What’s the difference between Cyber Essentials and Cyber Essentials PLUS?
17th March 2019
... Comments

We are often asked about the differences between the Cyber Essentials and Cyber Essentials PLUS standard, and what level they should choose.

There are some circumstances that will dictate the level you are required to have in tenders, especially with Government contracts, and the level there depends on the risk that they associate with the particular contract. But for everyone else, here’s a brief run down on the two levels of certification.

The Cyber Essentials Scheme

Cyber Essentials is a security standard that is designed to mitigate against the most common cyber attacks, and University of Lancaster research has shown that with Cyber Essentials controls in place 99% of the common attacks they tested against where either fully mitigated (69.2%) or partially mitigated (29.8%). There is a set list of requirements that your organisation is required to meet as published by the National Cyber Security Centre (Part of GCHQ).

The Cyber Essentials (basic) is a self-certification that is assessed by companies such as ours, to validate the answers. This means that you’re asked to supply answers to a questionnaire (with evidence) through our online portal, assessment at this level is simply a pass or fail and feedback given on areas of non compliance.

Cyber Essentials PLUS builds on the self certification questionnaire, as it is an independently audited test of the controls required by the ‘basic’ level, along with an internal and external vulnerability scan. This means that we, as a certification body will visit your offices and perform a test that is in line with the Cyber Essentials requirements. Every certification body will have the same test process, however – the costs may vary.

The vulnerability scan will identify unpatched, or unsupported software, open ports, incorrect firewall configurations – all elements that the basic level will require your own working knowledge of your IT systems to answer.

So what one should I choose?

That can really only be answered by your motivations for gaining the accreditation, are you doing it as we said at the start (as part of a tender requirement) or are you just looking to check your business has the basics in place?

To continue reading, please click here

About the Author

Michael F

Member since: 25th March 2014

Southern IT Networks provides technology advice, support and management for SME's, with specialisation in regulated industries, Office365 & Azure

Popular Categories