
Cyber Essentials Certification Support
Choose the right certification path for your organisation
Trusted by the world’s top organisations




Why choose GRC Solutions?
GRC Solutions, formerly IT Governance Ltd, is one of the founding Cyber Essentials certification bodies and remains one of the largest in the UK, issuing more than 12,000 certificates to date.
Real stories. Real results.
“Very easy process to follow and helpful staff on hand to help with any queries. Highly recommended.”
Cyber Essentials FAQ
Cyber Essentials contains five basic technical controls that help organisations prevent the most common cyber security threats, such as phishing and malware.
By certifying to Cyber Essentials, your organisation will reduce its cyber risks and enhance your reputation, with the certificate acting as proof to stakeholders that you take security seriously.
Cyber Essentials is the standard benchmark in the UK for demonstrating strong cyber security practices. Certification is mandatory when bidding for certain government contracts, but it can also give you a competitive advantage in the private sector as you prove your commitment to cyber security.
These frameworks serve different but complementary purposes. ISO 27001 is a comprehensive management standard covering people, processes and technology. By contrast, Cyber Essentials provides a focused, technical validation of your security controls. It therefore isn’t necessarily a choice between ISO 27001 and Cyber Essentials, with many organisations certifying to both.
The choice depends on your specific business requirements. Although both certifications cover the same five technical controls, they differ in how they are verified. Cyber Essentials is self-assessed, whereas Cyber Essentials Plus involves a hands-on technical audit by a third party to prove the controls work in practice.
Cyber Essentials Plus therefore provides a higher level of assurance, which can be useful for organisations whose supply chains involve more sensitive data.
Organisations are required to pay for Cyber Essentials certification, whether they self-certify or seek third-party support.
If you certify via GRC Solutions, the certification costs begin at £420 + VAT, and increase depending on the size and complexity of your organisation and the level of support you are seeking.
Before beginning the certification process, you can view the Cyber Essentials self-assessment questions online for free. This can help you understand how the scheme works and prepare for certification.
Cyber Essentials is recommended for UK organisations of all sizes and across all sectors, including sole traders, public institutes and charities.
This is because the scheme provides the baseline level of security recommended by the UK government, and its controls can prevent the majority of common cyber attacks.
If your IT infrastructure already aligns with the Cyber Essentials requirements, the self-assessment questionnaire can often be completed in a few hours, and most assessors return a result within a few days. For Cyber Essentials Plus, you should allow additional time for the technical audit and any necessary remediation.
To begin the Cyber Essentials Plus process, you must have achieved the standard Cyber Essentials certification within the past three months. From there, you can schedule a technical audit, which typically takes one to two days to conduct.
Depending on the results of the audit, you might need to address identified vulnerabilities to bring your controls fully into line with the framework. This could take anywhere from a few days to several weeks, depending on the size of your organisation and its available resources.
Cyber Essentials certification is valid for 12 months. To maintain compliance, organisations must complete a new assessment and recertify annually. This ensures that certified organisations regularly check that their technical controls continue to work as intended and account for any new risks that emerge.
Cyber Essentials is mandatory for organisations that intend to bid on certain government contracts – particularly those involving sensitive personal data.
Some private sector organisations also make Cyber Essentials certification a contractual requirement for their suppliers.
Cyber Essentials is not a legal requirement, but it is a government-backed scheme that outlines the minimum expected level of cyber security.
Organisations are only eligible to win certain government contracts if they are certified to the scheme, while some private-sector organisations require suppliers to certify to Cyber Essentials.
Although there is no UK law mandating Cyber Essentials, many public and private sector tenders now list Cyber Essentials as mandatory for suppliers. In these circumstances, certification is a contractual requirement.
Cyber Essentials. Let’s get to work.
IT Governance, a GRC Solutions company, is one of the founding Cyber Essentials certification bodies and remains one of the largest in the UK.
If you’re looking for guidance, practical advice or consultation, we can help.
✅ Fast, practical certification support
✅ Reduce cyber risk with essential controls
✅ Build trust and win more business