Toby Western of Falanx Cyber gives you the lowdown on the difference between Cyber Essentials and Cyber Essentials PLUS.
You’re feeling pleased with yourself; the Cyber Essentials questionnaire that you’ve completed on behalf of your organisation has proved successful. The independent assurance went well, too. Your company is well on the way to being listed as having Cyber Essentials certification, getting that badge, and being able to tender for those UK Government contracts.
However, you’ve noticed that most of your competitors hold Cyber Essentials PLUS certification. The nagging voice in your head is asking whether you should have applied for PLUS certification. Would it be worth it, and what would the benefits be?
The Differences Between Cyber Essentials and Cyber Essentials PLUS
Be it at Essentials or PLUS level, the Cyber Essentials scheme sets out five security controls to protect organisations against the most common cyber threats. These are defined as:
- Boundary Firewalls and Internet Gateways;
- Secure Configuration;
- Access Control;
- Malware Protection; and
- Patch Management.
So far, so good. However, the differences become apparent when you look at the requirements for each level (as shown in the table below):
The significant divergence between the two ‘levels’ is that Essentials is focused on the external perimeter only. Cyber Essentials entails the completion of a self-assessment questionnaire, verified by an external certification body, plus an external vulnerability scan. Cyber Essentials PLUS adds an internal assessment and internal scan, conducted on-site by a CREST-accredited certification body.
Cyber Essentials PLUS also requires roughly twice the number of assessments of your company’s security measures, including a review of the end-user workstation build and of mobile devices, none of which is covered at Essentials level.
Significant Benefits of Cyber Essentials PLUS Certification
So, what are the benefits of going Essentials PLUS, rather than just Essentials? In a nutshell:
- Essentials PLUS encompasses a far greater number of cyber assessments, giving you a better understanding of your organisation’s level of cyber risk;
- It clearly demonstrates your commitment to protecting your own data and that of your customers and suppliers;
- It will provide a boost to your reputation and give a greater chance of winning contracts;
- Whilst Cyber Essentials allows organisations to work with the UK Government, Cyber Essentials PLUS provides you with the opportunity to work with the MOD;
- Cyber insurance agencies often look more favourably on organisations that have achieved Cyber Essentials certification, particularly at PLUS level.
How Can my Organisation Become Cyber Essentials PLUS Certified?
Happily, you don’t have to hold Cyber Essentials certification to apply for Cyber Essentials PLUS. Nonetheless, you do need to keep in mind that Cyber Essentials PLUS certification is more expensive than the entry-level version. This is understandable, as PLUS is delivered by CREST-certified experts on a project basis, and the requirements are far more comprehensive.
However, costs need not be exorbitant if you use a CREST certifying body, such as Falanx, to work with you to define the scope of the assessment and to collect all the technical information required for submission. This pre-assessment enables Falanx to work with you to gather the required evidence and to identify any missing elements that need to be dealt with before the formal assessment.
Once all information is readied, the Cyber Essentials PLUS questionnaires would then be submitted with all necessary evidence for verification. Falanx would then run the final scans as part of the overall submission in order to verify the materials being submitted.
Finally, both Cyber Essentials and Cyber Essentials PLUS must be renewed annually.
Ready to get Cyber Essentials PLUS certified? Get in touch with Meghan at firstname.lastname@example.org.