2 minute read

8 Frequently asked questions

8.1 Why should our organisation be Cyber Essentials certified?

A virus could result in your organisation losing company and client data, disrupting cashflow and taking up staff time. An attack could also put off customers, damage your reputation and even prevent you from trading. Loss of personal data could breach laws such as the GDPR or the Data Protection Act and lead to fines or prosecution.

Obtaining the certification will protect your organisation against common cyber threats, show your customers you take cyber security seriously and enable you to bid for government contracts.

8.2 Is Cyber Essentials certification mandatory?

Simply put, no it isn’t. But since October 2014, it has been mandatory for suppliers of more sensitive contracts with the British Government to be certified. If your organisation is not certified, you may not be entitled to bid for those lucrative public sector contracts.

8.3 What does it cost?

Different certification bodies charge different amounts, but you should expect to pay between £300 and £600 for the basic Cyber Essentials certification.

8.4 If we have multiple offices, can we certify just one?

Yes! The boundary of scope would then be limited to that one office. The Cyber Essentials certificate would state that the office that is certified, rather than the entire company.

8.5 What else do I get for my money?

As well as peace of mind, you will get a numbered certificate, which lists your boundary of scope. You will also be given permission to display a Cyber Essentials logo on your stationery, website and email signature. It looks like this:

8.6 How will people know we’re certified?

The National Cyber Security Centre (NCSC) lists all certified organisations on its website. Click here and then enter an organisation’s name in the search box to see whether or not it is certified to basic or Cyber Essentials Plus level.

8.7 Does Cyber Essentials Certification expire?

Organisations must re-certify every year to ensure their equipment and processes are secure. The NCSC removes organisations from its certified list if they have not been certified in the past 12 months.

8.8 We already have the ISO27001 standard – do we still need Cyber

Essentials?

ISO 27001 is an information security standard published by the International Organization for Standardization. There is increasing demand for organisations to have both, especially if they want to be eligible to bid for large tenders, such as those with the Government.

8.9 What is Cyber Essentials Plus?

As well as all the benefits of the basic scheme, Cyber Essentials Plus includes authenticated vulnerability scans of an organisation's workstations and mobile devices. This increases the validity of the certification considerably by providing evidence of compliance against the following scenarios:

• Can malicious files get through via internet traffic or email messages? • Should such content infect a system, how effective is the antivirus and anti-malware software? • Should the mechanisms fail, how likely is it that the organisation will be compromised due to a failure to patch workstations?

This article is from: