January 3, 2024

Last Updated on January 17, 2024

Originally created by the UK government and later rebranded by the US Cybersecurity and Infrastructure Security Agency (CISA), Cyber Essentials is a foundational cybersecurity framework for SMBs and other businesses across verticals. It establishes “the starting point to cyber readiness,” designed to protect organizations from about 80% of the most prevalent cyberattacks, including phishing, ransomware, and other malware.

Cyber Essentials requires organizations to complete a self-assessment questionnaire that demonstrates they have put the basic cybersecurity controls in place. Cyber Essentials Plus gives businesses the option to provide a third-party attestation that they have met the Cyber Essentials requirements.

This article explains how Cyber Essentials Plus and Cyber Essentials work so you can decide if either choice could help your business.


What is Cyber Essentials Plus?

Both Cyber Essentials and Cyber Essentials Plus describe the same five best-practice cybersecurity controls. When implemented correctly, these five controls provide foundational security capable of blocking or reducing the impact of about 80% of today’s common cyberattacks. The program has been highly successful in the UK and is now available in the US through CISA.

The only difference between Cyber Essentials and Cyber Essentials Plus is the certification/attestation method. While Cyber Essentials relies on a self-assessment questionnaire, Cyber Essentials Plus requires a third-party audit.

This gives Cyber Essentials Plus a higher level of assurance and peace of mind for clients, regulators, business partners, management, investors, and other stakeholders.


Which Cyber Essentials certification level is right for my business?

To obtain a Cyber Essentials certification, a business that has the required controls in place just needs to complete a self-assessment questionnaire. This choice is best for companies that need a basic security certification to show stakeholders that they have the most essential cybersecurity capabilities in place.

For organizations that want a stronger level of security attestation, Cyber Essentials Plus requires an audit from an accredited third party to confirm that essential cybersecurity controls are in place and operating effectively.

Cyber Essentials Plus may be a good choice for organizations:

  • In regulated or critical infrastructure industries
  • That need to address special risks like a remote workforce or third-party access to critical IT systems
  • Whose customers are asking for stronger security attestation


What are the five Cyber Essentials controls?

The five basic security controls that Cyber Essentials and Cyber Essentials Plus require are:

  • A firewall to secure your internet connection
  • Access controls to prevent unauthorized access, privilege escalations, etc.
  • Malware protection for endpoints
  • Defining and implementing secure configurations for software and devices
  • Timely patch management to eliminate vulnerabilities

These essential controls allow organizations to develop a proactive risk management approach by ensuring they know:

  • What devices are connected to your network
  • What applications are running in your environment
  • Who has access to those applications
  • What cybersecurity controls are operating

By applying and maintaining these controls, organizations can safeguard sensitive data from many common cyberattacks, including phishing, ransomware, and other malware.


What are the key elements of a Cyber Essentials Plus external audit?

When your organization undergoes a Cyber Essentials Plus external audit, you can expect the following:

  • An auditor will select a representative sample of systems in your organization and audit them to ensure that devices are configured according to your policy.
  • The auditing organization will perform a vulnerability scan on the sample computers to confirm that patching is up to date and basic configurations are at an acceptable level.
  • The auditing organization will conduct an external port scan of your internet-facing IP addresses to search for obvious misconfigurations or other known vulnerabilities.
  • The auditing organization will conduct a test on your default email/web browser to confirm they are properly configured to block the execution of malicious files.
  • An auditor will take screenshots as evidence that your environment is Cyber Essentials compliant.


How can a Cyber Essentials Plus audit help my business?

Cyber Essentials and Cyber Essentials Plus are quickly becoming a de facto US standard for essential best-practice cybersecurity, just as they have in the UK. A certification may increasingly be required for, or helpful in winning, many public sector contracts. Many private sector organizations are also requiring their suppliers to comply with Cyber Essentials or Cyber Essentials Plus.

Reasons to consider attaining a Cyber Essentials Plus certification include:

  • Stronger cybersecurity with the ability to prevent common attacks.
  • Improved supply chain security.
  • Improved ability to reassure customers and other stakeholders that you are actively working to secure your IT against attacks.
  • Competitive differentiation and greater ability to attract new business.
  • Clarity and insight into the performance of your cybersecurity measures.
  • Some US government contracts require Cyber Essentials or Cyber Essentials Plus certification.


How do we get Cyber Essentials certified?

US companies seeking Cyber Essentials readiness can start with CISA’s Cyber Essentials Starter Kit, which provides “the basics for building a culture of cyber readiness.”

Working with the starter kit can help you create an action plan to move your organization toward the Cyber Essentials requirements. The action plan includes links to specific guidance on how to meet the requirements.

Other recommendations from CISA on how to begin developing a culture of cyber readiness include:

  • Put a backup solution in place that automatically backs up sensitive data and system configurations.
  • Require multifactor authentication (MFA) whenever possible to access your systems, starting with privileged, administrative, and remote access users.
  • Enable automatic updates to software where possible. Replace unsupported hardware, applications, and systems. Minimize the lead time to test and deploy patches.


What’s next?

Cyber Essentials Plus is an effective way to ensure that your organization is protected against the most common cyber threats. It not only provides peace of mind but also helps in attracting new business and fulfilling government contract requirements.

To connect with an expert about Cyber Essentials Plus and what it will take for your business to get certified, contact CBIZ Pivot Point Security.