Confused about which level of Cyber Essentials to apply for?
Cyber Essentials Basic vs Cyber Essentials PLUS Breakdown
An abundance of organisations approach us for advice about when to apply for Cyber Essentials vs Cyber Essentials PLUS. This can be confusing and we’re going to clarify which might be the best solution for you.
What is Cyber Essentials?
Cyber Essentials is a security standard backed by the UK Government. It is frequently requested by government and private tenders to demonstrate that your organisation has taken best practice steps to protect sensitive information, like financial information and customer data, against the most common cyber attacks.
By implementing the controls outlined by Cyber Essentials you can your organisation from around 80% of attacks.
The differences between Cyber Essentials BASIC and Cyber Essentials PLUS
Cyber Essentials BASIC is a self-certification. This means that you’re asked to supply answers to a questionnaire (with evidence) and the application is marked by our certification body Capula, and assessed by IASME.
Cyber Essentials PLUS is the highest level of certification and is a more rigorous test of your organisation's security systems. It involves an external vulnerability scan carried out by cyber security experts who will check how robust they are against basic hacking. This means that one of our certification bodies will visit your office, or in some cases it's possible to do this online, and perform a test that is in line with the Cyber Essentials requirements.
When you need Cyber Essentials Basic and Cyber Essentials Plus
This depends on your motivations for seeking out certification in the first place: are you looking to show your customers that you take data protection seriously? Are you looking for certification because it is required to meet a contract/supply chain criteria? another reason?
When bidding on a contract/procurement/tender
Procurement tenders, especially if they are involved with the public sector, will ask for Cyber Essentials as a minimum. If they haven’t specified which level of Cyber Essentials, it usually means they only require the basic level.
When looking for your own internal reasons
If you want to demonstrate that your organisation is compliant with Cyber Security and takes data protection seriously - then Cyber Essentials PLUS is the obvious choice. Companies that hold sensitive data should always seek out PLUS certification, especially if they are involved in sectors that are frequent subjects of Cyber Attacks. However, this is not always cost efficient for SMEs and for some companies, the basic certification is sufficient.
As an IT Support/ Managed Service Provider
If your clients are asking for your help with Cyber Essentials certification, your organisation should really be certified to at least the level that they are asking for help with, especially considering you could be a gateway to your customers’ data.
If you have ISO 27001 certification, do you still need Cyber Essentials/Cyber Essentials PLUS?
Yes, and no – it depends. If a client has requested your organisation to be Cyber Essentials certified, a 27001 certification will not satisfy this request. 27001 is a more comprehensive certification, whereas Cyber Essentials ensures that the core elements of your security are up to National Cyber Security Centre (NCSC) standards. Again, this would depend on your motivations; certification in 27001 does not guarantee compliance in Cyber Essentials.
How the pricing works for both levels
At APMG, Cyber Essentials basic is available for £360 from the APMG Store. This is a self-service questionnaire.
Cyber Essentials PLUS assessments are available from £1674 from the APMG Store. This includes questionnaire and vulnerability scan.
