Cyber Essentials
Developed and backed by the UK government's National Cyber Security Centre (NCSC), Cyber Essentials is a programme to help businesses implement the foundations of cyber security.
Here we address the most common misunderstandings and frequently asked questions surrounding the Verified Self-Assessment (VSA).
Before Starting Cyber Essentials
Everyone says yes, but then provides responses that clearly indicate that they have not.
Take care to read the question and answer AND the lines of guidance provided underneath them. Many of them give examples of how to phrase your answer or the content being requested. Not doing this, and entering incomplete, ill-thought-out responses that do not answer the question, is a clear statement to the examiner that securing your organisation is not taken seriously.
The Cyber Essentials question set changes every year. New questions are added, and the phrasing of some questions is changed, requiring different answers from previous years. The answers you supplied the year before might not be applicable in the current assessment. Do not just blindly paste in the answers you provided last year; this again demonstrates a lack of attention, care and consideration for the process and for how your organisation views cyber security.
Cyber Essentials FAQ
If you are only looking to certify part of the organisation or a subsidiary, rather than the whole organisation, you need to understand which offices and networks make up the whole organisation, and then which networks you are going to exclude from the assessment.
A scope description needs to state which networks are in scope and which networks are not in scope, and would usually take one of the following three forms:
If most of the networks are in scope, only a few networks are excluded:
- Whole Organisation, excluding Network A, Network B, Network C
If only a few networks are in scope, with the rest of the networks excluded:
- Network A, Network B, Network C only, excluding all other networks
If there is an even split of networks being in scope, and not being in scope:
- Network A, Network B, Network C only, excluding Network D, Network E, Network F
As an example, if an organisation has an HQ in London with three networks (an Administration network, a Sales network and a Development network), a branch in Leeds, a branch in Reading and a branch in Paris, and only wanted to scope the London HQ and Leeds branch, then the following statement would be fine (assuming correct segregation):
London HQ Networks and Leeds Office Network only, excluding London Development Network and all other Networks.
Where centralised app management is not in use, mobile app version numbers can be found here:
[iOS] Settings > Apps > [App Name]
If the information is not found here, navigate to the App Store, search for the app, and the version number will be displayed under the 'What's New' section.
A cloud service is any app or element that requires an internet login to a cloud / web-hosted service.
This includes M365, Microsoft Azure, AWS, Apple iCloud, Google services, Xero, Sage, SAP, LinkedIn, Facebook, Instagram, Canva, ChatGPT, Meraki, Norton, McAfee, etc.
You should declare all Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) items in use by your organisation.
Yes.
The question set is updated each year, and the controls are reviewed in light of cyber attacks observed across the globe. Bring Your Own Device (BYOD) equipment is now in scope. This means small companies with many partners, contractors or associates who use their own computers instead of company assets now need to adhere to the security controls in the assessment.
What Cyber Essentials Covers
The standard focuses on five key areas applied to all in-scope devices, users, applications, and cloud services.
Firewalls & Routers
A firewall is a security gateway between your network and devices and the internet. Your internet router usually includes a firewall. The rule is simple: only let through the traffic you need for work, and block the rest. If something is open to the whole internet when it does not need to be, attackers will find it and exploit it.
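As an added example (not part of the original page and not LANDR's own tooling), the check below applies the "only let through what you need" rule to a firewall's inbound allow rules: it parses a constructed, simplified rule list, and flags any service that is allowed from any source address but is not on the business's list of services that genuinely need internet exposure. The rule format, the sample rules and the allow-list are all constructed for this example.

```python
"""Audit inbound firewall rules for services exposed to the whole internet.

Added example, not from the original page. The one-line rule format
(action proto source-cidr dest-port) and the sample rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"
    src: str      # source address range in CIDR form
    port: int     # destination port


def parse_rules(text: str) -> list[Rule]:
    """Parse lines such as 'allow tcp 0.0.0.0/0 443'; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, port = line.split()
        rules.append(Rule(action.lower(), proto.lower(), src, int(port)))
    return rules


def is_any_source(cidr: str) -> bool:
    """True when the source range matches every address (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def exposed_services(rules: list[Rule], needed: set[tuple[str, int]]) -> list[tuple[str, int]]:
    """Return (proto, port) pairs allowed from anywhere that have no business need."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or not is_any_source(rule.src):
            continue  # denies and source-restricted rules are not world-exposed
        if (rule.proto, rule.port) not in needed:
            findings.append((rule.proto, rule.port))
    return findings


# Constructed sample: a small rule set with two unnecessary world-open services.
SAMPLE_RULES = """
allow tcp 0.0.0.0/0 443       # public website, needed
allow tcp 0.0.0.0/0 3389      # remote desktop open to everyone, not needed
allow tcp 203.0.113.0/24 22   # admin SSH from the office range only
allow udp 0.0.0.0/0 161       # SNMP reachable from the internet, not needed
deny  tcp 0.0.0.0/0 25
"""

# Constructed allow-list: the only service this business needs open to the internet.
NEEDED_FROM_INTERNET = {("tcp", 443)}

if __name__ == "__main__":
    for proto, port in exposed_services(parse_rules(SAMPLE_RULES), NEEDED_FROM_INTERNET):
        print(f"open to the whole internet without a business need: {proto}/{port}")
```

Running the script lists tcp/3389 and udp/161 as world-exposed services without a documented need; the source-restricted SSH rule and the deny rule are not reported. Keeping the `NEEDED_FROM_INTERNET` set as the written justification for each open service is the same evidence an assessor will ask for.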
Secure Configuration
New devices and apps often ship with default settings that are easy to use but not secure. Secure configuration means switching off extras you do not need, changing weak defaults, and setting the device up to reduce risk.
Security Update Management
Criminals look for known weaknesses in commonly used software. Vendors publish fixes called updates or patches. Applying updates quickly closes the door before attackers walk through it. Updates apply to computer, phone and tablet operating systems, apps, browsers and office suites, and also to firmware on devices such as routers and firewalls.
User Access Control
Staff should have only the access they need to do their job, nothing more. Administrator access should be rare and controlled. Strong login methods reduce the chance of criminals guessing or stealing passwords.
Malware Protection
Malware is malicious, unwanted software such as viruses, ransomware and spyware. Companies must have a suitable method to stop it from running, and to detect and remove it if it appears.
Get Cyber Essentials With LANDR Security
Cyber Essentials Certification
The Cyber Essentials base level certification involves a "point in time" self-assessment covering the five core areas of control.
We work with you to prepare your technical estate and company processes prior to the assessment.
Cyber Essentials PLUS Certification
Available to companies that already hold the Cyber Essentials base level certification, Cyber Essentials PLUS involves an in-depth, assessor-led audit that examines compliance and verifies your defences against simulated intrusions.
LANDR is with you every step of the way; explaining the process, expected outcomes and remediation.
Ready To Start Your Journey?
Let's get you started. Complete the onboarding steps and we will contact you to discuss your requirements and timescales for certification.