8 Frequently asked questions

8.1 Why should our organisation be Cyber Essentials certified?

A virus could result in your organisation losing company and client data, disrupting cash flow and taking up staff time. An attack could also put off customers, damage your reputation and even prevent you from trading. Loss of personal data could breach laws such as the GDPR or the Data Protection Act and lead to fines or prosecution.

Obtaining the certification will protect your organisation against common cyber threats, show your customers you take cyber security seriously and enable you to bid for government contracts.

8.2 Is Cyber Essentials certification mandatory?

Simply put, no, it isn’t. But since October 2014, it has been mandatory for suppliers of more sensitive contracts with the British Government to be certified. If your organisation is not certified, you may not be entitled to bid for those lucrative public sector contracts.

8.3 What does it cost?

There is now a graduated pricing scheme according to the size of the organisation, between £300 and £500 for the basic Cyber Essentials certification.

8.4 If we have multiple offices, can we certify just one?

Yes! The boundary of scope would then be limited to that one office. The Cyber Essentials certificate would state the office that is certified, rather than the entire company. Note, however, that this may preclude the use of the cyber insurance that comes with Cyber Essentials certification.

8.5 What else do I get for my money?

As well as peace of mind, you will get a numbered certificate, which lists your boundary of scope. You will also be given permission to display a Cyber Essentials logo on your stationery, website and email signature. It looks like this:

[Image: Cyber Essentials certification logo]

You also have the option for some free cyber insurance to cover your organisation against the costs of a breach or incident.

8.6 How will people know we’re certified?

IASME lists all certified organisations on its website. Enter an organisation’s name in the search box there to see whether or not it is certified to basic or Cyber Essentials Plus level.

8.7 Does Cyber Essentials Certification expire?

Organisations must re-certify every year to ensure their equipment and processes are secure. IASME removes organisations from its certified list if they have not been certified in the past 12 months.

8.8 We already have the ISO 27001 standard – do we still need Cyber Essentials?

ISO 27001 is an information security standard published by the International Organization for Standardization. There is increasing demand for organisations to have both, especially if they want to be eligible to bid for large tenders, such as those with the Government. For the five controls it covers, Cyber Essentials is more prescriptive than the ISO 27001 standard, so it may provide additional protection.

8.9 What is Cyber Essentials Plus?

As well as all the benefits of the basic scheme, Cyber Essentials Plus includes authenticated vulnerability scans of an organisation’s workstations and mobile devices. This increases the validity of the certification considerably by providing evidence of compliance against a number of scenarios, including the following:

• Can malicious files get through via internet traffic or email messages?

• Should such content infect a system, how effective is the antivirus and anti-malware software?

• Should the mechanisms fail, how likely is it that the organisation will be compromised due to a failure to patch workstations?