Cyber Essentials – The Long Road to Certification

There is some confusion surrounding Cyber Essentials: what it is, why organisations need it, and, often, a misinterpretation that Certifying Bodies are responsible for the scheme's rules. Cyber Essentials is a relatively new certification. It has been mandated since October 2014 for suppliers bidding for certain UK government contracts, although it is not limited to them; non-government organisations are encouraged to obtain the certification as well.

This post focuses on the responsibilities of the bodies involved in the scheme rather than on the scheme itself. If you are interested in what Cyber Essentials is, you can read more in our previous post: https://www.cyberis.co.uk/blog/what-is-cyber-essentials.html.

It all starts with the National Cyber Security Centre (NCSC). NCSC is the Technical Authority for the scheme: it sets the technical specification for the certification that everyone must follow, and it tells the Accreditation Bodies what constitutes a certification pass or fail.

Accreditation Bodies stand between the Technical Authority and the Certifying Bodies. Accreditation Bodies are not allowed to perform Cyber Essentials testing themselves, but they must be assessed to Cyber Essentials Plus in order to offer the service. They act as a conduit between their Certifying Bodies and NCSC.

Certifying Bodies are the companies approved to carry out the certification process as laid out by NCSC and by the Accreditation Body they are aligned to. Just as Accreditation Bodies must be certified, Certifying Bodies must be assessed to the same standard that they deliver. Cyberis, for example, is itself Cyber Essentials Plus certified and is approved, as a Certifying Body, to deliver Cyber Essentials and Cyber Essentials Plus assessments under the CREST Accreditation Body. Certifying Bodies are the client-facing element of Cyber Essentials: they conduct the assessments and deliver the reports, certificates, branding material and branding guidelines to the organisations they certify.

  • Technical Authority (NCSC): maintains the technical aspects of the scheme, including what constitutes a pass, an action point or a fail.
  • Accreditation Bodies (CREST, IASME, QG Management Standards and APMG): act as a conduit between the Certifying Bodies and the Technical Authority.
  • Certifying Bodies: each Accreditation Body (CREST, IASME, QG Management Standards and APMG) publishes its own list of approved Certifying Bodies.

Each Accreditation Body has its own take on Cyber Essentials, so the methodology differs slightly depending on which Accreditation Body your chosen Certifying Body is aligned to. Each approach has its pros and cons, and your choice of Certifying Body will be determined by the level of assurance you want your Cyber Essentials certification to provide.

Cyberis is an accredited Certifying Body under the CREST Accreditation Body. We believe that the CREST approach offers the best assurance at both stages of Cyber Essentials. The other Accreditation Bodies follow the basic scheme laid out by NCSC, under which Cyber Essentials (stage 1) ONLY requires the organisation being assessed to complete a self-assessment questionnaire; if that is passed, the organisation is certified to Cyber Essentials (stage 1).

CREST mandates that Cyber Essentials (stage 1) includes an external vulnerability scan as well as the self-assessment questionnaire. This provides an additional level of assurance that the other Accreditation Bodies only offer once the assessed organisation proceeds to Cyber Essentials Plus.

Because of these differences in methodology and assurance level, the cost of a Cyber Essentials certification can vary from one Certifying Body to another.

If you are interested in having your organisation certified to Cyber Essentials or Cyber Essentials Plus, contact us and we would be more than happy to help!