UK government-backed cyber security certification schemes to help organisations guard against a wide range of common threats.
What is Cyber Essentials?
Cyber Essentials is a simple but effective government-backed scheme and certification process created by the UK’s National Cyber Security Centre (NCSC), a part of GCHQ. It clarifies the basic controls all organisations should have to guard against the most common cyber threats.
The controls cover five key areas:
There are two levels of certification:
Achieving Cyber Essentials or Cyber Essentials Plus is supposed to assure customers, investors, insurers, and stakeholders that your organisation takes cyber security seriously and has implemented baseline controls to prevent the most common internet-based threats.
Cyber Essentials Plus Requirements
Obtaining Cyber Essentials Plus certification involves meeting requirements across all five control themes, which comprise:
Firewall Devices:
Secure System Configuration:
Managing User Privileges:
Malware Protection:
Patch Management:
The critical addition with Cyber Essentials Plus is an external vulnerability scan by an independent Certification Body. This:
Achieving Cyber Essentials Plus Certification
Working towards Cyber Essentials Plus involves the following key stages:
Preliminary activities:
Internal preparation stage activities:
Contact an independent Certifying Body from the government-approved list to:
Certification must be renewed annually via repeat testing to ensure controls remain robust, especially as the threat landscape evolves.
Benefits of Cyber Essentials Plus Certification
Gaining Cyber Essentials Plus certification provides a wealth of benefits, including:
Achieving Cyber Essentials Plus is an investment in robust defences that delivers excellent ROI regarding risk reduction. It puts your organisation on the cyber security map as an industry leader.
Cost of Cyber Essentials Plus Implementation
Cyber Essentials Plus combines internal systems changes and external oversight, requiring reasonable investment to implement. Costs are proportionate to the size of your organisation and the complexity of your digital infrastructure. Smaller businesses can expect to invest around £1,000-£2,000, while larger enterprises with extensive, complex networks are likely to invest upwards of £10,000-£20,000. This is very reasonable compared to ISO27001, SOC2 Type II, etc., which can cost many times more but are much more than baseline controls.
Major cost components include:
Ongoing costs will be reduced after the first year as your security foundations will be in place. Some vendors also offer combined solutions to address multiple Cyber Essentials areas, which can enhance efficiency.
Ultimately, investment compares very favourably against a damaging cyber breach’s financial and reputational consequences, which can quickly run into millions. Certification also boosts your security posture over the long term, saving effort downstream. When weighing cost vs risk, Cyber Essentials Plus delivers tremendous value.
How Does It Compare to Other Standards?
Cyber Essentials Plus is an entry-level certification that an organisation can build upon further as it matures. The problem is that many organisations don’t develop further because they think they’re fully covered, when my research highlights that these are base controls and should be treated as the bare minimum to address the primary security threats. If anything, it should be considered the first step of the security journey.
Several other complementary standards are worth considering for managing cyber risk.
ISO 27001: ISO 27001 provides an overarching information security management system (ISMS) structure. It enables organisations to define comprehensive suites of information security policies, procedures, and controls tailored to managing risks to any organisational data. Certified organisations must continually monitor and improve their ISMS to embed security practices. In contrast, Cyber Essentials Plus verifies baseline technical measures at a point in time. The two approaches work exceptionally well together - ISO 27001 provides ongoing risk management, while the Cyber Essentials Plus controls offer pre-defined starting points to incorporate within a broader ISMS. Together, they combine assurance of baseline controls with continuous organisational security improvements to counter a changing threat landscape.
NIST Cybersecurity Framework (CSF): While Cyber Essentials Plus provides a clear baseline of technical controls for organisations to implement, the NIST Cybersecurity Framework focuses more on cyber risk management processes. The CSF offers a comprehensive structure to assess your current risk posture across identity, data, devices, infrastructure, and applications. It then guides you through reducing threats proactively to reach your target risk profile through ongoing monitoring and improvement. The two approaches complement each other well - Cyber Essentials Plus ensures foundational protections are in place, while NIST CSF enables you to build a mature risk management system tailored to your situation. Using both together provides both assurance and adaptability.
CIS Critical Security Controls: CIS Critical Security Controls provide a more extensive set of safeguards to implement based on cyber threat intelligence. The CIS Controls encompass 20 specific areas, from inventorying hardware to penetration testing and data recovery capabilities. A key benefit is the ability to prioritise which controls offer the most significant risk reduction within your infrastructure. Together, they offer both validation and prioritisation for maximising defences against threats.
Final thoughts
Cyber Essentials Plus neatly complements such advanced frameworks, effectively plugging security gaps while you work towards broader certifications. Gaining Cyber Essentials Plus protection provides a solid platform for introducing more advanced assurance over time.
I recommend Cyber Essentials Plus certification for any UK-focused organisation wanting to demonstrate that a credible first step in cyber security basics has taken place. The government backing and independent assessment process are useful accolades that reassure customers and stakeholders that your defences are up to scratch against most attack vectors.
For a modest investment, you can implement some fundamental best practices, achieve ongoing monitoring of vulnerabilities, and benefit from an external audit of your cyber hygiene every year.
Cyber Essentials Plus delivers high ROI compared to the rising costs of data breaches, reputational damage, and disrupted operations from cyber incidents. The controls it mandates will thwart opportunistic hackers, most malware, and automated attacks prevalent online.
As threats increase, certification also creates a foundation to introduce more advanced protections over time, avoiding complexity overwhelm. Consider viewing it as the first rung on your cyber security ladder.
While no single certification offers total protection, Cyber Essentials Plus gives you and your customers confidence that your organisation is on the right path and has taken steps that show it takes cyber security seriously.
Director, Head of Risk Assurance @ PwC Channel Islands | MBA, Risk Management, Digital Transformation, Cyber
8 months. With an emphasis on "first step". The cred equivalent of having "Cyber for Dummies" on your bookshelf as a CISO.
Fleet loving founder. Let’s not meet by accident.
9 months. This was exactly what I needed to read today. A brilliant breakdown of what I need to do, the steps I need to implement, cost factors and its benefits. Thank you Andrew, you've saved me a chunk of time today!
Appreciate the nudge to revisit Cyber Essentials Plus, Andrew! Looking forward to your insights on how it aligns with ISO27001. Always great to expand our perspectives on security standards.
27001 makes me laugh ... someone tell me where you can easily identify which companies are 27001 certified and what their "scopes" are. It's literally a joke and needs addressing. CE and CE Plus especially are a VERY good start for all organizations, especially those smaller companies with limited resources wanting some evidence of intent and endeavour.
I will be curious to understand what they'll do with it given they plan to reciprocate on CMMC.